Moderate severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34298

Description

The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| org.openidentityplatform.openam:openam-core | Maven | < 14.6.6 | 14.6.6 |

Vulnerability mechanics

Root cause

"Missing escaping of control characters in the user-supplied password before writing it to a Samba temporary file allows newline injection."

Attack vector

An attacker can supply a password containing newline characters (`\n`, `\r\n`) or other control characters. When the NT authentication module writes this password to a temporary Samba password file, the embedded newlines break the file's line-oriented format, allowing the attacker to inject arbitrary `username = ...` lines. This effectively replaces the Samba username associated with the authentication, enabling privilege escalation or impersonation. The attack requires only the ability to submit a crafted password during NT authentication; no special network position is needed beyond normal access to the login interface.

Affected code

The vulnerability resides in `openam-authentication/openam-auth-nt/src/main/java/com/sun/identity/authentication/modules/nt/NT.java`. The `process()` method writes the `userPassword` value directly into a temporary file without escaping special characters. The password is written via `OutputStreamWriter` using the `ISO-8859-1` charset.

What the fix does

The patch introduces an `escapeSpecial()` method that uses Apache Commons Text's `AggregateTranslator` with `JAVA_CTRL_CHARS_ESCAPE` to escape control characters (e.g., `\n` becomes `\\n`, `\r` becomes `\\r`) before writing the password to the temporary file. This prevents newline injection into the Samba password file. Additionally, the `OutputStreamWriter` charset is changed from `ISO-8859-1` to `UTF-8` to properly handle non-ASCII characters. A new dependency on `commons-text` is added to the module's `pom.xml`.
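
The before/after behaviour described above, as an added example that is not OpenAM's code: it writes a password into a line-oriented file with and without control-character escaping, then parses the file back. The class name, the `key = value` layout, the reader and the sample input are constructed assumptions; only `AggregateTranslator` and `JAVA_CTRL_CHARS_ESCAPE` come from the fix description, and `commons-text` must be on the classpath.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import org.apache.commons.text.translate.AggregateTranslator;
import org.apache.commons.text.translate.CharSequenceTranslator;
import org.apache.commons.text.translate.EntityArrays;
import org.apache.commons.text.translate.LookupTranslator;

public class CredentialFileDemo {
    // Rewrites \b \t \n \f \r as their two-character backslash forms.
    static final CharSequenceTranslator CTRL_ESCAPE = new AggregateTranslator(
            new LookupTranslator(EntityArrays.JAVA_CTRL_CHARS_ESCAPE));

    // Constructed stand-in for the temporary file: one "key = value" pair per line.
    static byte[] write(String user, String password, boolean escape) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (Writer w = new OutputStreamWriter(out, StandardCharsets.UTF_8)) {
            w.write("username = " + user + "\n");
            w.write("password = " + (escape ? CTRL_ESCAPE.translate(password) : password) + "\n");
        }
        return out.toByteArray();
    }

    // Hypothetical line-oriented reader: a later occurrence of a key overrides an earlier one.
    static Map<String, String> read(byte[] file) throws IOException {
        Map<String, String> kv = new LinkedHashMap<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(
                new ByteArrayInputStream(file), StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) {
                int eq = line.indexOf('=');
                if (eq > 0) kv.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
        return kv;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a password value carrying an embedded newline.
        String password = "secret\nusername = admin";
        // Without escaping, the embedded newline starts a second "username" line.
        System.out.println("unescaped -> " + read(write("alice", password, false)));
        // With escaping, the whole value stays on the single "password" line.
        System.out.println("escaped   -> " + read(write("alice", password, true)));
    }
}
```

`JAVA_CTRL_CHARS_ESCAPE` covers only `\b`, `\t`, `\n`, `\f` and `\r`; it does not escape the backslash itself, which matters if whatever reads the file unescapes values.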

Preconditions

  • input: Attacker must be able to submit a password containing newline or control characters to the NT authentication module.
  • config: The NT authentication module must be enabled and processing the login request.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
