oss-sec mailing list archives
pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak
From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 5 Jun 2019 11:59:31 +0200
Hello, pam-u2f [1] is a PAM module that allows to integrate universal 2nd factor authenticators like YubiKey into the PAM stack. In the context of a source code review [2] due to the inclusion of pam-u2f into SUSE Linux two security issues in this PAM module have been uncovered as described in the following sections. CVE-2019-12210: debug_file file descriptor leak ----------------------------------------------- If the `debug` and `debug_file` options are set then the opened debug file will be inherited to the successfully authenticated user's process. Therefore this user can write further information to it, possibly filling up a privileged file system or manipulating the information found in the debug file. In some contexts the program utilizing PAM closes off leaked file descriptors but it does work with su, for example, use the following line in the PAM stack: ``` auth optional pam_u2f.so debug debug_file=/tmp/u2f-debug.txt ``` Then prepare the debug file such that the PAM module can open it: root# touch /tmp/u2f-debug.txt Then perform su on yourself as an unprivileged user: user$ su user Password: XXX user$ ls -l /proc/$$/fd [...] l-wx------ 1 user users 64 8. Mai 11:44 3 -> /tmp/u2f-debug.txt As you can see the new user shell now has an open file descriptor for the debug file. CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak ------------------------------------------------------------------------------- The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()'ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users. If the PAM modules' `debug` option is also enabled then most of the content of the file is written either to stdout, stderr, syslog or to the defined debug file. Therefore this can pose an information leak to access e.g. the contents of /etc/shadow, /root/.bash_history or similar sensitive files. Furthermore the symlink attack can be used to use other users' u2f_keys files in the authentication process. For example use the following line in the PAM stack: ``` auth optional pam_u2f.so debug ``` Then prepare a suitable symlink: ``` user$ mkdir -p ~/.config/Yubico user$ ln -s /etc/shadow ~/.config/Yubico/u2f_keys ``` Then authenticate the user on a text console: host login: user Password: XXX [...] debug(pam_u2f): Authorization line: avahi:!:18019:::::: [...] Notice the lines from /etc/shadow being output on the terminal. Bugfixes and Mitigations ------------------------ The bugfix for CVE-2019-12210 is found in [3]. It solves the issue by passing `O_CLOEXEC` and more conservative flags to related `open()` calls. The bugfix for CVE-2019-12209 is found in [4]. It solves the issue by dropping privileges to the to-be-authenticated user before accessing the `u2f_keys` file. Both bugfixes are contained in the upstream release 1.0.8 [5]. A major mitigation for both issues is to remove the `debug` and `debug_file` options for `pam_u2f.so` in the PAM configuration. Furthermore enabling the `openasuser` option will mitigate the symlink attack in CVE-2019-12209. Timeline and Responsible Disclosure ----------------------------------- Communication with upstream was responsive and constructive over the complete timeline. 2019-05-08: I reported the findings privately to the upstream maintainer. 2019-05-20: security () yubico com has been involved and we worked out and reviewed patches together that have been agreed upon by this time. 2019-05-22: Yubico assigned CVEs for the issues. 2019-06-04: This was the established publication date and Yubico released a fixed version as planned. References ---------- [1]: https://developers.yubico.com/pam-u2f/ [2]: https://bugzilla.suse.com/show_bug.cgi?id=1087061 [3]: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62 [4]: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3 [5]: https://developers.yubico.com/pam-u2f/Release_Notes.html -- Matthias Gerstner <matthias.gerstner () suse de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Phone: +49 911 740 53 290 GPG Key ID: 0x14C405C971923553 SUSE Linux GmbH GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 21284 (AG Nuernberg)
Attachment:
signature.asc
Description:
Current thread:
- pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak Matthias Gerstner (Jun 05)