Allele Security Alert
debug_file file descriptor leak
pam-u2f versions before 1.0.8
pam-u2f version 1.0.8
Proof of concept
If the `debug` and `debug_file` options are set then the opened debug file will be inherited by the successfully authenticated user's process. Therefore this user can write further information to it, possibly filling up a privileged file system or manipulating the information found in the debug file.
In some contexts the program utilizing PAM closes off leaked file descriptors, but it does work with su. For example, use the following line in the PAM stack:
auth optional pam_u2f.so debug debug_file=/tmp/u2f-debug.txt
Then prepare the debug file such that the PAM module can open it:
root# touch /tmp/u2f-debug.txt
Then perform su on yourself as an unprivileged user:
user$ su user
Password: XXX
user$ ls -l /proc/$$/fd
[...]
l-wx------ 1 user users 64 8. Mai 11:44 3 -> /tmp/u2f-debug.txt
As you can see, the new user shell now has an open file descriptor for the debug file.
Matthias Gerstner (SUSE Security Team)
pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak
Do not leak file descriptor when doing exec
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 8, 2019