Allele Security Alert
Symlink attack on u2f_keys leading to possible information leak
pam-u2f versions before 1.0.8
pam-u2f version 1.0.8
Proof of concept
The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()’ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users.
If the PAM modules’ `debug` option is also enabled then most of the content of the file is written either to stdout, stderr, syslog or to the defined debug file. Therefore this can pose an information leak to access e.g. the contents of /etc/shadow, /root/.bash_history or similar sensitive files. Furthermore the symlink attack can be used to use other users’ u2f_keys files in the authentication process.
For example use the following line in the PAM stack:
auth optional pam_u2f.so debug
Then prepare a suitable symlink:
user$ mkdir -p ~/.config/Yubico user$ ln -s /etc/shadow ~/.config/Yubico/u2f_keys
Then authenticate the user on a text console:
host login: user Password: XXX [...] debug(pam_u2f): Authorization line: avahi:!:18019:::::: [...]
Notice the lines from /etc/shadow being output on the terminal.
Matthias Gerstner (SUSE Security Team)
pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak
Drop privileges by default when opening user-related files
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 8, 2019