pam_usb Authentication Bypass and Root File Corruption Vulnerability

Vulnerability

A vulnerability in pam_usb prior to version 0.8.7 allows for authentication bypass and corruption of root-owned files. This issue arises from symlink attacks on the pad directory and pad files, exploiting weaknesses in how the application handles filesystem paths. The vulnerability is fixed in version 0.8.7.

Impact

Exploitation of this vulnerability bypasses authentication, allowing unauthorized access. Additionally, it leads to the corruption of arbitrary root-owned files on the next successful authentication.

Reproduction

The vulnerability can be reproduced by creating a symlink from the pad directory to an attacker-controlled location. Pad files can then be manipulated to include arbitrary content, which is read by the application during the authentication process. This tricks the system into believing a legitimate USB device is being used, thereby bypassing authentication. Furthermore, symlinks can be placed in the pad update file directory, pointing to root-owned files. When the PAM module writes data to these files, it corrupts them, causing potential disruption or damage to the system.

Remediation

Users can upgrade to pam_usb version 0.8.7, which addresses the vulnerability by changing the pad directory check to use 'lstat()' instead of 'stat()'. Because 'lstat()' reports on a symlink itself rather than on its target, the check can now detect a symlinked pad directory, preventing symlink exploitation. The method of opening pad files has also been revised to reject pre-placed symlinks, and the comparison of pad files now includes checks to avoid reading uninitialized memory.
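
The three hardening measures described above, sketched as an added example; this is not pam_usb's own code. The function names, the 1024-byte buffer, the use of O_NOFOLLOW as the symlink-rejection mechanism and the temporary-directory scenario are all assumptions made for illustration.

```c
/* Added example (not pam_usb source): symlink-safe pad handling. */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 only for a real directory: lstat() does not follow a final symlink. */
int pad_dir_ok(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Open a pad read-only; O_NOFOLLOW makes open() fail on a pre-placed symlink. */
int pad_open(const char *path) {
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Zeroed buffers, and only the bytes actually read are compared. */
int pad_equal(int fd_a, int fd_b) {
    char a[1024] = {0}, b[1024] = {0};
    ssize_t na = read(fd_a, a, sizeof a), nb = read(fd_b, b, sizeof b);
    return na > 0 && na == nb && memcmp(a, b, (size_t)na) == 0;
}

/* Constructed scenario in a temp dir; returns a bitmask of passed checks. */
int demo(void) {
    char base[] = "/tmp/padXXXXXX", p[4][64];
    const char *n[4] = {"real", "link", "real/a.pad", "real/s.pad"};
    int r = 0, fd, fa, fb;
    if (!mkdtemp(base)) return -1;
    for (int i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/%s", base, n[i]);
    if (mkdir(p[0], 0700) || symlink(p[0], p[1])) return -1;
    fd = open(p[2], O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "pad-data", 8) != 8 || close(fd)) return -1;
    if (symlink(p[2], p[3])) return -1;
    if (pad_dir_ok(p[0])) r |= 1;            /* real directory accepted */
    if (!pad_dir_ok(p[1])) r |= 2;           /* symlinked directory rejected */
    if (pad_open(p[3]) < 0) r |= 4;          /* symlinked pad file rejected */
    fa = pad_open(p[2]); fb = pad_open(p[2]);
    if (fa >= 0 && fb >= 0 && pad_equal(fa, fb)) r |= 8;
    close(fa); close(fb);
    unlink(p[3]); unlink(p[2]); unlink(p[1]); rmdir(p[0]); rmdir(base);
    return r;                                /* 15 when every check passes */
}

int main(void) { printf("checks passed mask: %d\n", demo()); return 0; }
```

Both lstat() and O_NOFOLLOW inspect only the final path component, so parent directories of the pad path still need to be owned and writable only by trusted users.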

Added: May 28, 2026, 3:17 AM
Updated: May 28, 2026, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.4
remediation: 0.0
relevance: 9.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.