pam_usb Shell Injection Vulnerability in Configuration Tools Allowing Root Remote Code Execution

Vulnerability

A vulnerability in pam_usb versions prior to 0.8.7 allows for root remote code execution through shell injection via crafted UUIDs or usernames. This issue arises because two Python helper tools, pamusb-conf and pamusb-agent, improperly handle user-controlled data by passing it directly into shell commands. Exploitation can occur by manipulating the UUID of a USB device or the username in the pam_usb configuration.

Impact

Exploitation of this vulnerability leads to root remote code execution. This can be achieved by injecting a payload into the UUID of a USB device, which is executed when the device is added, or by inserting a malicious username into the configuration, which is executed by the pamusb-agent tool.

Reproduction

To reproduce this vulnerability, first create a USB device whose filesystem UUID contains a payload (for example, a command that writes the output of the id command to a file) and make sure the system recognises the device. Then add the device to the pam_usb configuration with the pamusb-conf tool, which executes the injected payload with root privileges. Alternatively, insert a malicious username into the pam_usb XML configuration; when pamusb-agent runs, the injected username is executed as a shell command, leading to remote code execution.
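The root cause described above is a value the tool did not generate (a volume UUID read from the device, a username read from the configuration) being spliced into a command line that a shell then parses. The following added example, which is not code from the pam_usb project, shows the defensive counterpart: a whitelist check for both value types, the vulnerable string-building pattern beside a shell-free argv form, and an audit routine that flags configuration entries which would not pass the check. The blkid invocation is a stand-in for whatever the real tools run, and the XML layout (device and user elements with id attributes and a volume_uuid child) is my assumption about pam_usb's configuration file, so adjust both to the actual tool before relying on it; the sample configuration is constructed.

```python
"""Added example (not pam_usb's code): validate UUIDs and usernames before they
reach any command, never hand them to a shell, and audit an existing config."""
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Filesystem UUID shapes as printed by blkid: FAT (XXXX-XXXX), NTFS/exFAT
# (16 hex digits) and RFC 4122 (ext4, XFS, btrfs, ...). Anything else is rejected,
# which excludes every shell metacharacter by construction.
FS_UUID_RE = re.compile(
    r"(?:[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
    r"|[0-9A-Fa-f]{16}"
    r"|[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
)
# Conservative portable login name: lowercase letters, digits, underscore, hyphen.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_fs_uuid(value: str) -> bool:
    return FS_UUID_RE.fullmatch(value) is not None


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def unsafe_command(uuid: str) -> str:
    """The vulnerable pattern the advisory describes: the value is interpolated
    into a string that a shell later parses, so metacharacters in it become
    part of the command. Shown for contrast only; never execute it."""
    return f"blkid -U {uuid}"


def safe_argv(uuid: str) -> List[str]:
    """Hardened form: validate first, then pass the value as its own argv
    element. blkid -U is a stand-in for the real tools' command (assumption)."""
    if not is_valid_fs_uuid(uuid):
        raise ValueError(f"rejected filesystem UUID {uuid!r}")
    return ["blkid", "-U", uuid]


def lookup_device(uuid: str) -> str:
    # shell=False is the default, so no shell ever sees the UUID; it is only data.
    result = subprocess.run(safe_argv(uuid), capture_output=True, text=True, check=False)
    return result.stdout.strip()


def audit_config(xml_text: str) -> List[Tuple[str, str]]:
    """Return (location, offending value) pairs for entries that fail validation.
    On a host still running pam_usb < 0.8.7 a non-empty result deserves an alert."""
    findings: List[Tuple[str, str]] = []
    root = ET.fromstring(xml_text)
    for dev in root.iter("device"):
        # <device> also appears under <user> as a bare reference; those have no
        # volume_uuid child and are skipped here.
        uuid = (dev.findtext("volume_uuid") or "").strip()
        if uuid and not is_valid_fs_uuid(uuid):
            findings.append(("device/volume_uuid", uuid))
    for user in root.iter("user"):
        name = user.get("id", "")
        if not is_valid_username(name):
            findings.append(("user@id", name))
    return findings


# Constructed sample configuration (not from a real host): one sane device and
# user, plus one device whose UUID carries a shell metacharacter and one user
# whose id is not a plain login name.
SAMPLE_CONFIG = """<configuration>
  <devices>
    <device id="good-key"><volume_uuid>1A2B-3C4D</volume_uuid></device>
    <device id="odd-key"><volume_uuid>1A2B-3C4D;id</volume_uuid></device>
  </devices>
  <users>
    <user id="alice"><device>good-key</device></user>
    <user id="bob;id"><device>odd-key</device></user>
  </users>
</configuration>
"""

if __name__ == "__main__":
    for where, value in audit_config(SAMPLE_CONFIG):
        print(f"suspicious {where}: {value!r}")
```

Running the module prints the two constructed offenders. The same audit_config routine can be pointed at a real configuration file as a quick check on hosts that cannot be updated immediately, but the whitelist is the real fix: once a value must match a known shape before it is used, there is nothing left for a shell to interpret, and passing an argv list instead of a string removes the shell from the path entirely.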

Remediation

Users can update to pam_usb version 0.8.7 or later, where this vulnerability has been fixed. Instructions for updating can be found in the pam_usb repository on GitHub.

Added: May 28, 2026, 3:17 AM
Updated: May 28, 2026, 3:17 AM