pam_usb Command Injection Vulnerability in Tmux Integration Leading to Root Privilege Escalation

Vulnerability

A command injection vulnerability has been identified in pam_usb versions prior to 0.8.7, specifically within the tmux integration. The issue arises in src/tmux.c, where the user's $TMUX environment variable is read, split on commas, and the socket-path component is directly interpolated into a shell command executed by popen(). This interpolation occurs without proper sanitization, allowing any value containing a double quote to terminate the quoted string and inject arbitrary shell commands. The popen() function is executed with root privileges in the PAM stack, creating a significant security risk. Exploitation of this vulnerability allows local users to bypass USB authentication and gain unauthorized root access.

Impact

Exploitation of this vulnerability gives local users an unconditional root shell without the registered USB device being present. The injected command runs while PAM is authenticating the user, before sudo's 'env_reset' option takes effect, so env_reset offers no protection against it.

Reproduction

To reproduce this vulnerability, set the $TMUX environment variable with a crafted socket path that includes a double quote. This can be done by exporting the TMUX variable with a value that contains a quote, followed by a command to copy a privileged shell to a location accessible to the user, such as /tmp/rootsh. Once the TMUX variable is set, executing a command that invokes sudo or su will trigger the vulnerability, as the PAM stack processes the popen() call with the injected command, resulting in a root shell being written to the specified location.

Remediation

Users should update to pam_usb version 0.8.7 or later, where this vulnerability is fixed. The updated version validates the $TMUX socket path and client ID and rejects values containing shell metacharacters before any command is constructed. Additionally, the 'w' command is now invoked via its full path to prevent similar injection through a manipulated PATH.
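As an added illustration of the remediation described above (example code written for this page, not pam_usb's own src/tmux.c): a parser for the $TMUX value that rejects, rather than escapes, any field containing characters outside a strict allowlist, so nothing that could close a quoted string or start a second command ever reaches a popen() command. The three-field "socket_path,server_pid,client_id" layout, the constants and the function names are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Three comma-separated fields: socket path, server pid, client id.
 * This layout and the size limits are assumptions of this example. */
enum { TMUX_FIELDS = 3, TMUX_FIELD_MAX = 256 };

/* Allowlist check for one field: the path may use only [A-Za-z0-9/._-],
 * numeric fields only decimal digits. A double quote, ';', '$', '`', '|',
 * '&' or whitespace never passes, so a field can neither close a quoted
 * shell string nor start a second command. Rejecting beats escaping. */
static int field_ok(const char *s, int numeric)
{
    size_t n = strlen(s);
    if (n == 0 || n >= TMUX_FIELD_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (numeric ? !isdigit(c)
                    : !(isalnum(c) || strchr("/._-", c)))
            return 0;
    }
    return 1;
}

/* Split $TMUX on commas and validate every field before any of it is used.
 * Returns 1 and fills out[] (when non-NULL) on success; 0 for NULL, overlong
 * input, a wrong field count, or any field outside the allowlist (the
 * injection case in the advisory). out[] is unspecified on failure. */
int parse_tmux_env(const char *value, char out[TMUX_FIELDS][TMUX_FIELD_MAX])
{
    char buf[TMUX_FIELDS * TMUX_FIELD_MAX], *p = buf;
    if (value == NULL || strlen(value) >= sizeof buf)
        return 0;
    strcpy(buf, value);
    for (int i = 0; i < TMUX_FIELDS; i++) {
        char *field = p, *comma = strchr(p, ',');
        if ((comma == NULL) != (i == TMUX_FIELDS - 1))
            return 0;                  /* too few or too many fields */
        if (comma) {
            *comma = '\0';
            p = comma + 1;
        }
        if (!field_ok(field, i > 0))   /* field 0 is the path, rest numeric */
            return 0;
        if (out)
            strcpy(out[i], field);     /* safe: length checked in field_ok */
    }
    return 1;
}
```

Even with this validation in place, handing the socket path to tmux as its own argv element via fork()/execv() instead of through popen() removes the shell from the path entirely and is the more robust design.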

Added: May 28, 2026, 3:14 AM
Updated: May 28, 2026, 3:14 AM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact          10.0
exploitability   4.6
remediation      0.0
relevance        9.4
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.