pam_usb Uncontrolled Search Path Vulnerability in Helper Tools Allowing Privilege Escalation

Vulnerability

A vulnerability in pam_usb helper tools prior to version 0.9.0 allows for privilege escalation through uncontrolled search paths. The affected tools, pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resolved external binaries via the PATH environment variable instead of using absolute paths. This flaw could be exploited by an attacker who can manipulate the process environment during PAM authentication or tool execution, potentially leading to the execution of malicious binaries.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation by allowing an attacker to execute arbitrary binaries with elevated rights, particularly through the pamusb-conf tool, which is typically run with such privileges.

Reproduction

The vulnerability can be reproduced by influencing the PATH environment variable during the execution of the affected pam_usb tools. For instance, when pamusb-conf is run, the tool can be made to invoke findmnt without an absolute path, creating an opportunity for PATH hijacking. Similarly, the pamusb-keyring-unlock-gnome tool can be exploited by manipulating the PATH to redirect calls to gnome-keyring-daemon or other resolved binaries.

Remediation

Users should update to pam_usb version 0.9.0 or later, where this vulnerability has been fixed by ensuring all external binary invocations use absolute paths. Additionally, the keyring password file is now read as data rather than sourced as shell code, and the password is passed to gnome-keyring-daemon via stdin, avoiding exposure in the process list.
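The three fixes named above (absolute binary paths, reading the password file as data instead of sourcing it, and passing the password on stdin), shown in an illustrative POSIX shell helper. This is an added example, not pam_usb's own code; the binary locations and the assumption that gnome-keyring-daemon's `--unlock` reads the password from stdin are assumptions for the example.

```shell
#!/bin/sh
# Illustrative hardening pattern for a PAM helper script (not pam_usb's code).

# Fixed, trusted search path: never inherit PATH from the calling process.
SAFE_PATH='/usr/sbin:/usr/bin:/sbin:/bin'

# Assumed absolute locations of the external tools the advisory names.
FINDMNT_BIN='/usr/bin/findmnt'
KEYRING_DAEMON_BIN='/usr/bin/gnome-keyring-daemon'

# require_abs CMD: accept only an absolute path to an executable file.
# A bare name such as "findmnt" would be resolved via PATH, so reject it.
require_abs() {
    case "$1" in
        /*) [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# read_password_data FILE: read the first line of FILE as plain data.
# Sourcing the file (". FILE") would execute any shell code inside it;
# "read -r" performs no expansion or evaluation at all.
read_password_data() {
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# unlock_keyring FILE: feed the password to the daemon on stdin so it never
# appears as an argument in the process list (ps, /proc/<pid>/cmdline).
unlock_keyring() {
    require_abs "$KEYRING_DAEMON_BIN" || return 1
    read_password_data "$1" | PATH="$SAFE_PATH" "$KEYRING_DAEMON_BIN" --unlock
}

# list_mounts: invoke findmnt by absolute path with the fixed PATH.
list_mounts() {
    require_abs "$FINDMNT_BIN" || return 1
    PATH="$SAFE_PATH" "$FINDMNT_BIN" -rn -o TARGET,SOURCE
}
```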

Added: May 28, 2026, 3:29 AM
Updated: May 28, 2026, 3:29 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          6.6
impact          7.5
exploitability  4.3
remediation     7.9
relevance       9.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.