Vulnerability in pam_oath that could allow root privileges on the system

Man

A vulnerability (CVE-2024-47191) has been identified in the pam_oath PAM module, part of the oath-toolkit package and used for two-factor authentication with one-time passwords (OTP), that allows an unprivileged user to gain root access on the system.

The pam_oath module runs with root privileges and was originally designed to read OATH keys from the /etc/users.oath file, which can only be accessed by the root user. In oath-toolkit 2.6.7, support was added for placing key files in users' home directories (~/.config/users.oath). Unprivileged users could now modify the files holding their keys, but pam_oath did not drop its privileges when accessing these files and kept using file-handling methods that were only safe under the assumption that the file lived in a directory users could not modify.

The vulnerability stems from the fact that after each successful one-time-password authentication, pam_oath rewrites the key file to prevent the same password from being reused. The rewrite created a lock file in the same directory, wrote the new content to a file with the ".new" extension, and then replaced the old file with the new version. The ".new" file was created with the same permissions as the target file, but it was written by a process running as root, without checking whether something already existed at that path.

As long as the file lived in the system directory this caused no problem, but once key files could be placed in home directories, an easily exploitable vulnerability appeared. To attack, it is enough to create a symbolic link "~/.config/oath.secrets.new" pointing at any system file, which will then be overwritten after a successful authentication.

To gain root access, the symbolic link can be pointed at the /etc/shadow file. In that case pam_oath writes the current list of keys to /etc/shadow and synchronizes its owner and permissions with those of the users.oath file. Since users.oath is owned by the user, that user becomes the owner of /etc/shadow, after which the attacker can edit /etc/shadow and write new login settings for the root account.
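As an added example (not oath-toolkit's code and not part of the original post), here is a hypothetical hardened version of the "write .new, then rename" step described above, in C: the temp file is opened with O_EXCL|O_NOFOLLOW so a pre-existing symlink at that path is refused rather than written through, and ownership and mode are applied to the descriptor the process itself created. The self-check function builds all of its files in a throwaway directory under /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened "write .new, then rename" step (not oath-toolkit's code).
 * Returns 0 on success, -1 on failure. Never opens through a pre-existing temp
 * path and only chowns/chmods the descriptor it created itself. */
int safe_replace_file(const char *path, const char *data, size_t len)
{
    char tmp[PATH_MAX]; struct stat target, opened;
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) return -1;
    /* lstat: a target that is itself a symlink is rejected as well */
    if (lstat(path, &target) != 0 || !S_ISREG(target.st_mode)) return -1;
    /* O_EXCL|O_NOFOLLOW: fail if anything (a symlink included) already exists */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int ok = fstat(fd, &opened) == 0 && S_ISREG(opened.st_mode) &&
             opened.st_nlink == 1 &&
             fchown(fd, target.st_uid, target.st_gid) == 0 &&
             fchmod(fd, target.st_mode & 07777) == 0;
    for (size_t off = 0; ok && off < len; ) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) ok = 0; else off += (size_t)n;
    }
    if (!ok || fsync(fd) != 0) { close(fd); unlink(tmp); return -1; }
    if (close(fd) != 0 || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Self-check in a throwaway directory (all files constructed here): a plain
 * replace must succeed, and a symlink at "<path>.new" must be refused with its
 * target left untouched. Returns 0 when both hold, else the failing step. */
int run_symlink_check(void)
{
    char dir[] = "/tmp/oathdemoXXXXXX", path[PATH_MAX], tmp[PATH_MAX], decoy[PATH_MAX], buf[16] = {0};
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/users.oath", dir);
    snprintf(tmp, sizeof tmp, "%s.new", path);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    FILE *f = fopen(path, "w"); if (!f) return 2; fputs("old\n", f); fclose(f);
    f = fopen(decoy, "w"); if (!f) return 3; fputs("keep\n", f); fclose(f);
    if (safe_replace_file(path, "new\n", 4) != 0) return 4;   /* normal rewrite */
    if (symlink(decoy, tmp) != 0) return 5;                    /* pre-existing link */
    if (safe_replace_file(path, "xx\n", 3) != -1) return 6;   /* must be refused */
    f = fopen(decoy, "r"); if (!f) return 7; if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f);
    return strcmp(buf, "keep\n") == 0 ? 0 : 8;
}
```

Dropping privileges to the file owner before touching a user-writable directory remains the stronger fix; the O_EXCL|O_NOFOLLOW check only closes the specific write-through-symlink case.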

The vulnerability affects oath-toolkit 2.6.7 and is fixed in 2.6.12. Only configurations that allow key files to be placed in home directories are affected, for example those using the line "auth [user_unknown=ignore success=ok] pam_oath.so usersfile=${HOME}/user.oath" in the PAM settings.

In addition, a recently identified vulnerability (CVE-2024-9313) in the PAM module from the Authd package, developed by the Ubuntu project, is worth mentioning. It allowed a user managed through an Authd broker to impersonate any other user managed by the same broker and successfully authenticate via su, sudo, or ssh as that user. The issue was fixed in Authd 0.3.5.