Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20241018014642.GA23101@openwall.com>
Date: Fri, 18 Oct 2024 03:46:42 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so

On Thu, Oct 17, 2024 at 10:28:41AM +0200, Matthias Gerstner wrote:
> - setgroups() is invoked to drop supplementary group membership.

Looks good to me.

> - the usersfile is checked for additional hard-links; if the link count
>   is larger than one, then the file is rejected. This prevents possible
>   hard link attacks on the end of the unprivileged user.

There's a subtle issue here - another user's (or root's) temporary file
may be hard-linked and st_nlink may be back to 1 after the file is
unlinked by its original creator/user.  For example, tmpfile(3) unlinks
the file right away, yet the calling program is expected to proceed to
use it.  In that case, an attacker winning the race could manipulate
content of another user's temporary file, which that user's program
could then read back and use.

>   With the Linux
>   kernel sysctl protected_hardlinks set to 1 (the usual default on most
>   distributions), this attack will not work either way.

Right.

> In our case it is only a check of st_nlink. This is because we are
> dropping privileges to the owner of the file. If one would drop
> privileges to the to-be-authenticated user, then a check of st_uid would
> be in order as well.

Right.  It appears that given your decision to allow any file owner, you
cannot fully prevent hard link attacks without protected_hardlinks.

> - O_NOCTTY has been added to the open() call of the usersfile. This
>   makes this aspect explicit, although the code already checks that the
>   file is a regular file, so the situation shouldn't arise in the first
>   place.

Oh, I had thought you'd only be able to reliably post-check for regular
file, which would be too late against side-effects on open().  However,
now I realize that you first open with O_PATH, which presumably avoids
side-effects(*), then check fstat(), and only then if everything looks
good you reopen via /proc/self/fd/fd for actual usage.  That's quite a
hack, but yes, O_NOCTTY on reopen should be redundant.

(*) The man page says "Opening a file or directory with the O_PATH flag
requires no permissions on the object itself", so we'd have bigger
problems regardless of your usage if there were side-effects.

> The reason why we accept different ownership of the file is for
> increased backward compatibility. The usersfile feature in pam-oath
> allows for potentially complex scenarios regarding to the ownership of
> the file and it was not previously clearly specified which scenarios are
> supported. When only supporting the simple scenario of the usersfile
> being located directly beneath the to-be-authenticated user's home
> directory, then a lot of things become simpler, as it has been done
> in the upstream approach in a couple of aspects.

OK, this makes sense.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.