PAM_OATH Flaw Grants Root Access

A vulnerability (CVE-2024-47191) in the pam_oath PAM module, part of the oath-toolkit package, allows an unprivileged local user to gain root access on the system.

pam_oath runs with root privileges and was originally designed to read OATH keys from /etc/users.oath, a file accessible only to root. Version 2.6.7 of oath-toolkit, however, added support for a per-user key file located in the user's home directory (~/.config/users.oath), so unprivileged users could edit the file holding their own keys. pam_oath did not drop privileges when accessing these files, and code written on the assumption that the key file could only be changed by root was now operating, as root, on user-controlled files.

The vulnerability lay in the rewrite pam_oath performs after each successful one-time password authentication to prevent the same password from being reused. The rewrite creates a lock file, writes the new contents to a file with a ".new" suffix, and then replaces the old file with the new version. The ".new" file was created with the same permissions as the target file but written as root, without first checking whether something already existed at that path.

This made exploitation easy: the user could place a symbolic link at a path such as "~/.config/oath.secrets.new", so the file written after a successful authentication would overwrite a system file instead. For instance, pointing the symbolic link at /etc/shadow let an attacker modify account entries and thereby gain root access.
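As an added illustration (not oath-toolkit's own code), here is how a root-running module can rewrite a user-controlled key file without the ".new" symlink hazard: it refuses a key file that is not a regular file owned by the user, creates the temporary file with O_EXCL | O_NOFOLLOW so that any pre-existing entry at the ".new" path (a planted symlink included) makes the write fail, and only then renames it into place. The function names, the temp-directory self-check and the file contents are constructed for the example; dropping privileges to the user before touching the file is the other half of the fix and is not shown here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomic rewrite of a per-user key file that refuses symlink tricks. 'owner' is
 * the uid the file must belong to. Returns 0, or -1 with errno set. */
int safe_rewrite(const char *path, const char *contents, uid_t owner)
{
    char tmp[PATH_MAX];
    struct stat st;
    size_t len = strlen(contents);
    int fd, err;
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) { errno = ENAMETOOLONG; return -1; }
    /* lstat, not stat: a symlink in place of the key file is rejected, not followed. */
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) { errno = EPERM; return -1; }
    /* O_EXCL fails if anything (a dangling symlink included) already sits at ".new". */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, st.st_mode & 07777) == 0 && write(fd, contents, len) == (ssize_t)len
        && fsync(fd) == 0 && close(fd) == 0 && rename(tmp, path) == 0)
        return 0;
    err = errno;          /* preserve the cause across the cleanup calls */
    unlink(tmp);
    errno = err;
    return -1;
}

/* Self-check on constructed files in a fresh temp dir: a normal rewrite succeeds,
 * then a planted "oath.secrets.new" symlink makes the next one fail with EEXIST
 * and leaves the link target untouched. Returns 0 when both hold. */
int run_demo(void)
{
    char dir[] = "/tmp/oathdemoXXXXXX", buf[32];
    FILE *f;
    if (!mkdtemp(dir) || chdir(dir) != 0) return 1;
    if (!(f = fopen("oath.secrets", "w"))) return 2; fputs("old\n", f); fclose(f);
    if (!(f = fopen("protected", "w"))) return 3; fputs("intact\n", f); fclose(f);
    if (safe_rewrite("oath.secrets", "rotated\n", getuid()) != 0) return 4;
    if (symlink("protected", "oath.secrets.new") != 0) return 5;
    if (safe_rewrite("oath.secrets", "second\n", getuid()) == 0 || errno != EEXIST) return 6;
    if (!(f = fopen("protected", "r")) || !fgets(buf, sizeof buf, f)) return 7;
    fclose(f); return strcmp(buf, "intact\n") == 0 ? 0 : 8;
}
```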

The vulnerability was present from the release of oath-toolkit 2.6.7 and has been fixed in version 2.6.12.