X41 D-Sec GmbH Security Advisory X41-2018-003: Multiple- Vulnerabilities in pam_pkcs11

From: X41 D-Sec GmbH Advisories <advisories@x41-dsec.de>
To: bugtraq@securityfocus.com,oss-security@lists.openwall.com,fulldisclosure@seclists.org
Cc:
Subject: X41 D-Sec GmbH Security Advisory X41-2018-003: Multiple- Vulnerabilities in pam_pkcs11
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-003

Multiple Vulnerabilities in pam_pkcs11
======================================


Overview
- --------
Confirmed Affected Versions: 0.6.9
Confirmed Patched Versions: -
Vendor: Unmaintained
Vendor URL: https://github.com/OpenSC/pampkcs11
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-003-pampkcs11/


Summary and Impact
- ------------------
It is possible to replay an authentication by using a specially
prepared smartcard or token in case pam-pkcs11 is compiled with NSS
support. Furthermore two minor implementation issues have been identified.
X41 did not perform a full test or audit on the software.


Product Description
- -------------------
This Linux-PAM login module allows a X.509 certificate based user
login. The certificate and its dedicated private key are thereby
accessed by means of an appropriate PKCS #11 module. For the
verification of the users' certificates, locally stored CA
certificates as well as either online or locally accessible CRLs are
used.

Authentication Replay
=====================
Severity Rating: High
Vector: Login attempt at compromised machine
CVE: -
CWE: 125
CVSS Score: 7.0 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N


Summary and Impact
- ------------------
A replay attack is possible due to a logic bug in file pampkcs11.c. In
function `pamsmauthenticate()a nonce is generated and signed with the
card to verify that the card holds the matching secret key, if a valid
certifiate is found. This is done using the functiongetrandomvalue(),
which in turn callsPK11GenerateRandom()`, which queries the smartcard
for random data.
This allows for a replay attack with a malicious smartcard. If a user
plugins in his card into a compromised computer, the nonce and answer
can be recorded by an attacker. The attacker then modifies a smartcard
or a smartcard emulator to replay with the exact same nonce and signed
data, which allows the attacker to login to another computer without
having further access to the smartcard.


Workarounds
- -----------
Switch to pam_p11.

Buffer Overflow
===============
Severity Rating: Low
Vector: Overly long user home directory
CVE: -
CWE: 121
CVSS Score: -
CVSS Vector: -


Summary and Impact
- ------------------
In file opensshmapper.c a stack based buffer overflow is possible if a
user has a home directory with a length of more than 512 bytes. This
allows to overwrite the passwd structure and possibly the return
address in `opensshmappermatchuser()`;

{% highlight c %}
opensshmapper.c
static int opensshmappermatchuser(X509 *x509, const char *user, void
*context) {
        struct passwd *pw;
        char filename[512];
        if (!x509) return -1;
        if (!user) return -1;
        pw = getpwnam(user);
        if (!pw || isemptystr(pw->pwdir) ) {
            DBG1("User '%s' has no home directory",user);
            return -1;
        }
        sprintf(filename,"%s/.ssh/authorizedkeys",pw->pwdir);
        return opensshmappermatchkeys(x509,filename);
}
{% endhighlight %}


Workarounds
- -----------
Switch to pam_p11.

Memory not cleaned properly before free()
=========================================
Severity Rating: Low
Vector: -
CVE: -
CWE: 244
CVSS Score: -
CVSS Vector: -
_

Summary and Impact
- ------------------
In several places memory is set to zero using memset() and passed on
to free() afterwards. This is a pattern which modern compilers
optimize away, which renders the call to memset() useless. This causes
sensitive data such as passwords to remain in the memory, which
defeats the original intention of the code.

{% highlight c %}
   memset(password, 0, strlen(password));
   free(password);
{% endhighlight %}


Workarounds
- -----------
Switch to pam_p11.

Timeline
========
2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, issues fixed
2018-08-08 Patched version released at
https://github.com/x41sec/pam_pkcs11
2018-08-11 Advisory released
- -- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschftsfhrer: Markus Vervier
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3K4ACgkQo5Klpg50
CxDfHhAAiANUMfz5YSGvQS8HJYcAwiDwL5Z6TRJEKg4RRS94hehzpDCHaVaABsnB
6BtRCx6Jp8hDs9Iz36y+E8txg349OSUyrRSL9RQ6/G7MrLOJ0kOxijkAWbvJg/nD
elgsGa65DKWwqHvc5AsRXxWZFtyNs6CTWGyfJJvyC3cpHM0E0jru5xjuwklm1YAG
DOcqadZav2FPzKJz5tYsDa42aAWYyjE2MMXzkY7kT3aQ2G70DhN2mJqnnmsmMFcH
GZaZO+4SaWq97SNVzzvKXk9m0T8S2HmumAF8g9mGLuCTfBVsbi4DmGyb9mvZOK2S
djwBCHf0rRqXP83hszwHD/zQoW796r7tj9PGmKmvRoDeX76aGuLgQoZ55zged9R1
QkPiD89w+7YANMHumsfLXgXRdhxWaObFvtJWtFCd+v0iS5r249zYukJXn89lnY4p
1x3eBPOzYfSvdHBV0d8/l8uiqZGM9mN55Y4AvkOQYc2EZf78Hb7m150K+qtmh3vE
nueVLB2ob6LKLewY+DbhglnExY3jy0sg0jTsvmA16fb1xWvuA6F7NsdT/8s/wPij
SwM8KDdQfZo7n8RVt+C0saZUP5OeE/Pgvk3vfXefUZgKSI2ZhbPiCxmlPmh1Jd0Z
9hjUcKQHglKdDN9M5Ub0qIpDdi+KHQfdZZkMLJsWwQtAVqjCFQo=
=IaN0
-----END PGP SIGNATURE-----





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.