 oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)

The SUSE Security Team Blog has a detailed report
(https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html)
on its discovery of CVE-2024-47191
(https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191/) in the
oath-toolkit (https://gitlab.com/oath-toolkit/oath-toolkit),
which provides libraries and utilities for managing one-time password
(OTP) authentication.


Fellow SUSE engineer Fabian Vogt approached our Security Team about
the project's PAM module. A couple of years ago, the module gained a
feature which allows placing the OTP state file (called usersfile) in
the home directory of the to-be-authenticated user. Fabian noticed
that the PAM module performs unsafe file operations in users' home
directories. Since PAM stacks typically run as root, this can easily
cause security issues.



https://lwn.net/Articles/992948/