Mcdope

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.0 **Description** In `src/mem.c`, out-of-memory guards for the functions `xmalloc()`, `xrealloc()`, and `xstrdup()` were implemented using `assert(data != NULL)`. Because `assert()` expressions are compiled out when `NDEBUG` is defined during build time—a common practice in release and packaging builds for Debian, Fedora, and Arch—these guards are removed in such versions. Consequently, these functions return NULL upon allocation failure, which is then dereferenced without a check, leading to a NULL pointer dereference and a crash of the PAM module. This creates a local denial-of-service condition where an attacker inducing memory pressure during authentication can lock all users out of `sudo` and `login`. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.0 **Description** The `pusb pad compare()` function in src/pad.c only verifies that the user-side pad (~/.pamusb/device.pad) is readable, without ensuring the system-side pad on the USB device is present and readable. If the user-side pad is deleted or unreadable, the function returns a failure that some code paths treat as non-fatal, allowing authentication to succeed without verifying the USB device. Consequently, a local user can delete their own `~/.pamusb/device.pad` to bypass the physical USB device requirement. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.0 **Description** pam usb provides hardware authentication for Linux using removable media. The software builds XPath expressions to query `/etc/pamusb.conf` using identifiers supplied by the user (PAM username, service name) and the device (USB device serial, model, vendor). Because these identifiers are not validated for XPath metacharacters, it is possible to inject arbitrary XPath predicates. XPath injection is a technique where an attacker inserts malicious code into an XPath query to manipulate the data returned by the application. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.0 **Description** Multiple helper tools in pam usb resolve external binaries using the `PATH` environment variable instead of absolute paths. An attacker capable of influencing the process environment during PAM authentication or tool execution could substitute legitimate binaries with malicious ones. The affected tools include `pamusb-check` (src/tmux.c), `pamusb-conf` (tools/pamusb-conf), and `pamusb-keyring-unlock-gnome` (tools/pamusb-keyring-unlock-gnome). **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.1 **Description** When a PAM service is configured with `deny remote=false`, the `PAM RHOST` check within the `pusb do auth()` function is skipped. `PAM RHOST` is a variable used by remote daemons, such as sshd or XDMCP servers, to identify the address of a remote client. Because this check is gated by the `deny remote` option, remote XDMCP connections can reach the USB device authentication stage instead of being rejected. **Recommendations** Update to version 0.9.1.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.1 **Description** In the `src/conf.c` file, heap memory is allocated proportional to `n devices`, a count derived from libxml2 XPath evaluation of the configuration file, without enforcing an upper bound. On 32-bit targets such as armv7l and i686, the multiplication of `n devices` by `sizeof(t pusb device)` can wrap around `size t`, resulting in `xmalloc()` receiving a very small size. Since `xmalloc()` only triggers an abort on a NULL return, a small-but-non-NULL allocation is accepted, leading to a heap-based buffer overflow during subsequent array writes. **Recommendations** Update to version 0.9.1.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.1 **Description** In `src/log.c`, a process-wide static pointer is written with the address of a stack-local variable during every PAM invocation. This behavior violates the PAM re-entrancy requirement—the ability of a function to be interrupted and safely called again before its previous invocation has finished—resulting in a data race when the PAM stack is invoked concurrently from multiple threads. **Recommendations** Update to version 0.9.1.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.1 **Description** In the `src/evdev.c` file, the `pusb has virtual input device()` function silently ignores EACCES errors when opening `/dev/input/event*` nodes. This behavior causes the function to return 0, indicating no virtual devices were found, even if all `open()` calls failed due to insufficient permissions. Consequently, the caller in `src/local.c` cannot differentiate between a genuine absence of virtual devices and a scan blocked by permission denials, leading the system to continue authentication without denying access. This effectively disables remote desktop detection during non-root execution. **Recommendations** Update to version 0.9.1.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.8.7 **Description** pam usb provides hardware authentication for Linux using removable media. The `pamusb-pinentry` component reads the `PINENTRY FALLBACK APP` environment variable and executes it without validation. A process capable of setting environment variables before `pamusb-pinentry` is invoked can point `PINENTRY FALLBACK APP` to an arbitrary binary or script, leading to execution with the privileges of the pam usb tool chain. **Recommendations** Update to version 0.8.7.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.8.7 **Description** In `src/device.c`, the return values of the functions `udisks drive get serial()`, `udisks drive get vendor()`, and `udisks drive get model()` are passed directly to `strcmp()` without NULL checks. According to GIO/UDisks API documentation, these accessors can return NULL for devices that do not expose the corresponding field. Passing a NULL pointer to `strcmp()` results in undefined behavior, typically leading to a SIGSEGV (segmentation fault), which causes a PAM crash and a login denial-of-service. **Recommendations** Update to version 0.8.7.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.8.7 **Description** pam usb provides hardware authentication for Linux using ordinary removable media. Symlink attacks on the pad directory and pad files allow for authentication bypass and corruption of root files. **Recommendations** Update to version 0.8.7.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.8.7 **Description** An issue exists in the hardware authentication system for Linux where shell injection can occur. A crafted UUID in the configuration can lead to root remote code execution when the `pamusb-conf --reset-pads` command is executed. This payload can be injected during the `--add-device` process via a USB device with a crafted filesystem UUID. Additionally, the `userName` variable from the XML configuration is passed to the `os.system()` function in `pamusb-agent`, which invokes a shell. **Recommendations** Update to version 0.8.7.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.8.7 **Description** In the `src/tmux.c` file, the software reads the `$TMUX` environment variable, splits it by commas, and interpolates the socket-path component directly into a shell command executed via the `popen()` function. Since the value is placed within double-quotes without proper sanitization, an attacker can use a double-quote character to terminate the string and inject arbitrary shell syntax. This process executes with root privileges within the PAM stack, potentially leading to remote code execution. **Recommendations** Update to version 0.8.7.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.0 **Description** The `deny remote` feature incorrectly classifies IPv4-mapped IPv6 remote connections as local sessions. This occurs because the system checks the `ut addr v6` field of `utmpx` using a guard `if (utent->ut addr v6[0] != 0)`, which only validates the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in `ut addr v6[3]` while `ut addr v6[0]` remains 0. On systems where the SSH daemon listens on the IPv6 wildcard (::) with AddressFamily any, such as common Ubuntu and Debian configurations, incoming IPv4 connections are recorded as IPv4-mapped IPv6 addresses. Consequently, the remote-detection block is skipped, and the session is treated as local, allowing the `deny remote=true` setting to be bypassed. An attacker with physical access to a registered USB device can authenticate over SSH as if they were at a local terminal. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** pam usb versions prior to 0.9.0 **Description** This issue occurs in the `deny remote` feature of the PAM module, which is loaded into host processes such as sudo, login, GDM, and GNOME Shell. In multi-threaded environments like GDM, three functions utilize the non-reentrant `strtok()` function. Because `strtok()` stores state in a single global pointer, concurrent authentication threads can race, allowing one thread to overwrite another's tokenization pointer. This leads to incorrect parsing of `/proc` environment scans or tmux session data used for remote-session detection. Furthermore, the `pusb tmux get client tty()` function passes a raw pointer from `getenv(TMUX)` directly to `strtok()`. Since `strtok()` inserts NUL bytes into the live process environment block, the `TMUX` variable is permanently corrupted for all subsequent code in that process. Consequently, when `deny remote=true` is set, the system may make incorrect authentication decisions for either remote or local sessions depending on thread interleaving. **Recommendations** Update to version 0.9.0.