New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Be more careful about environment variables #29
Comments
For the RANDFILE env var, the login_duo process drops privileges to the sshd privsep user before calling https_init, which is where the getenv and RAND_load_file takes place. Therefore, only files readable by the sshd privsep user could be provided via RANDFILE, which limits the target set of files to only world-readable files on any sane system. And of course, world-readable files are already readable by the user executing the login_duo command. So, an affected system would need to lack a sufficient entropy source to cause RAND_status to fail, there would need to be a sensitive file owned by the privsep user, and you would need some way to derive the data from that file loaded via RAND_load_file. If you can think of any interesting scenarios where it might be feasible (particularly for the latter two conditions), let me know! As for the HTTP_PROXY env var, the HTTP proxy support is limited to simple CONNECT-based proxying. Therefore, you wouldn't be able to MITM the connection to snoop on any data (not that there's much useful data in the request that you wouldn't already have access to with your own user's invocation of login_duo). A custom CA cert can be specified in the configuration file, but if you cannot specify your own configuration file with -c if the setuid bit is present on the login_duo binary. |
Isn't the duo configuration file with the API secrets readable for that user, too? That's what it looks like on my PC (but maybe I just misconfigured Duo):
Some applications do a
I'm not sure about this, but if you have managed to make the contents of a secret file the source of randomness for crypto, maybe you can intercept the connection using the HTTP_PROXY var and derive the secret file's contents from the encryption key of the connection? If the amount of unknown data in the secret file was small enough, you might be able to get the key using brute force... |
Oops, don't mind this one. Of course, the duo config file wouldn't be present in the chroot either, so the helper would probably just fail. |
Ah, of course, you're correct about the config file permissions. :-)
I was thinking along the same lines with the brute force method. I haven't dug into the RAND_* internals to see how it's treating the RANDFILE entropy source, but I imagine there's some determinism there and could be brute forced if the secret data was constrained in size or format. Let's consider the login_duo.conf file as a real-world example, since it's readable by the privsep user. Let's assume that the target login_duo.conf follows the default format/layout/spacing. Let's also assume that the config file only contains the default parameters of ikey/skey/hostname. Additionally, let's assume that the attacker knows the ikey and the hostname. That may not be true in most scenarios, but the ikey/hostname are not meant to be secret, so let's just assume they're available somehow to the attacker. So, the only unknown data would be skey. If a bruteforce vector is at all feasible there, the attacker would need to guess the skey, which is 40 characters of upper/lower alpha and digits and comes out to about 238 bits of entropy. We're entering infeasibility territory now... :-P All that said, even if the attack was successful somehow, extracting the skey doesn't provide any value to the attacker. ;-) The attacker could use it to make authentication requests to the server (eg. initiate push notifications, etc) to cause annoyance to legit users, but there's no security impact. |
Closing out this old issue |
As far as I can see,
login_duo
doesn't clear environment variables before performing HTTPS requests. Have a look at these things inlib/https.c
:and
This means that on systems without
/dev/urandom
, every user can cause duo_unix to read files in the context of the duo helper user and to then send data derived from these files to a user-specified host.The text was updated successfully, but these errors were encountered: