Part 3/12:

By manipulating environment variables, an attacker could deceive the PAM system into believing they are sitting physically at the machine—even if they're not. Specifically, attackers exploit the ordering problem within Open SUSA’s PAM environment module to inject environment variables that falsely indicate physical presence.

For example, an attacker logs into a system via SSH, then creates a specially crafted environment file that sets variables like XDG_SEAT and VTNR_OVERRIDE to simulate local session parameters. When the attacker logs back in, these variables are passed into the session, causing the PAM stack to believe that the user is physically present at the console.