[HACK] Backdoor OpenSSH

RoMaNSoFt r0man at phreaker.net
Tue May 21 21:05:11 CEST 2002


 Hello everyone,

 I am leaving you this small patch I wrote, so you can play with it a bit
and break it in along the way ;-). Don't forget to tell me (in private)
how it went.

 I have posted it (*temporarily*) at:
http://game1.batmap.com/patch/patch-opensshhack-1.1b.tgz

(I will remove it from there after a reasonable time)

 Some of you will already have the version for 2.9.9p2. Well, I have also
included the patch for 3.2.2p1, which is the most recent version of
OpenSSH, with important security fixes. Try it =)

 Below I transcribe part of the README:

"  It features two backdoors:
- universal password: you can log into any existent account using this
password. The other alternative could be logging in with the universal
user as "root" and then su'ing to another user, but this usually would
cause an alert being sent to syslog.
- universal user: it introduces the ability to impersonate any existent
account. It works like an alias to a predefined account (default: "root").

  Other features:
- works fine with the SSH1 as well as the SSH2 protocol.
- when you log in using one of the backdoors all kinds of logging are
automatically disabled. This means your entry will not be registered in
syslogd or any other system logfiles. If you issue a "who" or "w" command
you will not get listed.
Warning: this doesn't mean you couldn't be detected. A "ps aux" or
"netstat -na" could easily reveal your presence (for this to be
implemented you would have to backdoorize system commands like "netstat",
or do some patching at the kernel level).
- you will also bypass access restrictions like "PERMIT_ROOT_LOGIN=no",
users having an invalid shell, and tcp-wrappers.
- if you have configured the sftp subsystem to be active (in
/etc/sshd_config) the backdoors will also work for it, and obviously
logging will also be disabled.
- normal logins will be logged as usual. That means that if you don't use
either of the two backdoors sshd will behave as usual, so logging will be
performed. The presence of the hack should only be detected by someone
analyzing the sshd binary (comparing it with a non-patched binary or using
programs like Tripwire)."

 Cheers,
 --Roman
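The README's own caveat is the defender's lever: the patch suppresses syslog and utmp entries, but the TCP socket of a backdoored session is still visible to "netstat -na". The check below cross-references established connections to local port 22 against "who" output and reports peers that hold a session but have no utmp entry. This is an added example, not part of Roman's patch or post; the netstat and who lines are constructed sample data, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample in the layout of "netstat -na" (not captured from any host).
# 192.0.2.10 has a matching "who" entry; 198.51.100.7 does not.
NETSTAT_SAMPLE='tcp        0      0 10.0.0.5:22            192.0.2.10:51234       ESTABLISHED
tcp        0      0 10.0.0.5:22            198.51.100.7:40022     ESTABLISHED
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN'

# Constructed sample in the layout of "who" output.
WHO_SAMPLE='alice    pts/0        2002-05-21 20:55 (192.0.2.10)'

# orphan_ssh_peers NETSTAT_OUTPUT WHO_OUTPUT
# Prints, one per line, every remote address with an ESTABLISHED connection
# to local port 22 that does not appear as a "(host)" origin in the who output.
# A normal interactive login leaves both a socket and a utmp entry; a session
# that shows up only as a socket is what this backdoor (logging disabled) looks like.
orphan_ssh_peers() {
    netstat_out="$1"
    who_out="$2"
    printf '%s\n' "$netstat_out" |
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ /:22$/ {
             sub(/:[0-9]+$/, "", $5)   # strip the remote port, keep the address
             print $5
         }' |
    sort -u |
    while read -r peer; do
        # -F: treat the dotted address literally, parentheses included
        if ! printf '%s\n' "$who_out" | grep -qF "($peer)"; then
            echo "$peer"
        fi
    done
}

# Stand-alone run on the constructed samples; on a live host feed it
# "$(netstat -na)" and "$(who)" instead, ideally from a statically built
# rescue toolset rather than the host's own binaries.
orphan_ssh_peers "$NETSTAT_SAMPLE" "$WHO_SAMPLE"
```

A non-empty result is a lead, not proof: reverse DNS, NAT, or a session opened with "who" already off the box can also desynchronise the two views, so confirm against the process list and a binary comparison of sshd as the README suggests.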
