Linux vuln: PAM backdoors #2

@pyukey

Difficulty: 6/10

PAM (Pluggable Authentication Modules) handles authentication in Linux. It is very confusing, very painful, and there are plenty of ways it can be backdoored. Here is an introductory video and here is detailed documentation. Lastly, here are my notes explaining PAM.

Resources

These are several existing ways PAM has been backdoored, which you can take inspiration from:

Vulnerabilities

There are plenty of ways PAM can be messed with. The goal of this feature request is to implement as many of them as possible (have a working install and a working checker). Some things include:

  • Replacing pam_deny with pam_permit in the /etc/pam.d config files
    • There are other, more nuanced configuration changes that could be made, but I do not know them
  • Replacing the .so binaries in /lib/x86_64-linux-gnu/security/.
    • Could be replacing the pam_deny.so with pam_permit.so
    • Could be modifying pam_unix.so to contain a backdoored password

How to resolve this issue

You can create a fork of the repo, add the desired vulns, and then submit a pull request. Resources explaining how to add vulnerabilities are present in our documentation, slides, and video.
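
Added example, not part of the original issue or the project's code: one way a checker could detect the `pam_deny` to `pam_permit` swap in a `/etc/pam.d` file is to evaluate the auth stack while assuming every credential check fails and see whether it still returns success. The function names, the `succeeds` parameter and the sample stack are assumptions made for this sketch; `@include`, `include` and `substack` lines are not followed and the `reset` action is not modelled.

```python
SHORTHAND = {  # keyword controls and their bracket equivalents, per pam.conf(5)
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

def parse_stack(text, kind="auth"):
    """Return [(actions, module_name)] for one management group."""
    stack = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if len(line.split()) < 3 or line.split()[0].lstrip("-") != kind:
            continue  # blank, comment, @include, or another group
        rest = line.split(None, 1)[1]
        if rest.startswith("["):
            ctrl, rest = rest[1:].split("]", 1)
            actions = dict(p.split("=", 1) for p in ctrl.split())
        else:
            ctrl, rest = rest.split(None, 1)
            actions = SHORTHAND.get(ctrl)  # include/substack/unknown: skipped
        if actions and rest.split():
            stack.append((actions, rest.split()[0].rsplit("/", 1)[-1]))
    return stack

def bypassable(text, kind="auth", succeeds=("pam_permit.so",)):
    """True if the stack returns success although only `succeeds` modules pass."""
    state, skip = None, 0  # state: None undecided, True success, False failed
    for actions, module in parse_stack(text, kind):
        if skip:
            skip -= 1
            continue
        result = "success" if module in succeeds else "default"
        # Assumption: a result with no listed action and no default counts as bad.
        action = actions.get(result, actions.get("default", "bad"))
        if action.isdigit() and int(action) > 0:
            skip, action = int(action), "ok"  # jump N modules, otherwise like ok
        if action in ("bad", "die") or (action in ("ok", "done") and result != "success"):
            state = False
        elif action in ("ok", "done") and state is None:
            state = True
        if action == "die" or (action == "done" and state):
            break
    return state is True

# Constructed samples in the Debian common-auth layout (not taken from the issue).
STOCK = ("auth [success=1 default=ignore] pam_unix.so nullok\n"
         "auth requisite pam_deny.so\nauth required pam_permit.so\n")
SWAPPED = STOCK.replace("pam_deny.so", "pam_permit.so")
```

Helper modules that normally succeed without checking credentials can be passed in `succeeds` so they do not mask a later `pam_permit.so`. This only covers the configuration-file case; replaced `.so` files need a hash comparison against the copies shipped by the package.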
