On Sat, Jan 17, 2015, at 11:41 PM, Stefan Sperling wrote:
> On Sat, Jan 17, 2015 at 10:59:19PM +0100, Daniel Cegiełka wrote:
> > http://www.spiegel.de/media/media-35663.pdf
> >
> > "PANT SPARTY is a backdoor in the SSH daemon for *NIX, based on
> > OpenSSH portable"
>
> They are not talking about the official OpenSSH code.
>
> To save everyone a bit of time (and hassle with a PDF), from the same
> document:
>
> "It allows a public key to be embedded in the sshd binary and will then
> always grant a root login shell if presented with the proper key pair
> for that key. [...] authorized_keys as a quick-and-easy method of
> persistence [...] obviously isn't very stealthy [...] The goal for this
> project was to provide the same level of persistence but embedded in
> the sshd binary itself (obviously, assuming root access, as before)"
>
> In other words, no backdoor in sshd unless the system has already been
> rooted by other means and sshd replaced with a bugged binary. Boohoo.
Stefan correctly mentions that the document specifically talks about the
portable version.

Some interesting things I found in the document:

- it's not a stealthy upstreamed backdoor - just local source modifications
  that are supposed to be dropped on an already compromised system (like
  Stefan mentioned)
- the code was modified to allow root login regardless of configuration
- 'SSH has a _lot_ of checks to make sure you can't switch usernames in the
  middle of a login (go figure) so this was a bit tricky to bypass'. That's a
  nice advertisement for the quality of the OpenSSH code base :) even with
  source access the guy had to jump through hoops to achieve login switching
- '..wanted to allow an arbitrary username to be provided... This led to all
  sorts of problems where I didn't even get a valid authorization context at
  all, and I couldn't manually call the C function to get one for root because
  the connection is a de-privileged child process'. Again a nice advertisement
  for OpenSSH :)
- fake accounts can log in, the log will state it failed and hide the fact
  that ssh authed an authorized key for root

It took him 2 days, with full source code access and intrusive checks added to
the code in order to disable the internal mitigations in OpenSSH. I seriously
doubt a change like that could be upstreamed without anyone noticing :)

Regards,
-- 
Adam Wolk
adam.w...@koparo.com
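Since the document describes persistence as a replaced sshd binary with a public key embedded in it (and a log that lies about the result), the defender's check is binary integrity rather than log review. The script below is an added example written for this thread; it is not code from the thread, from the leaked document, or from the OpenSSH project. It compares the SHA-256 of an sshd binary against a baseline digest (assumed to come from a trusted source such as the package manager's recorded checksum or a clean build, not from the host being checked) and, as a secondary heuristic, scans the binary for text-encoded OpenSSH public keys of the form "ssh-ed25519 AAAA...". The assumption that a backdoored binary would carry its key as a plaintext authorized_keys-style string is mine and is not stated in the document; a stock sshd contains algorithm names like "ssh-rsa" as strings but no such base64 key blobs, and the hash comparison remains the authoritative test. The sample binaries are constructed byte strings, not real sshd builds.

```python
import hashlib
import re
import sys

# Constructed samples standing in for a clean and a tampered sshd binary.
# Neither is a real ELF file; they exist only so the example runs offline.
CLEAN_SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"OpenSSH_6.7p1\x00ssh-rsa\x00ssh-ed25519\x00"   # normal algorithm-name strings
    + b"PermitRootLogin\x00"
)
# Hypothetical embedded key: constructed base64-looking blob, not a real key.
TAMPERED_SAMPLE = CLEAN_SAMPLE + (
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterial0000 x@y\x00"
)

# Matches an authorized_keys-style line: a key type followed by a base64 blob
# starting with "AAAA" (the length prefix every OpenSSH public key begins with).
KEY_RE = re.compile(
    rb"(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    rb" AAAA[A-Za-z0-9+/=]{20,}"
)


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the binary contents."""
    return hashlib.sha256(data).hexdigest()


def find_embedded_pubkeys(data: bytes) -> list[str]:
    """Return any text-encoded OpenSSH public keys found inside the binary."""
    return [m.group(0).decode("ascii", "replace") for m in KEY_RE.finditer(data)]


def check_binary(data: bytes, expected_sha256: str) -> dict:
    """Compare a binary against a trusted baseline digest and scan for embedded keys.

    'suspicious' is set when the digest differs from the baseline OR a key blob is
    present; a digest mismatch alone is enough to warrant reinstalling from a
    trusted package, since the backdoor need not store its key in plaintext.
    """
    digest = sha256_of(data)
    keys = find_embedded_pubkeys(data)
    return {
        "sha256": digest,
        "matches_baseline": digest == expected_sha256,
        "embedded_keys": keys,
        "suspicious": digest != expected_sha256 or bool(keys),
    }


if __name__ == "__main__":
    # Usage: python check_sshd.py /path/to/sshd <trusted-sha256-hex>
    # The baseline digest must come from a source the host cannot have altered.
    if len(sys.argv) != 3:
        print("usage: check_sshd.py <sshd-binary> <trusted-sha256>", file=sys.stderr)
        sys.exit(2)
    with open(sys.argv[1], "rb") as f:
        result = check_binary(f.read(), sys.argv[2].lower())
    for k, v in result.items():
        print(f"{k}: {v}")
    sys.exit(1 if result["suspicious"] else 0)
```

Run against the real binary with a digest taken from the package database or a known-good build; a mismatch should be treated as "reinstall sshd from a trusted package and investigate how root was obtained", because, as the document itself says, the modified binary only gets there after the box is already rooted.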