Pluggable Authentication Modules
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary-supplied values as legitimate credentials.
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code that harvests user credentials, since the values exchanged with PAM components may be in plaintext (PAM does not store passwords).
Building a modified PAM module is not trivial: the source must match the PAM version shipped by the distribution whose module you intend to replace, and the change is made to the function that verifies the user's password.
If the OS distribution of the target can be reproduced, obtaining the matching PAM version is straightforward: set up a virtual machine similar to the original target and first fetch the PAM source package.
Note above that the required files are decompressed automatically. Next, locate the pam_unix_auth.c file and find this part of the code:
This is where the user's password is verified, as the comment notes. A simple modification is to add a HARDCODED string to compare against: all existing functionality keeps working, but if that string is found in the password supplied for ANY user, it is accepted as valid.
So the modified version should look something like the following, where the string is checked; other functions could be modified as well, but here we are working with the password check.
Once that is done, compile the project and replace the target's pam_unix.so with the modified one. Logins continue to work as before, but now every account also accepts the master password.
A small demonstration where the master password is used to log in as any user:
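A defender-side check for the module replacement described above, added here as an illustration and not part of the original page: it hashes the PAM module and configuration directories and compares them to a baseline taken from a trusted image, so a rebuilt pam_unix.so or a dropped-in extra module shows up as a change. The PAM_PATHS locations are assumed defaults, and demo() builds a constructed scenario in a temporary directory rather than touching the real system.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Common PAM module/config locations (assumed defaults; adjust per host).
PAM_PATHS = ["/lib/x86_64-linux-gnu/security", "/lib64/security", "/etc/pam.d"]

def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(roots):
    """Map every regular file under the roots to its digest; missing roots are skipped."""
    digests = {}
    for root in roots:
        if not os.path.isdir(root):
            continue
        for p in Path(root).rglob("*"):
            if p.is_file() and not p.is_symlink():
                digests[str(p)] = sha256_of(p)
    return digests

def diff_baseline(baseline, current):
    """Compare a trusted baseline against the current snapshot. A rebuilt
    pam_unix.so appears under 'modified'; a dropped-in module under 'added'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario in a temp dir: baseline, simulate the module swap
    from the page plus an extra module, diff. Returns file names only."""
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp) / "pam_unix.so"
        mod.write_bytes(b"constructed: original module bytes")
        baseline = snapshot([tmp])
        mod.write_bytes(b"constructed: rebuilt module accepting a master password")
        (Path(tmp) / "pam_extra.so").write_bytes(b"constructed: extra module")
        result = diff_baseline(baseline, snapshot([tmp]))
    return {k: [Path(p).name for p in v] for k, v in result.items()}

if __name__ == "__main__":
    print(demo())  # {'modified': ['pam_unix.so'], 'added': ['pam_extra.so'], 'removed': []}
```

On a real host, store snapshot(PAM_PATHS) from a known-good image and diff against it on a schedule; the distribution's own manifests (dpkg -V on Debian-based, rpm -V on RPM-based systems) give a quicker first pass for the same files.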