(Ab)Using Security Tools & Controls for the Bad
As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures: install this tool, enable this feature, disable this function, etc. But once enabled, the same tools and features can also be (ab)used by attackers to perform nasty actions.
PAM, or Pluggable Authentication Modules[1], is an old authentication framework that has been around since 1997! It allows you to extend the authentication capabilities of a system and to interconnect it with third-party systems. PAM is available on all Linux flavors and is used, amongst plenty of other programs, by the SSH daemon. By default, SSH lets you authenticate with a password or a key, but there are plenty of other ways to authenticate a user: against a centralized authentication service (LDAP, RADIUS, Kerberos), against proprietary databases, and much more. It can also be used to raise the security level by implementing MFA ("Multi-Factor Authentication"). In 2009(!), I already wrote a blog post to explain how to use a Yubikey as a second factor via PAM[2].
Reading this, you can imagine that the PAM subsystem, being part of the authentication path, has access to a lot of sensitive information: a module is handed the username and the cleartext password typed by the user. Here is an example of a credential-leaking technique that I found in the wild recently, and it's pretty easy to implement. In many organizations, bastion hosts are used to give admins, consultants, etc. access to internal resources. They are used to "pivot" inside the network.
If a bastion host (or any server, or an admin endpoint) is compromised, a malicious PAM module can be installed to automatically collect credentials. One of these modules is called "pam_steal"[3]. It has only about 40 lines of code: once the attacker has installed it, it sits in the authentication flow and dumps the credentials of every user who logs in into a flat file, which the attacker collects later. No need to sniff network traffic or to decrypt anything!
Once dropped on the victim's system, the malicious module is enabled simply by adding a line referencing it to /etc/pam.d/common-auth (or to a service-specific file such as /etc/pam.d/sshd). To protect against this kind of attack, a good idea is to use a FIM[4] ("File Integrity Monitor") to detect changes performed in sensitive files like those in /etc/pam.d, as well as new or modified shared objects in the directory where the PAM modules themselves are installed.
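To make the FIM idea concrete, here is a small Python check (an added example, not code from the diary, from pam_steal or from any FIM product). It baselines a pam.d directory with SHA-256 digests, parses the PAM rule syntax to list every module referenced, and then reports modified files and module names that are not on an allowlist. The directory, the common-auth content and the "pam_steal.so" rule are constructed for the demo; on a real host you would point it at /etc/pam.d and also snapshot the distro's module directory (e.g. /lib/x86_64-linux-gnu/security on Debian/Ubuntu).

```python
# Added example: minimal file-integrity check for PAM configuration.
# Not part of the original diary; the sample pam.d content below is
# constructed for the demonstration.
import hashlib
import os
import re
import tempfile

# type  control  module  [args] ; control may be a bracketed expression
# such as [success=1 default=ignore], which contains spaces.
PAM_RULE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam_line(line):
    """Return (type, control, module, args) for a PAM rule, or None for
    comments, blank lines and @include directives (the included file is
    scanned on its own when the whole directory is walked)."""
    text = line.split("#", 1)[0].strip()
    if not text or text.startswith("@include"):
        return None
    m = PAM_RULE.match(text)
    if not m:
        return None
    return (m["type"], m["control"], m["module"], m["args"] or "")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map every regular file under directory (relative path) to its digest."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digests[os.path.relpath(path, directory)] = sha256_file(path)
    return digests


def referenced_modules(directory):
    """Set of module file names (pam_unix.so, ...) referenced by any rule."""
    modules = set()
    for rel in snapshot(directory):
        with open(os.path.join(directory, rel), encoding="utf-8", errors="replace") as f:
            for line in f:
                rule = parse_pam_line(line)
                if rule:
                    modules.add(os.path.basename(rule[2]))
    return modules


def audit(directory, baseline, allowed_modules):
    """Compare the current state of a pam.d directory with a baseline
    snapshot and with an allowlist of expected module names."""
    current = snapshot(directory)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "unknown_modules": sorted(referenced_modules(directory) - set(allowed_modules)),
    }


def demo():
    """Constructed scenario: a clean common-auth, a baseline, then a rogue
    module enabled by appending a single rule, as the diary describes."""
    pam_dir = tempfile.mkdtemp(prefix="pamd-")
    clean = (
        "# /etc/pam.d/common-auth (constructed sample)\n"
        "auth\t[success=1 default=ignore]\tpam_unix.so nullok\n"
        "auth\trequisite\t\t\tpam_deny.so\n"
        "auth\trequired\t\t\tpam_permit.so\n"
    )
    with open(os.path.join(pam_dir, "common-auth"), "w") as f:
        f.write(clean)
    allowed = {"pam_unix.so", "pam_deny.so", "pam_permit.so"}
    baseline = snapshot(pam_dir)

    # Simulated attacker: hypothetical rule enabling the stealing module.
    with open(os.path.join(pam_dir, "common-auth"), "a") as f:
        f.write("auth\toptional\t\t\tpam_steal.so\n")
    return audit(pam_dir, baseline, allowed)


if __name__ == "__main__":
    print(demo())
```

Running it reports common-auth as modified and pam_steal.so as an unknown module. Keep the baseline and the allowlist off the monitored host (an attacker with root can otherwise rewrite both), and schedule the audit from a separate system or from your existing FIM agent.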
[1] https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
[2] https://blog.rootshell.be/2009/03/27/yubikey-authentication-on-linux/
[3] https://github.com/ONsec-Lab/scripts/tree/master/pam_steal
[4] https://isc.sans.edu/forums/diary/What+to+watch+with+your+FIM/20897
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant