On Sat, Jan 17, 2015, at 11:41 PM, Stefan Sperling wrote:
> On Sat, Jan 17, 2015 at 10:59:19PM +0100, Daniel Cegiełka wrote:
> > http://www.spiegel.de/media/media-35663.pdf
> >
> > "PANT SPARTY is a backdoor in the SSH daemon for *NIX, based on
> > OpenSSH portable"
>
> They are not talking about the official OpenSSH code.
>
> To save everyone a bit of time (and hassle with a PDF), from the same
> document:
>
> "It allows a public key to be embedded in the sshd binary and will then
> always grant a root login shell if presented with the proper key pair
> for that key. [...] authorized_keys as a quick-and-easy method of
> persistence [...] obviously isn't very stealthy [...] The goal for this
> project was to provide the same level of persistence but embedded in
> the sshd binary itself (obviously, assuming root access, as before)"
>
> In other words, no backdoor in sshd unless the system has already been
> rooted by other means and sshd replaced with a bugged binary. Boohoo.
>
Stefan correctly mentions that the document specifically talks about the
portable version.
Some interesting things I found in the document:
- it's not a stealthy upstreamed backdoor - just local source modifications
  that are supposed to be dropped on an already compromised system (like
  Stefan mentioned)
- the code was modified to allow root login regardless of configuration
- 'SSH has a _lot_ of checks to make sure you can't switch usernames in the
  middle of a login (go figure) so this was a bit tricky to bypass'. That's a
  nice advertisement for the quality of the OpenSSH code base :) even with
  source access the guy had to jump through hoops to achieve login switching
- '..wanted to allow an arbitrary username to be provided... This led to all
  sorts of problems where I didn't even get a valid authorization context at
  all, and I couldn't manually call the C function to get one for root
  because the connection is a de-privileged child process'. Again a nice
  advertisement for OpenSSH :)
- fake accounts can log in, the log will state it failed and hide the fact
  that ssh authed an authorized key for root
It took him 2 days, with full source code access and intrusive checks added
to the code in order to disable the internal mitigations in OpenSSH. I
seriously doubt a change like that could be upstreamed without anyone
noticing :)
Regards,
--
Adam Wolk
[email protected]
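A check a practitioner would want after reading this thread: the persistence described in the document is a public key compiled into a replaced sshd binary, so a quick triage step is to scan the binary for SSH public keys. The script below is an added example written for this page; it is not code from the thread, from the quoted document or from OpenSSH. It looks for keys in the authorized_keys text form ("ssh-ed25519 AAAA...") and in the raw SSH wire form (uint32 length-prefixed type string followed by the key fields), validates the structure, and prints an OpenSSH-style SHA256 fingerprint for each hit so it can be compared against keys you know. The list of key types, the field counts per type, and the sample "binary" (ELF-looking filler with two constructed, non-real keys embedded) are all assumptions made for the example.

```python
"""Triage scan for a public key embedded in an sshd binary.

Added example; not code from the mailing-list thread, the quoted document
or the OpenSSH project. An obfuscated key will not be found, so an empty
result is not proof of a clean binary: comparing the file's hash against a
known-good build or your distribution's package manifest is the stronger
check. The sample binary built here is constructed filler, not a real sshd.
"""
import base64
import binascii
import hashlib
import re
import struct
import sys

# Length-prefixed fields that follow the key-type string in the public-key
# wire encoding (RFC 4253 / RFC 5656 / RFC 8709 layouts). Assumed list.
FIELD_COUNT = {
    b"ssh-rsa": 2,               # e, n
    b"ssh-dss": 4,               # p, q, g, y
    b"ecdsa-sha2-nistp256": 2,   # curve name, point
    b"ecdsa-sha2-nistp384": 2,
    b"ecdsa-sha2-nistp521": 2,
    b"ssh-ed25519": 1,           # 32-byte point
}

# authorized_keys text form: "<key type> <base64 blob>"
TEXT_RE = re.compile(
    rb"(" + b"|".join(re.escape(t) for t in FIELD_COUNT) + rb") "
    rb"([A-Za-z0-9+/]{20,}={0,2})")

MAX_FIELD = 16384  # larger fields are not plausible for a public key


def _wire_string(s: bytes) -> bytes:
    """SSH wire encoding of a string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(s)) + s


def _parse_wire_key(blob: bytes):
    """If blob starts with a well-formed wire-form public key, return
    (key type, number of bytes the key occupies); otherwise None."""
    pos = 0

    def read_string() -> bytes:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if n == 0 or n > MAX_FIELD or pos + n > len(blob):
            raise ValueError("implausible field length")
        field = blob[pos:pos + n]
        pos += n
        return field

    try:
        ktype = read_string()
        if ktype not in FIELD_COUNT:
            return None
        for _ in range(FIELD_COUNT[ktype]):
            read_string()
    except ValueError:
        return None
    return ktype.decode(), pos


def fingerprint(wire: bytes) -> str:
    """SHA256 fingerprint of a wire-form key, same format as `ssh-keygen -lf`."""
    digest = hashlib.sha256(wire).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_embedded_ssh_keys(blob: bytes):
    """Return [(encoding, key type, fingerprint, offset)] for every
    structurally valid public key found in blob, ordered by offset."""
    found = []
    for m in TEXT_RE.finditer(blob):                 # 1. text form
        try:
            wire = base64.b64decode(m.group(2), validate=True)
        except binascii.Error:
            continue
        # the decoded blob must be exactly one key of the advertised type
        if _parse_wire_key(wire) == (m.group(1).decode(), len(wire)):
            found.append(("text", m.group(1).decode(), fingerprint(wire), m.start()))
    for ktype in FIELD_COUNT:                        # 2. raw wire form
        needle = _wire_string(ktype)
        start = blob.find(needle)
        while start != -1:
            parsed = _parse_wire_key(blob[start:])
            if parsed:
                found.append(("wire", parsed[0],
                              fingerprint(blob[start:start + parsed[1]]), start))
            start = blob.find(needle, start + 1)
    return sorted(found, key=lambda f: f[3])


def build_sample_binary() -> bytes:
    """Constructed stand-in for a trojaned sshd: ELF-looking filler with one
    key in each encoding. Key material is filler bytes, not real keys."""
    ed_wire = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(32)))
    rsa_wire = (_wire_string(b"ssh-rsa")
                + _wire_string(b"\x01\x00\x01")            # e = 65537
                + _wire_string(b"\x00" + b"\xab" * 256))   # n, 2048-bit filler
    filler = b"\x7fELF" + bytes(range(256)) * 8
    return (filler
            + b"ssh-ed25519 " + base64.b64encode(ed_wire) + b" root@example\n"
            + filler + rsa_wire + filler)


if __name__ == "__main__":
    # Usage: python3 scan_sshd_keys.py /path/to/sshd   (no argument: demo)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            hits = find_embedded_ssh_keys(f.read())
    else:
        hits = find_embedded_ssh_keys(build_sample_binary())
    for enc, ktype, fp, off in hits:
        print(f"offset {off:#x}: {enc}-form {ktype} key {fp}")
    if not hits:
        print("no embedded public key found (obfuscated keys are not detected)")
```

Run it against the sshd you actually execute (check what the init script or rc configuration points at, not just `/usr/sbin/sshd`) and compare any fingerprint it prints with `ssh-keygen -lf` output for keys you expect to exist on the host; a hit that matches nothing you know is worth an incident ticket. Because the key types are matched only by their wire prefix, the scan is cheap enough to run from a periodic integrity job alongside a hash comparison.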