desp's stash

ritsec22.md

### ssh backdoor
as the name suggests, it's a backdoor planted into the sshd binary itself
i first tried to see how close it might be to any ol' sshd, but the one i referenced seemed very different from the one they modified
so i grabbed the version string from the modified sshd, and it turns out it's `OpenSSH 8.4p1, Ubuntu-5ubuntu2`
so i went to https://launchpad.net/ubuntu/+source/openssh/1:8.4p1-5ubuntu2 to grab the deb and compared, and it actually looks quite the same in IDA's top bar
(i wonder what 5ubuntu2 changed that made it differ so much, since the one i referenced looks to be another build of OpenSSH 8.4p1 too, albeit not ubuntu's)
since it's pretty much identical i thought why not run bindiff on it, which i had been trying to use to compare mai versions anyway
and ey, it shows up as a 99.5% match with only 10 functions not matching, as expected
so i opened the largest function that doesn't match, and ey, it looks like a backdoor indeed
i xref'd back to the parent function, extracted the part that changed and looked at how it works
[@kevin](https://maplebacon.org/authors/Kevin/) was looking at the openssh sources, so i went to check out `auth-passwd.c` too
and eventually i figured out it's just comparing whatever the function generated to our provided password, and if it matches it returns 1 no matter what
so i proposed why not breakpoint right at the comparison and grab the string `VEGA INTERNATIONAL NIGHT SCHOOL` we are supposed to enter as the password
and after a while [@kevin](https://maplebacon.org/authors/Kevin/) got the flag by attaching gdb to his own system's sshd and patching it, ey `RS{psych1c_ch45m5_4w41t_y0u}`
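to make the pattern above concrete, here's an added sketch (my own illustration, not the challenge binary's code and not OpenSSH's) of what a password-check backdoor of this shape looks like next to the clean check it replaces. the function shape is loosely modelled on `auth_password()` in `auth-passwd.c` but simplified: no `struct ssh`, and the legitimate check is a stand-in for PAM/shadow with one made-up account. how the real backdoor "generated" its string is not known to me; the xor table decode below is an assumption chosen because it's a common way to keep the magic password out of `strings`, which is exactly why a breakpoint at the compare is the easy way to recover it.

```c
/* Added example of the backdoor pattern described in the writeup.
 * Not the challenge's code, not OpenSSH's code. The xor-table
 * "generator" and the hard-coded account are assumptions. */
#include <stdio.h>
#include <string.h>

#define KEY 0x5A
#define X(c) ((unsigned char)((c) ^ KEY))

/* Obfuscated table for "VEGA INTERNATIONAL NIGHT SCHOOL" (31 bytes).
 * The xor is constant-folded, so the compiled object only holds the
 * scrambled bytes and `strings sshd` never shows the password. */
static const unsigned char table[] = {
    X('V'), X('E'), X('G'), X('A'), X(' '),
    X('I'), X('N'), X('T'), X('E'), X('R'), X('N'), X('A'),
    X('T'), X('I'), X('O'), X('N'), X('A'), X('L'), X(' '),
    X('N'), X('I'), X('G'), X('H'), X('T'), X(' '),
    X('S'), X('C'), X('H'), X('O'), X('O'), X('L')
};

/* The "generator": decodes the magic password into memory at runtime.
 * This is the moment the plaintext exists, which is what the
 * breakpoint-at-the-comparison trick relies on. */
const char *generated_magic(void) {
    static char buf[sizeof table + 1];
    for (size_t i = 0; i < sizeof table; i++)
        buf[i] = (char)(table[i] ^ KEY);
    buf[sizeof table] = '\0';
    return buf;
}

/* Stand-in for the legitimate check (PAM/shadow in the real sshd).
 * One constructed account, for the example only. */
static int legit_password_ok(const char *user, const char *password) {
    return strcmp(user, "alice") == 0 &&
           strcmp(password, "correct horse") == 0;
}

/* What the unmodified function amounts to: only the real check decides. */
int clean_auth_password(const char *user, const char *password) {
    return legit_password_ok(user, password);
}

/* Backdoored variant: if the supplied password equals the generated
 * string, return 1 for any user before the real check ever runs.
 * A breakpoint on this strcmp (or on the first compare in the modified
 * function) exposes both strings through the argument registers. */
int backdoored_auth_password(const char *user, const char *password) {
    if (strcmp(generated_magic(), password) == 0)
        return 1;                       /* backdoor hit */
    return legit_password_ok(user, password);
}

int main(void) {
    const char *tries[][2] = {
        { "root",  "VEGA INTERNATIONAL NIGHT SCHOOL" },
        { "root",  "hunter2" },
        { "alice", "correct horse" },
    };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-6s %-32s clean=%d backdoored=%d\n",
               tries[i][0], tries[i][1],
               clean_auth_password(tries[i][0], tries[i][1]),
               backdoored_auth_password(tries[i][0], tries[i][1]));
    return 0;
}
```

when doing this against a live sshd rather than a toy, remember that the listener forks a per-connection process and the password check runs in the forked side, so in gdb you want `set follow-fork-mode child` (or attach to the connection's process directly) before putting the breakpoint on the compare.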
