This presentation by Rodney Thayer explores the technique of shared library shimming through a tool called Slimjim. Slimjim targets Pluggable Authentication Modules (PAM) to intercept data, specifically passwords, during authentication processes in systems like OpenSSH. The talk covers the implementation of Slimjim, a demonstration of its capabilities, and discusses the vulnerabilities present in PAM's use of shared libraries. Aimed at academic research, the presentation highlights the importance of security measures in library loading practices to mitigate such risks.
Shared Library Shimming for Password Harvesting
Rodney Thayer
rodney@shmoo.com
Introduction
• ‘Slimjim’ – a shared library shim
• PAM – Pluggable Authentication Modules
• Shared library shimming
• The vulnerability
• The Slimjim code
• Demonstration
• Conclusions
www.shmoo.com/rodney/slimjim.ppt
Disclaimer
• We’re not suggesting you do anything bad with this.
• This is for academic research purposes only.
‘Slimjim’ – a shared library shim
• Takes advantage of shared library technology
• Used to intercept data flowing to PAM
• Can be applied to OpenSSH + PAM
• Extracts passwords
Shared Library Plumbing
Conventional SSH+PAM configuration (diagram): OpenSSH → PAM

Shared Library Plumbing
Exploited SSH+PAM configuration (diagram): OpenSSH → Slimjim → PAM
Slimjim captures function calls across the shared library interface.
PAM
• Pluggable Authentication Modules
• Uses shared libraries to implement access control
• Supports password access and other mechanisms
• Used by many components, including OpenSSH, ‘su’, ‘telnet’, login, …
Shared Library Shimming
(Diagram: a shared library exposing several public functions.)
Well-known public functions are published by the shared library, so the interfaces are known.
Shimming a shared library
• Write a new shared library
• Publish the same interfaces by name
• At initialization, call the old library
• ‘Sift’ the data as it passes through
• Since the interfaces are the same, the calling program won’t know
The Vulnerability
• PAM provides password authentication
• PAM uses shared libraries
• OpenSSH on Linux uses PAM
• OpenSSH doesn’t know which ‘PAM’ it’s using
• No security on library loading.
Slimjim Implementation
• Source code at http://www.shmoo.com/rodney/slimjim.tgz
• Tested with Red Hat 9, OpenSSH 3.6p1, PAM
The Slimjim code
• One file, slimjim.c
• Publishes standard PAM entry points: pam_authenticate, pam_start, pam_get_user, ...
• Note it implements the ‘conversation’ function
PAM Password Exploit
• PAM uses a ‘conversation’ function to pass the username and password from the user to PAM
• The data passes across the public shared library interface
• Therefore, Slimjim sees the password, in the clear
Demonstration
• OpenSSH on port 8022
• Shimmed PAM
• Red Hat 9
Conclusions
• Is this a realistic problem? Yes. Attackers can drop files on a system, as ‘root’.
• How do you prevent this? Use static libraries.
• Are shared libraries a good idea? Maybe not.
• Implement digitally signed shared library loading?
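The slides on the vulnerability (OpenSSH doesn’t know which ‘PAM’ it’s using; no security on library loading) and the Conclusions both point at the same gap: nothing checks which PAM objects a process actually loaded. As an added defender-side example (not code from the talk or from Slimjim), the script below parses /proc/<pid>/maps-style output for a PAM client such as sshd and flags PAM objects loaded from outside the distribution's library directories, missing from a recorded baseline, or whose SHA-256 no longer matches it. The trusted directory list, the sample maps excerpt and the hash values are constructed assumptions.

```python
import hashlib
import os
import re
# Directories a distribution normally loads PAM objects from (assumption for this example).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# /proc/<pid>/maps fields: address perms offset dev inode pathname; keep mapped .so files only.
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(/\S+\.so[.\d]*)$")

def mapped_libraries(maps_text):
    """Unique shared-object paths in /proc/<pid>/maps text, in first-seen order."""
    seen = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)

def sha256_file(path):
    """SHA-256 of a file on disk; the default hasher when auditing a live process."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit_pam_libraries(maps_text, baseline, hasher=sha256_file):
    """Return (path, reason) pairs for PAM objects from an untrusted directory, missing
    from baseline ({path: sha256 hex}), or whose current hash differs from baseline."""
    findings = []
    for path in mapped_libraries(maps_text):
        if "pam" not in os.path.basename(path):
            continue  # libpam itself and pam_*.so modules are what a shim would replace
        if not path.startswith(TRUSTED_DIRS):
            findings.append((path, "loaded from untrusted directory"))
        elif path not in baseline:
            findings.append((path, "not in baseline"))
        elif hasher(path) != baseline[path]:
            findings.append((path, "hash mismatch"))
    return findings

# Constructed sample: a maps excerpt with an extra libpam copy in /tmp, and a
# pam_unix.so whose on-disk hash (SAMPLE_DISK) no longer matches the baseline.
SAMPLE_MAPS = """\
7f1c00000000-7f1c00020000 r-xp 00000000 08:01 131    /lib64/libpam.so.0.77
7f1c00200000-7f1c00210000 r-xp 00000000 08:01 132    /lib64/security/pam_unix.so
7f1c00400000-7f1c00401000 r-xp 00000000 08:01 999    /tmp/libpam.so.0
7f1c00600000-7f1c00700000 r-xp 00000000 08:01 200    /lib64/libc.so.6
"""
SAMPLE_BASELINE = {"/lib64/libpam.so.0.77": "a" * 64, "/lib64/security/pam_unix.so": "b" * 64}
SAMPLE_DISK = {"/lib64/libpam.so.0.77": "a" * 64, "/lib64/security/pam_unix.so": "c" * 64}

def demo():
    # Run the audit over the constructed sample, stubbing file hashing with SAMPLE_DISK.
    return audit_pam_libraries(SAMPLE_MAPS, SAMPLE_BASELINE, hasher=SAMPLE_DISK.__getitem__)
```

On a live host, reading /proc/<pid>/maps for sshd needs root, and the baseline must be kept off-host, since the talk's premise is an attacker who can already drop files as root and could equally rewrite a local baseline.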
Thank You!
Rodney Thayer
rodney@shmoo.com
http://www.shmoo.com/rodney/slimjim.html