New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
Briefly

"The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH. Allegedly this would remain persistent on Linux systems (x86_64)."
"PamDOORa is the second Linux backdoor targeting the PAM stack after Plague. PAM is a security framework in Unix/Linux operating systems that grants system administrators the ability to incorporate multiple authentication mechanisms or update them (e.g., switching from passwords to biometrics) into an existing system through the use of pluggable modules without the need for rewriting existing applications."
"Because PAM modules typically run with root privileges, a compromised, misconfigured, or malicious module can introduce significant security risks and open the door to credential harvesting and unauthorized access."
"Despite its strengths, the Pluggable Authentication Module's (PAM) modularity introduces risks, as malicious modifications to PAM modules can create backdoors or steal user credentials, especially since PAM does not store passwords but transmits values in plaintext, Group-IB noted in September 2024."
PamDOORa is a Linux backdoor advertised for sale on a Russian cybercrime forum. It functions as a Pluggable Authentication Module post-exploitation toolkit that provides persistent OpenSSH authentication. Access is enabled through a magic password combined with a specific TCP port. The backdoor can harvest credentials from legitimate users who authenticate through the compromised system. It targets the PAM authentication framework, which allows administrators to add or update authentication mechanisms via pluggable modules without rewriting applications. Because PAM modules typically run with root privileges, malicious or misconfigured modules can introduce backdoors and enable credential theft. PAM does not store passwords, but transmits authentication values in plaintext, increasing exposure risk. The pam_exec module can be abused by injecting malicious scripts into PAM configuration files to gain unauthorized access or persistent control.
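Because the abuse described above relies on adding or swapping entries in PAM configuration files, a defender's first check is an audit of what those files actually load. The following is an added example, not code from The Hacker News or Group-IB: it parses lines in the `/etc/pam.d` format and flags two things a PAM-based backdoor would tend to leave behind, a `pam_exec.so` entry (which runs an external program during authentication) and a module loaded from a path outside the distribution's module directory. The sample configuration is constructed for the example, and the list of trusted module directories is an assumption to be adjusted per distribution.

```python
"""Audit PAM configuration text for entries worth a defender's review.

Added example, not from the article or the tool it describes. Flags
pam_exec.so invocations and modules loaded from non-standard paths.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: directories where distribution-packaged PAM modules live.
# Adjust for the distribution being audited.
TRUSTED_MODULE_DIRS = (
    "/lib/security/",
    "/lib64/security/",
    "/lib/x86_64-linux-gnu/security/",
    "/usr/lib64/security/",
    "/usr/lib/x86_64-linux-gnu/security/",
)

# One pam.d line: optional '-' prefix (ignore a missing module), module type,
# control field (a keyword or a bracketed '[...]' expression), module, args.
_LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def parse_pam_line(line: str) -> Optional[Tuple[str, str, str, List[str]]]:
    """Return (type, control, module, args) for one line, or None for
    blank and comment lines. '@include' lines are returned with type
    '@include' and the included file name in the module slot."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@include"):
        parts = stripped.split(None, 1)
        return ("@include", "", parts[1] if len(parts) > 1 else "", [])
    m = _LINE_RE.match(stripped)
    if not m:
        return None
    mtype, control, module, rest = m.groups()
    return (mtype, control, module, rest.split())


def audit_pam_config(text: str) -> List[Dict]:
    """Scan configuration text and return a finding per suspicious line."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(line)
        if parsed is None or parsed[0] == "@include":
            continue
        mtype, _control, module, args = parsed
        basename = module.rsplit("/", 1)[-1]
        if basename == "pam_exec.so":
            findings.append({
                "line": lineno,
                "reason": f"pam_exec runs an external program during {mtype}",
                "module": module,
                "args": args,
            })
        # A bare module name resolves inside the standard directory; an
        # explicit path anywhere else deserves a look.
        if "/" in module and not module.startswith(TRUSTED_MODULE_DIRS):
            findings.append({
                "line": lineno,
                "reason": "module loaded from non-standard path",
                "module": module,
                "args": args,
            })
    return findings


# Constructed sample, loosely modelled on a Debian-style /etc/pam.d/sshd.
SAMPLE_SSHD_PAM = """\
# constructed sample for the audit example
@include common-auth
auth    [success=1 default=ignore] pam_unix.so nullok
auth    required   pam_deny.so
auth    optional   /usr/local/lib/pam_helper.so
session optional   pam_exec.so seteuid /usr/local/bin/session-hook.sh
account required   pam_nologin.so
"""

if __name__ == "__main__":
    for f in audit_pam_config(SAMPLE_SSHD_PAM):
        print(f"line {f['line']}: {f['reason']} ({f['module']} {' '.join(f['args'])})")
```

Running this over the sample reports the helper module loaded from `/usr/local/lib` and the `pam_exec.so` session hook; a real audit would feed it every file under `/etc/pam.d` and compare the results against a known-good baseline, since legitimate configurations also use `pam_exec` and vendor modules.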
Read at The Hacker News