Re: Admin rights via backdoors

["Adam Pridgen" <Adam.Pridgen () gmail com>]

Out of boredom and curiosity, I spent the better part of my weekend
writing this little demo program.  It simulates a back door that could
be hidden in an application.  It uses a simple port-knock to figure
out who to connect back too.  The source has directions about how to
run the demo, which is attached.

I think with a little bit more attention the code could actually be
trimmed down and hidden well in an application.  I am not a hard core
programmer on the win32 platform so the code is somewhat bulky and
rough around the edges, but I think it would help eliminate or at
least reduce the idea that user rights of a developer are not required
on the production machine.

Cheers,

Adam

On 3/9/07, Scott Ramsdell <Scott.Ramsdell () cellnet com> wrote:
> Hi WALI,
>
> You can setup a netcat listener on any port and instruct it to execute
> any executable when the port is knocked.  It will of course inherit the
> permissions of the user/service account that launches it.
>
> So, in your specific scenario, the backdoor would contain netcat, open a
> listening port and do whatever when knocked.  It would execute with the
> rights the financial app has (which likely can read and write sensitive
> info).
>
> http://m.nu/program/util/netcat/netcat.html
>
> Check it out, it's pretty cool.
>
> Typically dev and prod environments are separate.  Once the code is
> reviewed and approved, it moves out of dev and into the hands of the
> admins who install it, then care and feed for the app.  Devs generally
> have no rights on prod boxes.
>
> Kind Regards,
> Scott Ramsdell
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of WALI
> Sent: Friday, March 09, 2007 8:02 AM
> To: security-basics () securityfocus com
> Subject: Admin rights via backdoors
>
> Hi Guys
>
> I do understand the risks of seeing open ports on servers using
> nmap/nessus
> but need to demonstrate a concept to my managers, the need for
> segregating
> software developers and production environments, especially pertaining
> to
> an financial application being built in-house.
>
> I maintain that getting admin rights into an application while bypassing
>
> logical access controls flowing down from Active directory or OS level
> is
> trivial for a programmer if he hard codes some backdoor entry ports
> replete
> with usernames and passwords. They disagree that if they have no AD
> rights
> granted on the resource (different AD domains / filers etc), there is no
>
> reason to physically isolate developers from production.
>
> Is my contention conceptually correct? How can I demonstrate this with a
>
> dummy application?

Attachment: SpecialRequest.cpp
Description: