A newly documented Linux backdoor technique, which Group-IB calls "PamDOORa," abuses the flexibility of Pluggable Authentication Modules (PAM) to capture SSH login data quietly and to keep persistence on compromised systems. It needs no software vulnerability: an attacker who can write to one PAM configuration file gets a hook that runs on every SSH authentication attempt, which is why it concerns administrators of internet-facing Linux hosts in particular.
Since Linus Torvalds released the first kernel in 1991, Linux has been built around simplicity, modularity, and flexibility. Administrators can replace or extend components ranging from networking and authentication to system management and security controls. That modularity underpins Linux's reputation as a secure and widely deployed operating system, but it cuts both ways: any component a legitimate administrator can reconfigure can be reconfigured by an attacker who obtains the same privileges.
Group-IB's Digital Forensics and Incident Response (DFIR) team uncovered a technique that leverages PAM's modular framework, specifically the pam_exec module, to run attacker-supplied code during authentication. PAM sits between applications such as sshd, login, passwd, and su and the actual authentication logic, so that access policy is configured centrally in /etc/pam.d rather than coded into each application.
PAM defines four module types, or management groups: auth, account, password, and session. Each line in a stack carries a control flag (required, requisite, sufficient, or optional, with a bracketed [value=action] form for finer control) that determines how that module's result contributes to the outcome of the whole stack. The flexibility has a cost: every module in the auth stack is handed the authentication token the application collected, normally the plaintext password, and PAM does nothing to stop a module from copying it. pam_exec's documented expose_authtok option goes a step further and writes that password to the external program's standard input.
Applications such as su, passwd, login, gdm, sshd, and ftpd rely on PAM to verify who a user is and whether that user may access a resource. An attacker who can edit the PAM configuration, which requires root, can therefore insert a module or script that intercepts credentials or opens a hidden backdoor, and every application that uses the modified stack will run it.
pam_exec runs an external command at a given point in a stack, a facility administrators use legitimately, for instance to raise an alert after a password change. The same facility is the backdoor: one added line in a PAM configuration file, in this case /etc/pam.d/sshd, makes the system execute a hidden script during SSH authentication.
In the attack Group-IB calls "PamDOORa," the script invoked by pam_exec runs on every SSH login attempt. It records the username, a timestamp, and the variables pam_exec exports to its child process (PAM_USER, PAM_RHOST, PAM_SERVICE, and related ones such as PAM_TYPE and PAM_TTY), then sends the data to a remote command-and-control server with a tool such as netcat (nc) over a predetermined port.
The added line uses the optional control flag, so the script's exit status has no effect on whether the login succeeds or fails, and a broken or missing script locks nobody out. Placed ahead of the module that checks the password, the entry runs on every attempt, failed ones included, and the only thing that reaches the system logs is sshd's ordinary "Failed password" record. pam_exec itself logs only when the command exits non-zero, and its quiet option suppresses even that, so the exfiltration leaves no direct trace on the host and forensic work has to start from the configuration file rather than from the logs. Two caveats for investigators: sshd runs the PAM auth stack only for password and keyboard-interactive authentication, so public-key logins bypass an auth-stack hook (the account and session stacks still run, and a pam_exec entry placed there would still see PAM_USER and PAM_RHOST); and the script's outbound connection is visible on the network even when it is invisible in the host's logs.
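The control-flag rules above and the claim that failed attempts still trigger the hook can be checked without touching a live PAM stack. The following shell script is an added example, not code from the article or from Group-IB: it reads lines in the same form as /etc/pam.d/* and applies Linux-PAM's definition of the four simple keywords, with the caller deciding which modules fail. The sshd stacks and the script path /usr/local/lib/.cache/helper.sh are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from Group-IB. A small
# simulator of Linux-PAM's four simple control flags: it reads lines in
# the same "type control module args" form as /etc/pam.d/* but runs no
# real modules. The caller says which modules fail; the function prints
# which modules executed and what the stack as a whole returned.

# Constructed sshd auth stack in the shape the article describes: a
# pam_exec entry added ahead of the password check with the "optional"
# flag (the script path is an assumption), followed by the classic
# RHEL-style system-auth entries.
BACKDOORED_SSHD='
auth optional   pam_exec.so quiet /usr/local/lib/.cache/helper.sh
auth required   pam_env.so
auth sufficient pam_unix.so nullok
auth required   pam_deny.so
'

# Constructed contrast: the same hook placed after a requisite password
# check, where it no longer runs on failed attempts.
LATE_HOOK_SSHD='
auth requisite  pam_unix.so nullok
auth optional   pam_exec.so quiet /usr/local/lib/.cache/helper.sh
auth required   pam_permit.so
'

# simulate_stack TYPE FAILING CONFIG
#   TYPE     management group to evaluate: auth, account, password, session
#   FAILING  space-separated module names that return failure; every
#            other module succeeds, except pam_deny.so, which always fails
#   CONFIG   PAM configuration text
# Prints "ran MODULE (CONTROL) -> RESULT" for each module that executed,
# then "RESULT: success|fail" for the whole stack.
simulate_stack() {
  local want_type=$1 failing=$2 config=$3
  local status=unset line type control module outcome action
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    set -f; set -- $line; set +f      # split fields without glob expansion
    [ $# -ge 3 ] || continue
    type=$1; control=$2; module=$3
    [ "$type" = "$want_type" ] || continue
    outcome=success
    case " $failing " in *" $module "*) outcome=fail ;; esac
    case $module in pam_deny.so) outcome=fail ;; esac
    echo "ran $module ($control) -> $outcome"
    # Linux-PAM defines the keywords as:
    #   required   = [success=ok   default=bad]
    #   requisite  = [success=ok   default=die]
    #   sufficient = [success=done default=ignore]
    #   optional   = [success=ok   default=ignore]
    case "$control:$outcome" in
      required:success|requisite:success|optional:success) action=ok ;;
      required:fail)       action=bad ;;
      requisite:fail)      action=die ;;
      sufficient:success)  action=done ;;
      sufficient:fail|optional:fail) action=ignore ;;
      *) echo "unsupported control flag: $control" >&2; return 2 ;;
    esac
    case $action in
      ok)     if [ "$status" = unset ]; then status=success; fi ;;        # first success sets the result
      bad)    status=fail ;;                                              # remember the failure, keep going
      die)    status=fail; break ;;                                       # fail and stop now
      done)   if [ "$status" != fail ]; then status=success; break; fi ;; # succeed and stop now
      ignore) ;;                                                          # result does not count
    esac
  done <<EOF
$config
EOF
  if [ "$status" = unset ]; then status=fail; fi
  echo "RESULT: $status"
}

# Demonstration: a wrong password still runs the hook (first call); a
# hook that fails or is missing still lets a correct password through
# (second call); after a requisite check the hook never sees failed
# attempts (third call).
simulate_stack auth "pam_unix.so" "$BACKDOORED_SSHD"
simulate_stack auth "pam_exec.so" "$BACKDOORED_SSHD"
simulate_stack auth "pam_unix.so" "$LATE_HOOK_SSHD"
```

The first call shows pam_exec executing before pam_unix rejects the password and the stack still ending in failure, which is exactly the "failed login, silent collection" pattern the article describes; the second shows why optional makes the hook safe for the attacker to deploy; the third shows that placement, not the flag, decides whether failed attempts reach the hook.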
In practice, a compromised host shows nothing more than a run of failed SSH logins in its logs, while each of those attempts has already fed the harvester in the background. A legitimate Linux feature becomes a persistent, covert collection point, and monitoring that looks for malicious binaries has nothing to match against: the only new artefacts are a configuration line and a shell script.
Organizations running Linux servers, above all those reachable from the internet, need to look for this proactively: audit the files under /etc/pam.d/ on a schedule, alert on any change to them, restrict which paths may be executed from PAM hooks, and put the PAM configuration under file integrity monitoring. On package-managed systems the distribution's own verification (dpkg --verify or rpm -V) also reports a modified /etc/pam.d/sshd, since the stock file is shipped by the SSH server package.
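The audit step can be scripted. The shell function below is an added example, not Group-IB's or any distribution's tooling: it walks a PAM configuration directory, parses every pam_exec entry, and flags the properties the article associates with the backdoor (auth-stack placement, expose_authtok, a hidden or unusual program path, a missing or world-writable program). The list of directories treated as normal for administrator hooks, and the sample directory built under mktemp so the script runs offline, are both assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from Group-IB. Audits a
# PAM configuration directory for pam_exec entries and flags the
# properties the article associates with the backdoor. ALLOWED_DIRS and
# the constructed sample directory below are assumptions, not a standard.

# Directories from which an administrator's PAM hooks are expected to run.
ALLOWED_DIRS="/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/lib /etc"

# audit_pam_exec [DIR]
# Prints "FILE:TYPE:CONTROL:PROGRAM:FLAGS" for every pam_exec entry under
# DIR (default /etc/pam.d). FLAGS is "-" or a comma-separated list of:
#   auth-stack      entry is in the auth stack, so it runs on password
#                   attempts, failed ones included if it precedes pam_unix
#   expose_authtok  the cleartext password is written to the program's stdin
#   hidden          a path component of the program starts with a dot
#   unusual-path    program is outside ALLOWED_DIRS
#   missing         program does not exist on this host
#   world-writable  program exists and anyone can modify it
# "optional" appears in the CONTROL column but is not flagged on its own,
# because legitimate hooks commonly use it too.
# Returns 1 if any entry carries at least one flag, otherwise 0.
audit_pam_exec() {
  local dir=${1:-/etc/pam.d} findings=0 file entries line flags a d ok
  local type control module prog
  for file in "$dir"/*; do
    [ -f "$file" ] || continue
    entries=$(grep -v '^[[:space:]]*#' "$file" | grep 'pam_exec\.so' || true)
    [ -n "$entries" ] || continue
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      set -f; set -- $line; set +f          # split fields, no glob expansion
      [ $# -ge 3 ] || continue
      type=$1; control=$2; shift 2
      # A bracketed control such as [success=1 default=ignore] spans words.
      case $control in
        '['*) while [ $# -gt 0 ]; do
                case $control in *']') break ;; esac
                control="$control $1"; shift
              done ;;
      esac
      module=$1; shift
      [ "$module" = pam_exec.so ] || continue
      flags=
      case $type in auth) flags="$flags,auth-stack" ;; esac
      # pam_exec options precede the program; the first other word is it.
      prog=
      for a in "$@"; do
        case $a in
          expose_authtok) flags="$flags,expose_authtok" ;;
          debug|seteuid|quiet|quiet_log|stdout|log=*|type=*) ;;
          *) prog=$a; break ;;
        esac
      done
      case $prog in */.*) flags="$flags,hidden" ;; esac
      ok=0
      for d in $ALLOWED_DIRS; do
        case $prog in "$d"/*) ok=1 ;; esac
      done
      if [ "$ok" = 0 ]; then flags="$flags,unusual-path"; fi
      if [ ! -e "$prog" ]; then
        flags="$flags,missing"
      else
        # Ninth character of ls -ld output is the "others" write bit.
        case $(ls -ld "$prog") in ????????w*) flags="$flags,world-writable" ;; esac
      fi
      flags=${flags#,}
      echo "$(basename "$file"):$type:$control:$prog:${flags:--}"
      if [ -n "$flags" ]; then findings=1; fi
    done <<EOF
$entries
EOF
  done
  return $findings
}

# Constructed sample directory (an assumption, not a real host): a
# legitimate password-change hook in the style of the pam_exec manual's
# NIS example, plus a backdoor entry of the shape the article describes,
# placed ahead of the password check in the sshd auth stack.
make_sample_pamd() {
  local dir
  dir=$(mktemp -d)
  cat >"$dir/passwd" <<'EOF'
password required pam_unix.so sha512 shadow
password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
EOF
  cat >"$dir/sshd" <<'EOF'
# backdoor line: optional, in the auth stack, before pam_unix, hidden path
auth optional   pam_exec.so quiet expose_authtok /usr/local/lib/.cache/helper.sh
auth required   pam_env.so
auth sufficient pam_unix.so nullok
auth required   pam_deny.so
session required pam_unix.so
EOF
  echo "$dir"
}

# Demonstration against the sample; on a real host run: audit_pam_exec /etc/pam.d
sample=$(make_sample_pamd)
audit_pam_exec "$sample" || echo "suspicious pam_exec entry found under $sample"
rm -rf "$sample"
```

Run it as root against /etc/pam.d from cron or a configuration-management check and treat a non-zero exit as an incident to triage, not as a definitive verdict: a hook in /usr/local/sbin with a clean path can still be malicious, so the output is a worklist for the integrity check (package verification, file hashes, ownership) rather than a replacement for it.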
Beyond that, stricter logging (including process execution auditing with auditd, which records a shell or nc spawned from sshd's PAM stack even when PAM itself logs nothing), endpoint detection, and mandatory access control through SELinux or AppArmor all reduce both the chance of an unauthorized modification and the attacker's freedom once a hook is in place. As Linux keeps gaining ground in enterprise and cloud environments, PamDOORa is a reminder that a trusted framework becomes an attack surface the moment its configuration is no longer trusted.
Guarding against this class of threat is less a matter of new tooling than of discipline: know what the authentication configuration should look like, verify regularly that it still does, and treat any deviation as an incident until proven otherwise.

