How to Hide a Root User (activity) in Linux

The other day I was in a discussion regarding user accounts and zero width spaces. We were talking about how it is possible to hide data inside of a zero width space, because the space between characters is itself a character as well. That led to the question: could we hide characters in a user name? Could a person create an account that to the naked eye looks like root, but when the hidden characters are revealed the truth is that you have multiple "root" accounts?

What we learned was scary and should make every sys admin think about what they are reading in their logs. If I am root and I see a task completed by root in a log, but I have no recollection of doing that task, I should do some digging and make sure that I have no secret root accounts on my machine.

Normal method of adding a user.

In the above image we can see I added a user "testUser." This is the normal process with no bells or whistles.

I deleted testUser and added it again, but this time with root privileges. Observe the differences between a root user and a regular user (lines 3 and 6).

For comparison (above) I also show the existing root user.  Oopsie! I have two users with the same UID!

The next part is where the magic happens. Using Unicode I can create a user that looks exactly like another user but is different, because I am using the Unicode "Zero Width" special character. The extra Unicode is enough information for the OS to differentiate the two users, but you and I can't actually see a visible difference.

Take a look at this picture below.

lines 1-2: I show current "testUser" on system

line 3: I add the user like I did previously; the only difference (sadly you can't see it) is that I add a zero width Unicode character at the end (ctrl + shift + u --> 200B)

lines 4-6: I show the /etc/passwd file with the two users. They look the same!! (FYI I technically have three accounts on my system with a UID of 0 <-- Bad)

In the next picture I switch to my zero width user.

So obviously if you are an admin and you have some automation set up to check /etc/passwd regularly, then you will likely catch this. Hopefully you have some OS hardening set up to prevent this from happening in the first place. The danger here is that I made a user that looks exactly like another user. You cannot visibly tell the difference between the two. I could do what I want on this OS masquerading as a local user, and the logs would all look legit.
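The automated /etc/passwd check mentioned above, written out as an added example (this is not code from the original post). It parses passwd-format lines and reports three things: more than one account with UID 0, any login name containing a non-ASCII or invisible code point, and distinct names that collapse to the same visible string once invisible characters are stripped. The sample lines are constructed for this example, with the third entry's name ending in U+200B exactly as described in the post; when run as a script it reads a real file instead (default /etc/passwd).

```python
"""Audit a passwd file for extra UID 0 accounts and look-alike user names."""
import sys
import unicodedata

# Constructed sample in /etc/passwd format (not taken from a real system).
# The third entry's name ends in U+200B (ZERO WIDTH SPACE), so it prints
# exactly like "root".
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "testUser:x:1001:1001::/home/testUser:/bin/bash\n"
    "root\u200b:x:0:0::/home/root2:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)


def is_invisible(ch):
    """True for Unicode format (Cf) and control (Cc) characters; zero width
    space, zero width joiner/non-joiner and the BOM are all category Cf."""
    return unicodedata.category(ch) in ("Cf", "Cc")


def visible_name(name):
    """The name as a human sees it: invisible code points removed."""
    return "".join(ch for ch in name if not is_invisible(ch))


def escape(name):
    """Make hidden code points show up in reports, e.g. root\\u200b."""
    return name.encode("unicode_escape").decode("ascii")


def parse_passwd(text):
    """Parse passwd-format text into (name, uid) pairs, skipping bad lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line: do not guess
        entries.append((fields[0], int(fields[2])))
    return entries


def audit_passwd(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    entries = parse_passwd(text)

    # 1. More than one account with UID 0 is root by another name.
    uid0 = [name for name, uid in entries if uid == 0]
    if len(uid0) > 1:
        findings.append(("multiple_uid0", [escape(n) for n in uid0]))

    # 2. Any non-ASCII or invisible code point in a login name.
    by_visible = {}
    for name, _ in entries:
        if not name.isascii() or any(is_invisible(ch) for ch in name):
            findings.append(("non_ascii_name", escape(name)))
        by_visible.setdefault(visible_name(name), []).append(name)

    # 3. Two distinct names that collapse to the same visible string.
    for vis, names in by_visible.items():
        if len(names) > 1:
            findings.append(("lookalike_names", vis, [escape(n) for n in names]))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        for finding in audit_passwd(fh.read()):
            print(*finding)
```

Reporting the escaped form matters: if the alert says `root` it looks like a false positive, whereas `root\u200b` tells the reader exactly what is wrong. Run it from cron or your configuration-management tool and alert on any non-empty result; a clean run does not prove the box is clean, but it does catch the exact trick shown in this post, and the same comparison can be applied to /etc/shadow, /etc/group and sudoers entries.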

Thanks everyone!

Andrew Campbell



