Does your sslkeylog.so work on that same host with the openssl test? I
noticed you're using ansible, so I'm curious if you're compiling on
some other host that could have different versions of the openssl-dev
stuff. Other things could be file or path permissions, or maybe a
security tool blocking it (would auditd do that?).
At this point I'd reach out to their support.
On Tue, Mar 5, 2024 at 10:24 PM Joel Serrano <joel(a)textplus.com> wrote:
Hi Calvin,
Thanks for the tip on capturing on the LO interface; I'm sure you just saved me some
headaches ;)
Interestingly, when I check the environ I do see the env vars being set, but in the maps I
don't see the keylogger:
root@csbc03:~# cat /proc/2216899/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=fb5d2818a5434319ab2381262737dcffJOURNAL_STREAM=8:1642042024RUNTIME_DIRECTORY=/run/kamailioCFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32SSLKEYLOG_UDP=10.2.1.19:1234LD_PRELOAD=/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/lib/x86_64-linux-gnu/libssl.so.1.1RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yes
root@csbc03:~#
root@csbc03:~# fgrep ssl /proc/2216899/maps
7f1ceef99000-7f1ceefb6000 r--p 00000000 08:06 266231
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1ceefb6000-7f1cef004000 r-xp 0001d000 08:06 266231
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef004000-7f1cef01e000 r--p 0006b000 08:06 266231
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef01e000-7f1cef01f000 ---p 00085000 08:06 266231
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef01f000-7f1cef028000 r--p 00085000 08:06 266231
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef028000-7f1cef02c000 rw-p 0008e000 08:06 266231
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
root@csbc03:~#
This is on a Debian 10 box. I have another box for testing on Debian 12; I set the exact
same config as you and I still don't see the keylogger being loaded:
root@csbc01:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
root@csbc01:~#
root@csbc01:~# cat /etc/default/kamailio.d/voipmonitor
# ANSIBLE_MANAGED_FILE - Do NOT edit this file as it is auto-generated by Ansible.
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/lib/x86_64-linux-gnu/libssl.so.3"
root@csbc01:~#
root@csbc01:~# file /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so: ELF 64-bit LSB shared
object, x86-64, version 1 (SYSV), dynamically linked,
BuildID[sha1]=f1a884cad7648cc38a579b1d00a9ad523297b78c, with debug_info, not stripped
root@csbc01:~#
root@csbc01:~# file /usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libssl.so.3: ELF 64-bit LSB shared object, x86-64, version 1
(SYSV), dynamically linked, BuildID[sha1]=dd6b0615fc5d03f9c698d6d0c9d2da1b1e8f2d24,
stripped
root@csbc01:~#
root@csbc01:~# cat /proc/181454/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=059a5e15f1bb4e2bae17c0b5ec9c731eJOURNAL_STREAM=8:2661302RUNTIME_DIRECTORY=/run/kamailioSYSTEMD_EXEC_PID=181394CFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yesSSLKEYLOG_UDP=127.0.0.1:1234LD_PRELOAD=/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/lib/x86_64-linux-gnu/libssl.so.3
root@csbc01:~#
root@csbc01:~# fgrep ssl /proc/181454/maps
7f0c537b6000-7f0c537d5000 r--p 00000000 08:01 3674382
/usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c537d5000-7f0c53833000 r-xp 0001f000 08:01 3674382
/usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c53833000-7f0c53852000 r--p 0007d000 08:01 3674382
/usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c53852000-7f0c5385c000 r--p 0009c000 08:01 3674382
/usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c5385c000-7f0c53860000 rw-p 000a6000 08:01 3674382
/usr/lib/x86_64-linux-gnu/libssl.so.3
root@csbc01:~#
Any other ideas about what I might be missing?
On Tue, Mar 5, 2024 at 2:30 PM Calvin E. <calvine(a)gmail.com> wrote:
>
> Make sure you are preloading the correct OpenSSL library. On my Debian
> 12 box it is libssl.so.3 not libssl.so.1.1. You can confirm which is
> loaded by checking the "maps" of a running proc:
>
> $ sudo fgrep ssl /proc/2951676/maps
> 7f26647a4000-7f26647c3000 r--p 00000000 08:01 131274
> /usr/lib/x86_64-linux-gnu/libssl.so.3
> 7f26647c3000-7f2664821000 r-xp 0001f000 08:01 131274
> /usr/lib/x86_64-linux-gnu/libssl.so.3
> 7f2664821000-7f2664840000 r--p 0007d000 08:01 131274
> /usr/lib/x86_64-linux-gnu/libssl.so.3
> 7f2664840000-7f266484a000 r--p 0009c000 08:01 131274
> /usr/lib/x86_64-linux-gnu/libssl.so.3
> 7f266484a000-7f266484e000 rw-p 000a6000 08:01 131274
> /usr/lib/x86_64-linux-gnu/libssl.so.3
> 7f266484e000-7f266484f000 r--p 00000000 08:01 154916
> /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
> 7f266484f000-7f2664850000 r-xp 00001000 08:01 154916
> /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
> 7f2664850000-7f2664851000 r--p 00002000 08:01 154916
> /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
> 7f2664851000-7f2664852000 r--p 00002000 08:01 154916
> /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
> 7f2664852000-7f2664853000 rw-p 00003000 08:01 154916
> /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>
> My systemd /lib/systemd/system/kamailio.service has a line
> "EnvironmentFile=-/etc/default/kamailio.d/*" so I dropped a file
> there:
>
> $ cat /etc/default/kamailio.d/voipmonitor
> SSLKEYLOG_UDP='127.0.0.1:1234'
> LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
> /usr/lib/x86_64-linux-gnu/libssl.so.3"
>
> In my environment we're using "packetbuffer_sender = yes" to copy all
> packets to a central processor. I'm sending the keys to localhost so
> they can get picked up by the sniffer instead of sending them
> separately to the central processor. For this to work, the sniffer
> also must capture the "lo" interface.
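A small diagnostic, added here as an example (not from the thread, and not voipmonitor's own tooling), that automates the comparison Joel did by hand above: it reads a process's LD_PRELOAD from /proc/PID/environ and reports which of those libraries actually appear in /proc/PID/maps. The embedded environ/maps sample and the /opt/example/sslkeylog.so path are constructed to reproduce the "set but not loaded" symptom.

```python
"""Is every library in a process's LD_PRELOAD actually mapped? (/proc/PID/environ vs maps)"""
import sys

def parse_environ(raw: bytes) -> dict:
    """environ is NUL-separated (hence `cat` runs the variables together);
    split on NUL, then on the first '='."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, val = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env

def preload_entries(ld_preload: str) -> list:
    """ld.so accepts space- or colon-separated entries in LD_PRELOAD."""
    return ld_preload.replace(":", " ").split()

def mapped_paths(maps_text: str) -> set:
    """Field 6 of a maps line is the backing file; anonymous maps have none."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].strip())
    return paths

def check_preload(environ_raw: bytes, maps_text: str) -> dict:
    """Map each LD_PRELOAD path to True if it is mapped, False if the variable
    is set but the loader never mapped the library (the thread's symptom)."""
    env = parse_environ(environ_raw)
    mapped = mapped_paths(maps_text)
    return {p: p in mapped for p in preload_entries(env.get("LD_PRELOAD", ""))}

# Constructed sample mirroring the symptom: LD_PRELOAD names the keylogger
# (hypothetical path) and libssl, but only libssl shows up in maps.
SAMPLE_ENVIRON = (b"USER=kamailio\0SSLKEYLOG_UDP=127.0.0.1:1234\0LD_PRELOAD="
                  b"/opt/example/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3\0")
SAMPLE_MAPS = ("7f0c537b6000-7f0c537d5000 r--p 00000000 08:01 3674382 "
               "/usr/lib/x86_64-linux-gnu/libssl.so.3\n"
               "7f0c53860000-7f0c53870000 rw-p 00000000 00:00 0\n")

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: check_preload.py <pid> (needs read access to /proc/<pid>)
        environ_raw = open(f"/proc/{sys.argv[1]}/environ", "rb").read()
        maps_text = open(f"/proc/{sys.argv[1]}/maps").read()
    else:
        environ_raw, maps_text = SAMPLE_ENVIRON, SAMPLE_MAPS
    for path, ok in check_preload(environ_raw, maps_text).items():
        print(("mapped     " if ok else "NOT MAPPED ") + path)
```

Run without arguments it prints the constructed case; with a PID it inspects a live process, which needs the same privileges as reading that process's /proc entries (root for the kamailio worker above).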