Research Update Enhanced src/linux-hardening/linux-post-expl...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL:
• Blog Title: Research Update Enhanced src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md
• Suggested Section: Research

🎯 Content Summary

Research Update for src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md

This PR contains automated research updates including:

• Latest security vulnerabilities and attack vectors
• Updated techniques and tools
• Enhanced explanations and examples
• Additional references and resources

Generated by: HackTricks Research Agent
Timestamp: 2026-04-13 03:36:41 UTC

Tool usage

• apply_patch: 1
• brave_search: 1
• exec: 28
• search_google_web: 12
• t...

🔧 Technical Details

Research update for HackTricks content

🤖 Agent Actions

I’m reading the current PAM page and nearby Linux post-exploitation docs first, then I’ll branch into recent research sources to identify what’s genuinely missing versus already covered elsewhere.
The page is narrower than expected: it covers classic pam_unix.so trojaning and a small pam_exec persistence note, but it doesn’t cover newer Linux-PAM supply-chain angles, module search-path abuse, or stack-control semantics that matter for backdooring cleanly.
I’ve mapped related HackTricks content. The overlapping material is mostly in linux-post-exploitation/README.md, so I’m keeping this page focused on PAM-specific operator techniques rather than re-explaining generic post-exploitation persistence.
I have enough source material to tighten this page around techniques that are both current and specific to PAM: stack semantics abuse, pam_exec token handling, distro-specific module paths, and the recent “malicious PAM module posing as legit auth” pattern seen in 2025 threat reporting.
I’m editing the PAM page now. The changes will stay compact: one section on stack/path abuse and one section on authselect/recent tradecraft, without bloating the page into a generic Linux persistence article.
The file is updated. I’m doing a final pass now for HackTricks style, technical correctness, and whether the new references are minimal and placed only at the end.
Updated pam-pluggable-authentication-modules.md.

I added PAM-specific material that was missing but still fits the page scope: offensive stack semantics (include, substack, bracketed controls, relative vs absolute module-path), a more accurate pam_exec abuse section with expose_authtok/PAM env details, authselect-aware persistence on RHEL-family systems, and a short note on 2025 PAM backdoor tradecraft (Plague) focused on operator-relevant behavior rather than CVE-style narrative. I also replaced the stale references with two current, more useful ones at the end of the file.

Verification was manual via file review and git diff. markdownlint was not installed in the environment, so I could not run an automated markdown lint pass.

Research URLs used:

• https://man7.org/linux/man-pages/man5/pam.d.5.html
• https://man7.org/linux/man-pages/man8/pam_exec.8.html
• https://raw.githubusercontent.com/linux-pam/linux-pam/master/modules/pam_exec/pam_exec.c
• https://raw.githubusercontent.com/linux-pam/linux-pam/master/modules/pam_unix/pam_unix_auth.c
• https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/
• https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
• https://www.nextron-systems.com/wp-json/wp/v2/posts/28773
• https://asec.ahnlab.com/en/89557/
• https://wiki.archlinux.org/title/PAM
• https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel
• https://pamtester.sourceforge.net/
• https://github.com/Aegrah/PANIX/raw/main/modules/setup_pam.sh

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post:

Content Categories: Based on the analysis, this content was categorized under "Research".

Repository Maintenance:

• MD Files Formatting: 972 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0