backdoor in upstream xz/liblzma leading to ssh server compromise - Andres Freund & Florian Weimer [2024-03-29] https://www.openwall.com/lists/oss-security/2024/03/29/4 (the first discoverer, a Microsoft engineer) (contains a wealth of preliminary technical detail)
XZ Utils backdoor - Lasse Collin https://tukaani.org/xz-backdoor/ (a short statement from Larhzu, the original author of xz)
Everything I Know About the XZ Backdoor - Evan Boehs [2024-03-29] https://boehs.org/node/everything-i-know-about-the-xz-backdoor (replaces safe_fprintf with an unsafe variant fprintf) (traces the whole history of Jia Tan) (185.128.24.163 Singapore/Jia Cheong Tan)
FAQ on the xz-utils backdoor https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 (IFUNC, a mechanism in glibc that allows for indirect function calls) (diff build-to-host.m4)
A third write-up explaining build-to-host.m4 and the bash scripts - Jonathan Schleifer [2024-03-30] https://github.com/Midar/xz-backdoor-documentation/wiki
An overview diagram of the liblzma backdoor - Thomas Roccia (@fr0gger_) https://twitter.com/fr0gger_/status/1774342248437813525
XZ Backdoor: Times, damned times, and scams - Rhea Karty & Simon Henniger [2024-03-30] https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and (looks at the liblzma backdoor from the time-zone angle) (the authors think Jia Tan tried to make people conclude he is Chinese, but consider it more likely that Jia worked in UTC+02/03) (the comments section has dissenting opinions)
Backdoor in XZ Utils allows RCE: everything you need to know - Merav Bar, Amitai Cohen, Danielle Aminov [2024-03-30] https://www.wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils (an opportunistic piece riding the news; clickbait title)
***
CVE-2024-3094 XZ Backdoor: All you need to know - Shachar Menashe, Jonathan Sar Shalom, Brian Moussalli [2024-03-31] https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/ (Timeline of the attack)
The payload hooks the RSA_public_decrypt function, a function originally used for validating RSA signatures. The malicious hook code examines the RSA public modulus ("N" value) passed inside the RSA struct (4th argument of RSA_public_decrypt). Note that this modulus is completely controlled by the connecting SSH client (in our case, the attackers). The malicious hook code decrypts the "N" value with a hardcoded decryption key (using the ChaCha20 symmetric stream cipher). The decrypted data is checked for validity by using the Ed448 elliptic curve signing algorithm. Note that since this is an asymmetric signing algorithm, the backdoor contains only the public (verification) key, ensuring that only the attackers can generate valid payloads for the backdoor. Furthermore, the signature is bound to the host's public key, meaning that a valid signature for one host cannot be reused on a different host. If the data is valid, the payload is executed as a shell command by passing it to system(). If the data is invalid in any way (malformed payload, invalid signature), the original implementation of RSA_public_decrypt is resumed in a transparent manner. This means the detection of vulnerable machines over the network may be impossible for anyone besides the attackers.
The sophisticated nature of this attack and the use of highly future proof crypto algorithms (Ed448 vs the more standard Ed25519) led many to believe that the attack may be a nation-state level cyberattack.
***
It's RCE, not auth bypass, and gated/unreplayable - Filippo Valsorda [2024-03-31] https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). The payload is extracted from the N value (the public key) passed to RSA_public_decrypt, checked against a simple fingerprint, and decrypted with a fixed ChaCha20 key before the Ed448 signature verification. RSA_public_decrypt is a (weirdly named) signature verification function. Why "decrypt"? RSA sig verification is the same op of RSA encryption. The RSA_public_decrypt public key can be attacker-controlled pre-auth by using OpenSSH certificates. OpenSSH certs are weird in that they include the signer's public key. OpenSSH checks the signature on parsing. Here's a script by Keegan Ryan for sending a custom public key in a certificate, which on a backdoored system will reach the hooked function.
Apparently the backdoor reverts back to regular operation if the payload is malformed or the signature from the attacker's key doesn't verify. Unfortunately, this means that unless a bug is found, we can't write a reliable/reusable over-the-network scanner. To clarify, by "gated" I mean it takes the attacker's private key to use the backdoor (it's NOBUS); by "unreplayable" I mean that even if we observe an attack against one host, we can't reuse it against another host (the attacker's signature is bound to the host public key, but not to the command).
***
Information about the liblzma (xz-utils) backdoor - karcherm [2024-03-31] https://github.com/karcherm/xz-malware (Stuff discovered while analyzing the malware hidden in xz-utils 5.6.0 and 5.6.1) (recovered the strings from the .o)
I am a reverse engineer, and tried some static analysis on that code. One key feature is that the code does not contain any ASCII strings, neither in clear text nor in obfuscated form. Instead, it recognizes all relevant strings using one single deterministic finite automaton, a technique commonly used to search for terms given by regular expressions.
I wrote a script that decodes the tables for the table-driven DFA and outputs the strings recognized by it accompanied with the "ID" assigned to the terminal accepting state that represents that string.
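The table-driven recognition described in the excerpt above, as an added sketch that is not code from the linked repository or from the xz object file. The strings, IDs and table layout are constructed for illustration; `decode_strings` shows the analyst side, walking the transition table to recover strings that never appear contiguously in the binary.

```python
# Constructed strings and IDs for illustration; not the xz backdoor's real table.
SAMPLE = {"alpha_init": 0x10, "alpha_exit": 0x18, "beta": 0x20}

def build_tables(words):
    """Compile words into trans[state][byte] -> next state and accept[state] -> ID."""
    trans, accept = [{}], {}
    for word, ident in words.items():
        state = 0
        for b in word.encode():
            if b not in trans[state]:
                trans.append({})
                trans[state][b] = len(trans) - 1
            state = trans[state][b]
        accept[state] = ident
    return trans, accept

def recognize(trans, accept, data):
    """Feed data through the DFA; return the accepting state's ID, else None."""
    state = 0
    for b in data:
        state = trans[state].get(b)
        if state is None:
            return None
    return accept.get(state)

def serialize(trans):
    """Flatten the table to (state, input byte, next state) triples, as it might sit in a binary."""
    return bytes(x for s, row in enumerate(trans) for b, n in row.items() for x in (s, b, n))

def decode_strings(trans, accept):
    """Analyst side: walk every path from state 0 and list (ID, string) pairs.
    Assumes an acyclic table, which holds for a finite set of literal strings."""
    found, stack = [], [(0, b"")]
    while stack:
        state, prefix = stack.pop()
        if state in accept:
            found.append((accept[state], prefix.decode()))
        for b, nxt in trans[state].items():
            stack.append((nxt, prefix + bytes([b])))
    return sorted(found)

if __name__ == "__main__":
    trans, accept = build_tables(SAMPLE)
    print(b"alpha" in serialize(trans))  # no contiguous string for `strings` to find
    for ident, text in decode_strings(trans, accept):
        print(hex(ident), text)
```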
***
XZ Backdoor Analysis and symbol mapping - smx-smx https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 (seriously impressive reverse engineering; explains what the symbols in the 5.6.0 .o actually mean)