Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 17 Apr 2024 00:59:00 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Hi,

This is an update on some developments in the recent 2 weeks.

OpenSSH
=======

For upstream OpenSSH, Damien Miller and others have implemented systemd
notifications without reliance on libsystemd:

Bug 2641 - Add systemd notify code to to track running server
https://bugzilla.mindrot.org/show_bug.cgi?id=2641

"Committed as 08f579231cd38 and will be in OpenSSH-9.8, due around
June/July."

In response to Andres Freund's proposal, Damien also implemented a patch
to reduce OpenSSH's attack surface:

Bug 3675 - CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

not yet committed?

systemd
=======

Upstream systemd's libsystemd has been modified to dlopen() many of its
dependency libraries on demand:

Reduce dependencies of libsystemd #32028
https://github.com/systemd/systemd/issues/32028

The issue above is fixed by pull requests "gcrypt: dlopenify for
libsystemd #32019", "Dynamically load compression libraries #31550",
"man: document that using sd_journal APIs might cause dlopen to happen
and add self-contained notify protocol example #32030", and other
related fix-ups.

xz backdoor analysis
====================

More findings were made about the backdoor's functionality, notably as
published on April 6 by blasty, who discovered that besides triggering
system() the backdoor also allows interactive sessions:

https://twitter.com/bl4sty/status/1776691497506623562

> the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able
> to trigger some harder to reach functionality of the backdoor. there's
> still more to explore.. 1/n
> Image
> it requires sending a properly crafted command to the RSA_public_decrypt
> hook, which will then install another for the `mm_answer_keyallowed`
> sshd function. subsequently you offer N more fake ssh-rsa pubkeys which
> are crafted in a special way to chunk together .. 2/n
> a "magic buffer" which contains more backdoor commands, this buffer also
> has two additional ed448 signatures. which like the ones for the
> RSA_public_decrypt portion of the backdoor are salted with the SHA256
> digest of the hostkey
> the final signature also takes into account the session_id (0x20 bytes)
> that is derived during the initial key exchange (KEX) for the SSH
> session. my current PoC implementation uses a heavily monkey patched
> paramiko (ssh client) library to achieve this
> currently I'm just triggering command 0x03 in this part of the code,
> which allows for a basic RCE through system() again. (also lets you set
> uid/gid). but there's more code that needs to be understood. it looks
> like a full auth bypass (interactive session) is possible!
> (that conclusion is based on the fact that one of the
> mm_answer_keyallowed backdoor commands also hooks mm_answer_keyverify,
> eventually)
> whoever designed this stuff had to take a deep dive into openSSH(d)
> internals (and so did I for the past couple of days, oof) .. hats off,
> once again :)
> auth bypass confirmed!
> 
> > INFO:paramiko.transport:Authentication (password) successful!
> 
> mm_keyallowed_backdoor cmd 1 allows to override the response for
> mm_answer_authpassword with a custom one. if you set it to { u32(9),
> u8(13), u32(1), u32(0) } you can login with any pass

blasty also implemented a "simple SSH Agent that implements some of the
XZ sshd backdoor functionality":

https://github.com/blasty/JiaTansSSHAgent

On Sun, Mar 31, 2024 at 10:25:02PM +0200, Solar Designer wrote:
> There's further analysis of the binary payload here:
> 
> https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
> 
> I've attached the gist .md file above (as of "Revisions 52") to this
> message, but it's ongoing analysis as seen in the comments.

Updates of smx-smx's gist above have stopped at revision 60, which I'm
attaching here for archival.  Not a lot was added since revision 52.

smx-smx also maintains xzre "that is linked against the malicious object
file in order to instrument and call into the malware code, particularly
the x64 disassembler":

https://github.com/smx-smx/xzre

and yes, there's a specialized disassembler inside the backdoor code.

The friends at Binarly have produced a later but very detailed analysis,
which I'm also attaching the main .md file of:

https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor

Other related repos with tools include:

xzbot "notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)"
https://github.com/amlweems/xzbot

xz-min "Minimal setup to trigger the xz backdoor"
https://github.com/felipec/xz-min

Timeline
========

In an otherwise inappropriate rejected posting, Steffen Nurpmeso wrote:

> Russ Cox had a writeup on this https://research.swtch.com/xz-timeline

which is a good presentation of the attack timeline, with references to
sources and analyses by others.

(The beginning of this oss-security thread until April 1st inclusive
went through in its entirety - nothing rejected - but I did reject a few
postings on April 2nd and on.)

OpenJS Foundation "Failed Credible Takeover Attempt"
====================================================

On April 15, the OpenJS and OpenSSF foundations released the following:

https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

I'll quote an excerpt:

> The OpenJS Foundation Cross Project Council received a suspicious series
> of emails with similar messages, bearing different names and overlapping
> GitHub-associated emails. These emails implored OpenJS to take action to
> update one of its popular JavaScript projects to "address any critical
> vulnerabilities," yet cited no specifics. The email author(s) wanted
> OpenJS to designate them as a new maintainer of the project despite
> having little prior involvement. This approach bears strong resemblance
> to the manner in which "Jia Tan" positioned themselves in the XZ/liblzma
> backdoor.
> 
> None of these individuals have been given privileged access to the
> OpenJS-hosted project. The project has security policies in place,
> including those outlined by the Foundation's security working group.
> 
> The OpenJS team also recognized a similar suspicious pattern in two
> other popular JavaScript projects not hosted by its Foundation, and
> immediately flagged the potential security concerns to respective OpenJS
> leaders, and the Cybersecurity and Infrastructure Security Agency (CISA)
> within the United States Department of Homeland Security (DHS).

Alexander

View attachment "smx-smx-xz-backdoor_analysis.md" of type "text/plain" (14757 bytes)

View attachment "binarly-xz-backdoor-readme.md" of type "text/plain" (83785 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.