Message-ID: <f0a95b6f-8738-4ca6-9462-35bdca04293a@nil.im>
Date: Sat, 30 Mar 2024 13:14:01 +0100
From: Jonathan Schleifer <js@....im>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

(Sorry, I'm not subscribed to the list, and it seems the web interface 
doesn't expose the message ID so that I could add the appropriate 
headers, so this will probably not show up as a proper reply.)

After reading this, I took a look at xz-5.6.1.tar.bz2 and extracted the 
payload manually myself. The `sed \"r\n\" $gl_am_configmake` never 
worked for me, so instead I replaced that with cat and could still get 
the script extracted.

However, the script I extracted has a diff: http://sprunge.us/okPUXN

This seems to look for yet another test and if it exists extracts a 
shell script from yet another test - before even checking any of the 
abort conditions. I think the assumption "If you don't build an RPM / 
deb, you're fine" probably does not hold as a result.

If I run those greps manually, I have no matches. So this could mean 
this is just future proofing for future tests to be checked in. However, 
I suspect that this is because I extracted the script without executing 
configure, so I'm guessing there is a transformation missing that would 
transform these greps to something else that would then match.

Has anyone else looked into this in more detail? My impression is that 
everybody went by the initial analysis, assumed they are safe and didn't 
do any further reversing.

Also I've looked at the .o that gets linked in. It's 88 KB in size and 
uses misleading symbols: they are symbols that actually exist in 
liblzma, but prefixed with .L, meaning they are local - and do something 
else entirely than the name implies. I did some static analysis, but 
then hit an indirect branch where I don't know where it goes. In any 
case, 88 KB is a lot for just a backdoor in SSH, so I'm wondering if it 
does more.

I think there really needs to be more reverse engineering. Is there any 
such effort? I think it would make sense to join forces and start a group.

-- 
Jonathan
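The misleading-symbol observation above (local `.L`-prefixed names that look like real liblzma exports) lends itself to a simple triage check. The following is an added example, not code from the author or the xz project: it parses GNU `nm`-style output and reports local symbols whose name, with the `.L` prefix stripped, collides with a known public export. The `nm` listing and the list of public names are constructed for the example and are not captured from the real 5.6.1 object; the function and variable names are assumptions.

```python
"""Flag local symbols in an object file that shadow public library names.

Added illustration (not the author's code): given `nm` style output for an
object file, report symbols marked local (lowercase type letter) whose name
is a known public export with a `.L` prefix in front of it.  The sample `nm`
output below is constructed, not captured from the real xz 5.6.1 object.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed `nm` listing: address, type letter, name.  Uppercase types are
# global, lowercase are local.  Assumes GNU nm's default output layout.
SAMPLE_NM_OUTPUT = """\
0000000000000000 T lzma_crc32
0000000000000040 t .Llzma_crc64
0000000000000080 t .Llzma_code
                 U memcpy
00000000000000c0 t helper_internal
0000000000000100 T lzma_easy_encoder
"""

# Public liblzma entry points to compare against.  In practice this would be
# derived from the real library's dynamic symbol table; the short list here
# is an assumption made for the example.
KNOWN_PUBLIC_SYMBOLS: Set[str] = {
    "lzma_crc32", "lzma_crc64", "lzma_code", "lzma_easy_encoder",
}

# address (may be blank for undefined symbols), type letter, symbol name
NM_LINE = re.compile(r"^(?P<addr>[0-9a-fA-F]*)\s*(?P<type>[A-Za-z?])\s+(?P<name>\S+)$")


@dataclass(frozen=True)
class Symbol:
    name: str
    type: str
    address: Optional[int]


def parse_nm(text: str) -> List[Symbol]:
    """Parse nm output into Symbol records; blank or unparsable lines are skipped."""
    symbols = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NM_LINE.match(line)
        if m is None:
            continue
        addr = int(m.group("addr"), 16) if m.group("addr") else None
        symbols.append(Symbol(m.group("name"), m.group("type"), addr))
    return symbols


def find_shadowing_locals(symbols: List[Symbol],
                          public_names: Set[str]) -> List[Tuple[str, str]]:
    """Return (local_name, shadowed_public_name) pairs.

    A local symbol (lowercase nm type) named `.L<name>` where <name> is a
    public export is worth a closer look: a reader of the disassembly sees a
    familiar name, but the code behind it is not the library's exported
    function.
    """
    hits = []
    for sym in symbols:
        if not sym.type.islower():
            continue  # only local symbols are of interest here
        if sym.name.startswith(".L") and sym.name[2:] in public_names:
            hits.append((sym.name, sym.name[2:]))
    return hits


def report(text: str = SAMPLE_NM_OUTPUT,
           public: Set[str] = KNOWN_PUBLIC_SYMBOLS) -> List[Tuple[str, str]]:
    """Print and return the shadowing local symbols found in `text`."""
    hits = find_shadowing_locals(parse_nm(text), public)
    for local_name, public_name in hits:
        print(f"local symbol {local_name} shadows public {public_name}")
    return hits


if __name__ == "__main__":
    report()
```

To run it against a real object, feed the output of `nm <file>.o` to `parse_nm` and the exported names of the genuine library (for example from `nm -D` on the installed shared object) to `find_shadowing_locals`; the check only says which names deserve a manual look, it does not tell you what the code behind them does.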
