Message-ID: <ed2715be-e7a0-4a7f-a3fd-7041f6c6fa49@fu-berlin.de>
Date: Sun, 31 Mar 2024 19:13:35 +0200
From: "Michael.Karcher" <Michael.Karcher@...berlin.de>
To: oss-security@...ts.openwall.com
Cc: Andres Freund <andres@...razel.de>
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Am 29.03.2024 um 16:51 schrieb Andres Freund:
> Florian Weimer first extracted the injected code in isolation, also attached,
> liblzma_la-crc64-fast.o, I had only looked at the whole binary. Thanks!

Thanks for your excellent write-up, and thanks to Florian Weimer for posting
the injected code.

> I am *not* a security researcher, nor a reverse engineer.  There's lots of
> stuff I have not analyzed and most of what I observed is purely from
> observation rather than exhaustively analyzing the backdoor code.

I am a reverse engineer, and tried some static analysis on that code. One
key feature is that the code does not contain any ASCII strings, neither in
clear text nor in obfuscated form. Instead, it recognizes all relevant
strings using one single deterministic finite automaton, a technique commonly
used to search for terms given by regular expressions.

I wrote a script that decodes the tables for the table-driven DFA and outputs
the strings recognized by it, accompanied by the "ID" assigned to the terminal
accepting state that represents that string.

You can find this script (and possibly other stuff I found interesting later)
at https://github.com/karcherm/xz-malware .

Kind Regards,
   Michael Karcher
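The following is an added illustration of the analysis technique described in the message above: recovering the string set hidden in a table-driven DFA by walking its transition table. It is not the script from https://github.com/karcherm/xz-malware and makes no claim about the backdoor's actual table layout; the layout here (a `[state][byte]` next-state table plus a per-state accept-ID table, state 0 meaning "dead", state 1 the start) and the sample strings are constructed for the example. It also shows why the technique defeats `strings`-style triage: the serialized tables contain none of the recognized strings in clear text.

```python
# Added example (not the author's script): enumerate the strings accepted by a
# table-driven DFA and show that the tables themselves carry no ASCII strings.
# Table layout and sample strings are assumptions made for illustration.
import struct

DEAD = 0    # state index used for "no transition"
START = 1   # initial state


def build_dfa(strings):
    """Build a trie-shaped table-driven DFA accepting exactly `strings`.

    Returns (transitions, accept): transitions[state][byte] is the next state
    (DEAD if none) and accept[state] is the ID of the string ending there, or 0.
    IDs are assigned 1..n in input order, the way a generator would number its
    terminal accepting states.
    """
    transitions = [[DEAD] * 256, [DEAD] * 256]   # state 0 = dead, 1 = start
    accept = [0, 0]
    for ident, s in enumerate(strings, start=1):
        state = START
        for b in s.encode():
            nxt = transitions[state][b]
            if nxt == DEAD:                        # allocate a fresh state
                transitions.append([DEAD] * 256)
                accept.append(0)
                nxt = len(transitions) - 1
                transitions[state][b] = nxt
            state = nxt
        accept[state] = ident                      # terminal accepting state
    return transitions, accept


def recover_strings(transitions, accept, max_len=64):
    """Walk the transition table from START and return {ID: string}.

    This is the decoding step: every reachable accepting state yields the byte
    path that leads to it. An accepting state may sit in the middle of a longer
    path ("alpha" inside "alphabet"), so the walk continues past it. `max_len`
    bounds the walk so it terminates even if the automaton contains cycles; a
    minimized DFA may map several strings to one accepting state, in which case
    the first path found is kept.
    """
    found = {}
    stack = [(START, b"")]
    while stack:
        state, prefix = stack.pop()
        if accept[state]:
            found.setdefault(accept[state], prefix.decode("latin-1"))
        if len(prefix) >= max_len:
            continue
        row = transitions[state]
        for b in range(255, -1, -1):               # reversed: pop in byte order
            nxt = row[b]
            if nxt != DEAD:
                stack.append((nxt, prefix + bytes([b])))
    return found


def serialize_tables(transitions, accept):
    """Flatten both tables to little-endian u16 words, as an embedded blob."""
    flat = [s for row in transitions for s in row] + accept
    return struct.pack("<%dH" % len(flat), *flat)


def plaintext_leaks(blob, strings):
    """Return the strings that appear verbatim in the blob (expected: none)."""
    return [s for s in strings if s.encode() in blob]


if __name__ == "__main__":
    sample = ["alpha", "alphabet", "beta", "gamma"]   # constructed sample
    trans, acc = build_dfa(sample)
    for ident, s in sorted(recover_strings(trans, acc).items()):
        print("ID %d: %r" % (ident, s))
    print("plaintext leaks:", plaintext_leaks(serialize_tables(trans, acc), sample))
```

Running it prints the four sample strings with IDs 1 to 4 and an empty leak list: the recognized terms are only reachable by decoding the automaton, which is the work the message's script automates for the real tables.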
