Message-ID: <ed2715be-e7a0-4a7f-a3fd-7041f6c6fa49@fu-berlin.de>
Date: Sun, 31 Mar 2024 19:13:35 +0200
From: "Michael.Karcher" <Michael.Karcher@...berlin.de>
To: oss-security@...ts.openwall.com
Cc: Andres Freund <andres@...razel.de>
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

On 29.03.2024 at 16:51, Andres Freund wrote:
> Florian Weimer first extracted the injected code in isolation, also attached,
> liblzma_la-crc64-fast.o, I had only looked at the whole binary. Thanks!

Thanks for your excellent write-up, and thanks to Florian Weimer for posting
the injected code.

> I am *not* a security researcher, nor a reverse engineer. There's lots of
> stuff I have not analyzed and most of what I observed is purely from
> observation rather than exhaustively analyzing the backdoor code.

I am a reverse engineer, and tried some static analysis on that code. One key
feature is that the code does not contain any ASCII strings, neither in clear
text nor in obfuscated form. Instead, it recognizes all relevant strings using
one single deterministic finite automaton, a technique commonly used to search
for terms given by regular expressions. I wrote a script that decodes the
tables for the table-driven DFA and outputs the strings recognized by it,
accompanied by the "ID" assigned to the terminal accepting state that
represents that string. You can find this script (and possibly other stuff I
found interesting later) at https://github.com/karcherm/xz-malware .

Kind Regards,
  Michael Karcher
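To illustrate the analysis technique described above, here is an added toy example (not Michael Karcher's script and not the backdoor's real table): a string recogniser that stores nothing but a state-transition table plus an accepting-state-to-ID map, beside an analyst-side decoder that walks that table to recover every string it accepts with its ID. The sample strings, the per-state dict layout and the ID values are constructed assumptions; a real binary would pack the table differently, but the walk is the same.

```python
"""Toy table-driven DFA string matcher and a decoder that lists what it accepts."""

# Constructed sample: strings we pretend the matcher must recognise, with the
# ID assigned to each accepting state. Illustrative only, not the real table.
SAMPLE_STRINGS = {"ssh": 2, "sshd": 3, "liblzma": 4, "crc64": 5}


def build_dfa(strings):
    """Build a trie-shaped DFA: transitions[state][byte] -> next state,
    accept[state] -> ID. No string literal survives in the result; only
    the byte-indexed transition table does."""
    transitions = [{}]
    accept = {}
    for text, ident in strings.items():
        state = 0
        for byte in text.encode():
            nxt = transitions[state].get(byte)
            if nxt is None:
                transitions.append({})
                nxt = len(transitions) - 1
                transitions[state][byte] = nxt
            state = nxt
        accept[state] = ident
    return transitions, accept


def match(transitions, accept, data):
    """Run the DFA over data; return the ID if the whole input is accepted,
    None otherwise (prefixes such as b'ss' are not accepted)."""
    state = 0
    for byte in data:
        state = transitions[state].get(byte)
        if state is None:
            return None
    return accept.get(state)


def decode_strings(transitions, accept):
    """Analyst side: enumerate every accepted string and its ID by a depth-
    first walk from the start state, i.e. reconstruct the hidden strings
    from the transition table alone."""
    found = {}
    stack = [(0, b"")]
    while stack:
        state, prefix = stack.pop()
        if state in accept:
            found[prefix.decode()] = accept[state]
        for byte, nxt in transitions[state].items():
            stack.append((nxt, prefix + bytes([byte])))
    return dict(sorted(found.items()))
```

A cycle-free (trie-shaped) table is assumed here; a DFA with loops would need a visited set or a bound on walk depth in `decode_strings`.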