Message-ID: <20240331203347.GA21266@openwall.com>
Date: Sun, 31 Mar 2024 22:33:47 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

On Sat, Mar 30, 2024 at 11:00:09PM +0100, Solar Designer wrote:
> On Fri, Mar 29, 2024 at 08:51:26AM -0700, Andres Freund wrote:
> > This injects an obfuscated script to be executed at the end of configure. This
> > script is fairly obfuscated and uses data from "test" .xz files in the repository.
> 
> Gynvael Coldwind @gynvael performed what's probably the most elaborate
> analysis of the bash obfuscation so far.  I'm posting it in here on his
> behalf.  The original blog post is at:
> 
> https://gynvael.coldwind.pl/?lang=en&id=782

Much of the scripted part of the backdoor is now also illustrated by 
Thomas Roccia @fr0gger_ in:

https://twitter.com/fr0gger_/status/1774342248437813525

I'm attaching a scaled down and color-reduced (but legible) version of
the image ("convert -strip -quality 100 -resize 50% -colors 12").

Alexander

Download attachment "fr0gger-xz-backdoor.png" of type "image/png" (173677 bytes)
