oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Solar Designer <solar () openwall com>
Date: Sun, 31 Mar 2024 22:25:02 +0200
On Mon, Apr 01, 2024 at 03:13:39AM +0900, Dominique Martinet wrote:
> Michael.Karcher wrote on Sun, Mar 31, 2024 at 07:13:35PM +0200:
> > You can find this script (and possibly other stuff I found interesting later) at https://github.com/karcherm/xz-malware .
>
> This list requires that the content is made available in messages themselves and not just links, so I've copied the README below
Thank you both.
> b00: 'yolAbejyiejuvnup=Evjtgvsh5okmkAvj\x00'

For those wondering about this cryptic string, it was previously determined to be the backdoor's "kill switch". If put in the environment before sshd startup, the backdoor becomes inactive:

https://piaille.fr/@zeno/112185928685603910

There's further analysis of the binary payload here:

https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504

I've attached the gist .md file above (as of "Revisions 52") to this message, but it's ongoing analysis as seen in the comments.

Alexander
Attachment: backdoor_analysis.md