oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 17 Apr 2024 16:38:54 +0200
* Andres Freund <andres () anarazel de>, 2024-03-29 08:51:
> d) LANG needs to be set
If timing "sshd -h" is a reliable method of checking if the backdoor is active, then this is not correct. It seems all you need is a non-empty environment:

    # time env -i /usr/sbin/sshd -h 2>/dev/null
    real    0m0.009s
    user    0m0.004s
    sys     0m0.005s

    # time env -i X= /usr/sbin/sshd -h 2>/dev/null
    real    0m0.345s
    user    0m0.337s
    sys     0m0.009s

Further evidence that LANG doesn't matter:

* LANG is not on the list of extracted strings[0].
* Some folks[1][2] misspelled LANG as LC_LANG, and apparently it still worked.

[0] https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
[1] https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
[2] https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor

> I am *not* a security researcher, nor a reverse engineer.
Congrats, you've just made a lot of people feel inadequate. :P

-- 
Jakub Wilk
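
The comparison in the message above, repeated over several environments and summarised with medians. This is an added example, not part of the original message or of any project it mentions. It assumes, as the message does, that the start-up time of "sshd -h" is a usable indicator; the function names, the 5x ratio and the 0.05 s floor are assumptions chosen for illustration.

```python
import statistics
import subprocess
import time


def median_startup(cmd, env, runs=5):
    """Median wall-clock seconds for cmd, run with exactly the environment given."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        # env={} is the equivalent of "env -i": the child inherits nothing.
        subprocess.run(cmd, env=env, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, check=False)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


# The two environments from the message, plus LANG and the LC_LANG misspelling.
ENVIRONMENTS = {
    "empty": {},
    "X=": {"X": ""},
    "LANG=C": {"LANG": "C"},
    "LC_LANG=C": {"LC_LANG": "C"},
}


def compare_environments(cmd, environments=ENVIRONMENTS, runs=5,
                         ratio=5.0, floor=0.05):
    """Return {name: (median_seconds, slow)}.

    slow is True when the median is at least `floor` seconds and at least
    `ratio` times the empty-environment baseline (assumed thresholds).
    """
    baseline = median_startup(cmd, environments["empty"], runs)
    report = {}
    for name, env in environments.items():
        t = baseline if name == "empty" else median_startup(cmd, env, runs)
        report[name] = (t, t >= floor and t >= ratio * baseline)
    return report


if __name__ == "__main__":
    # Path taken from the message; adjust for the system being checked.
    result = compare_environments(["/usr/sbin/sshd", "-h"])
    for name, (seconds, slow) in result.items():
        print(f"{name:10s} {seconds:.3f}s  {'SLOW' if slow else 'ok'}")
```

A host that shows every non-empty environment as slow and only the empty one as fast matches the pattern in the message; a uniform result across all four does not.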