oss-sec mailing list archives
Re: finding similar compromises (was Re: From xz to ibus: ...
From: Hank Leininger <hlein () korelogic com>
Date: Tue, 2 Apr 2024 12:27:18 -0600
On 2024-04-02, Tavis Ormandy wrote:
> On 2024-04-01, HW42 wrote:
> > Hi Jan, great that you are looking for further problems. (Just to be
> > clear, I'm not associated with ibus in any way.)
>
> Yes, agreed. In the interests of discussing things in the open after just
> complaining about embargoes... :)
Along similar lines, I've been analyzing other packages to see if I can find
similar fragments to those used in the stage0, stage1, stage2 loaders from the
xz-utils backdoor:

  https://github.com/hlein/distro-backdoor-scanner

tl;dr: did some scans, more to come, nothing found yet; help add patterns.

I'll quote my own README here:

###

The toolkit used for the xz-utils backdoor is far too sophisticated to be a
first draft. Were there earlier iterations of this, that shared some things in
common but were slightly simpler, injected into other projects? Can we detect
the style/"fist" of the author elsewhere? More so the delivery mechanics than
the contents of the extracted+injected malicious .so.

These scripts unpack the source packages for all of a distro repo's current
packages, then scan them for content similar to the malware that was added to
xz-utils. Running over the unpacked source trees of ~19k Gentoo packages and
~40k Debian packages gives a manageable amount of results (~hundreds of hits),
digestible by a human. So far the only confirmed malicious results are... from
the backdoored xz-utils versions.

There need to be more search patterns, among other things; see TODO.

###

Working on some submitted patches and adding Rocky Linux support ~today.

Thanks,

--
Hank Leininger <hlein () korelogic com>
8428 ED14 5268 C727 0C48 F454 846F 0637 5FEB 1612
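As an added illustration of the scanning approach described in the message above (this is not code from distro-backdoor-scanner; the trait regexes, the MIN_HITS threshold and the sample tree are constructed assumptions of mine), a Python script that walks an unpacked source tree, scores only files that run at configure/build time against a few traits of the xz loaders' delivery mechanics (build script reads a test fixture, carves bytes from it, pipes through tr/a decompressor, evals a variable) and reports a file only when at least two distinct traits match, which is what keeps the hit count reviewable:

```python
"""Flag build-time scripts in an unpacked source tree that read a test fixture, carve
bytes from it and eval/decompress the result, as the xz loaders did. Constructed example."""
import re
import tempfile
from pathlib import Path

# Only files that run during configure/build are scored.
BUILD_FILES = re.compile(r"(\.m4|\.ac|\.am|\.in|\.sh|^configure$|^Makefile$)")
# Assumed heuristics, one regex per trait; a file needs MIN_HITS distinct traits
# to be reported, so a lone benign tr or xz in a Makefile stays out of the results.
PATTERNS = {
    "reads_test_fixture": re.compile(r"\btests?/[\w./-]+\.(xz|lzma|gz|bin)\b"),
    "byte_carving": re.compile(r"\b(head|tail)\s+-c\s+\+?\d+|sed\s+\"r\\n\""),
    "transliterate_pipe": re.compile(r"\|\s*tr\s+[\"'][^\"']+[\"']\s+[\"']"),
    "eval_of_variable": re.compile(r"\beval\s+\$\{?\w+"),
    "decompress_in_pipe": re.compile(r"\|\s*(xz|unxz|lzma|unlzma|zcat)\b"),
}
MIN_HITS = 2

def scan_file(path: Path) -> set:
    text = path.read_text(errors="replace")
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def scan_tree(root) -> dict:
    """Map relative path -> matched traits, for build files with >= MIN_HITS."""
    root, hits = Path(root), {}
    for p in root.rglob("*"):
        if p.is_file() and BUILD_FILES.search(p.name):
            found = scan_file(p)
            if len(found) >= MIN_HITS:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def build_sample_tree(root) -> None:
    """Constructed fixture: a benign automake file plus a suspicious m4 macro."""
    root = Path(root)
    (root / "m4").mkdir()
    (root / "Makefile.am").write_text(
        "check_DATA = tests/files/sample-data.lzma\nupper:\n\techo $(NAME) | tr a-z A-Z\n")
    (root / "m4" / "check-thing.m4").write_text(r'''dnl constructed, not a real macro
AC_DEFUN([PKG_CHECK_THING], [
  src="$srcdir/tests/files/sample-data.lzma"
  cmd='sed "r\n" $src | eval $map_cmd | xz -d 2>/dev/null'
  eval $cmd])
''')

def demo() -> dict:
    """Build the fixture in a temp dir, scan it and return the reported files."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_tree(d)
```

Run against a real tree with `scan_tree("/path/to/unpacked/sources")`; the Makefile.am in the fixture references a test fixture too, but matches only one trait and is therefore not reported.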