oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Andres Freund <andres () anarazel de>
Date: Fri, 29 Mar 2024 12:19:26 -0700
Hi, On 2024-03-29 19:44:05 +0100, Matthias Weckbecker wrote:
I've attached a yara rule to detect the *.o droplet you attached in the email (liblzma_la-crc64-fast.o.gz).
Unfortunately xz 5.61 added further obfuscations, making it harder to detect. Should have made it clearer that the attached .o was from 5.60. Among others 5.61 removed the two symbols you're checking against here. That's why Vegard's script looks for a specific instructions sequence, but obviously is also more obscure :/ Regards, Andres
Current thread:
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise, (continued)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise terraminator (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Demi Marie Obenour (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael Tokarev (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 30)