oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Matthias Weckbecker <matthias () weckbecker name>
Date: Sat, 30 Mar 2024 10:23:49 +0100

On Fri, Mar 29, 2024 at 12:19:26PM -0700, Andres Freund wrote:
> Hi,
>

Hi Andres,

> On 2024-03-29 19:44:05 +0100, Matthias Weckbecker wrote:
> > I've attached a yara rule to detect the *.o droplet you attached in the
> > email (liblzma_la-crc64-fast.o.gz).
>
> Unfortunately xz 5.61 added further obfuscations, making it harder to
> detect. Should have made it clearer that the attached .o was from 5.60. Among
> others 5.61 removed the two symbols you're checking against here.  That's why
> Vegard's script looks for a specific instruction sequence, but obviously is
> also more obscure :/

Yes, all correct. For this you'll have to match characteristic sequences
of instructions. I've attached a yara rule for this as well.

> Regards,
>
> Andres

Thanks,
Matthias

Attachment: CVE-2024-3094-p.yara
Description:
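An added example, not the yara rule Matthias attached and not code from the xz project: a small Python implementation of YARA-style hex-string matching (literal bytes, `??`, nibble wildcards such as `4?`, and `[n-m]` jumps) run over two constructed byte blobs, to show why a rule keyed on an instruction sequence with wildcards still fires once the symbol names are gone, while a rule keyed on those names does not. The code bytes, the two symbol names (`example_hook_a`, `example_hook_b`) and the pattern are constructed for illustration and are not signatures of the backdoored liblzma object.

```python
"""YARA-style hex-pattern matching over raw bytes (added example).

Everything here is constructed for illustration: the code bytes, the
symbol names and the pattern are hypothetical and are NOT signatures of
the backdoored liblzma object discussed in the thread.
"""
import re


def _byte_class(tok: str) -> bytes:
    """Expand a nibble-wildcard token such as '4?' or '?8' into a regex
    character class listing every byte value it matches."""
    hi_t, lo_t = tok[0], tok[1]
    members = [
        v for v in range(256)
        if (hi_t == "?" or int(hi_t, 16) == v >> 4)
        and (lo_t == "?" or int(lo_t, 16) == v & 0xF)
    ]
    return b"[" + b"".join(b"\\x%02x" % v for v in members) + b"]"


def compile_hex_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA-like hex string into a bytes regex.

    Supported tokens: 'AB' literal byte, '??' any byte, '4?' / '?B' nibble
    wildcards, '[n]' / '[n-m]' jumps of n (to m) arbitrary bytes."""
    parts = []
    for tok in pattern.upper().split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        elif "?" in tok:
            parts.append(_byte_class(tok))
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob: bytes, rules: dict) -> dict:
    """Return {rule_name: [match offsets]} for every rule that matches."""
    hits = {}
    for name, pattern in rules.items():
        offsets = [m.start() for m in compile_hex_pattern(pattern).finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def has_symbol_names(blob: bytes, names) -> bool:
    """Stand-in for a rule keyed on symbol-name strings: true only if every
    NUL-terminated name is present in the blob."""
    return all(n.encode() + b"\x00" in blob for n in names)


# Constructed x86-64 snippet as it would sit in a relocatable .o: the call
# target is a zeroed rel32 that the linker fills in later.
_CODE_IN_OBJECT = bytes.fromhex(
    "4883EC28"      # sub  rsp, 0x28
    "E800000000"    # call rel32 (relocation placeholder, zero in the .o)
    "488B442410"    # mov  rax, [rsp+0x10]
    "4883C428"      # add  rsp, 0x28
    "C3"            # ret
)
# Same logic after linking and a rebuild: rel32 filled in, stack
# displacement changed, and the symbol-name strings no longer present.
_CODE_LINKED = bytes.fromhex("4883EC28" "E8F7FEFFFF" "488B442418" "4883C428" "C3")

HYPOTHETICAL_SYMBOLS = ["example_hook_a", "example_hook_b"]  # invented names

SAMPLE_WITH_SYMBOLS = (
    b"\x00" * 16 + _CODE_IN_OBJECT + b"\x00" * 16
    + b"".join(s.encode() + b"\x00" for s in HYPOTHETICAL_SYMBOLS)
)
SAMPLE_STRIPPED = b"\x90" * 16 + _CODE_LINKED + b"\x90" * 16

RULES = {
    # Literal opcodes kept; linker-filled rel32 and the displacement wildcarded.
    "example_instruction_seq": "48 83 EC 28 E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 83 C4 28 C3",
}


def classify(blob: bytes) -> dict:
    """Apply both detection styles to one blob."""
    return {
        "symbol_rule": has_symbol_names(blob, HYPOTHETICAL_SYMBOLS),
        "sequence_rule": "example_instruction_seq" in scan(blob, RULES),
    }


if __name__ == "__main__":
    for label, blob in (("with symbols", SAMPLE_WITH_SYMBOLS), ("stripped", SAMPLE_STRIPPED)):
        print(label, classify(blob), scan(blob, RULES))
```

The caveat this is meant to make concrete: in a relocatable object the call targets and RIP-relative displacements are placeholders that the linker fills in, so a pattern lifted byte-for-byte from a `.o` droplet will generally not fire on the installed `liblzma.so` unless those fields are wildcarded, and a pattern that is too short or too generic will fire on unrelated code. Run a real rule against the `.text` section rather than the whole file, and keep enough literal opcode bytes around the wildcards to stay specific.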

