oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Solar Designer <solar () openwall com>
Date: Sun, 31 Mar 2024 22:25:02 +0200

On Mon, Apr 01, 2024 at 03:13:39AM +0900, Dominique Martinet wrote:
> Michael.Karcher wrote on Sun, Mar 31, 2024 at 07:13:35PM +0200:
> > You can find this script (and possibly other stuff I found interesting later)
> > at https://github.com/karcherm/xz-malware .
> 
> This list requires that the content is made available in messages
> themselves and not just links, so I've copied the README below

Thank you both.

>  b00: 'yolAbejyiejuvnup=Evjtgvsh5okmkAvj\x00'

For those wondering about this cryptic string, it was previously
determined to be the backdoor's "kill switch".  If put in the
environment before sshd startup, the backdoor becomes inactive:

https://piaille.fr/@zeno/112185928685603910

There's further analysis of the binary payload here:

https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504

I've attached the gist .md file above (as of "Revisions 52") to this
message, but it's ongoing analysis as seen in the comments.

Alexander

Attachment: backdoor_analysis.md
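The kill switch quoted above is an ordinary NAME=VALUE environment entry, so whether a given sshd was started with it can be verified by reading that process's environment block (/proc/PID/environ on Linux, NUL-separated). The shell snippet below is an added example and is not code from this message, from the linked gist or from the karcherm repository; the only value it takes from the thread is the b00 string itself, and the sample environment blocks it builds are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the xz backdoor
# kill-switch variable is present in a process environment block.
# The NAME=VALUE pair is the b00 string quoted in the thread.
KILL_SWITCH='yolAbejyiejuvnup=Evjtgvsh5okmkAvj'

# has_kill_switch FILE
#   FILE holds a /proc/<pid>/environ-style NUL-separated environment block.
#   Returns 0 when the exact NAME=VALUE pair is present, 1 otherwise.
#   -x requires a whole-line match, so a different value for the same
#   variable name does not count as the kill switch.
has_kill_switch() {
    tr '\000' '\n' < "$1" | grep -qxF "$KILL_SWITCH"
}

# check_sshd_pid PID
#   Same check against the live environment of a running process
#   (hypothetical helper; needs permission to read /proc/PID/environ).
check_sshd_pid() {
    has_kill_switch "/proc/$1/environ"
}

# make_sample FILE WITH_SWITCH
#   Writes a constructed environment block to FILE. WITH_SWITCH=1 adds
#   the kill switch between two ordinary variables.
make_sample() {
    {
        printf 'PATH=/usr/sbin:/usr/bin\000'
        if [ "$2" = 1 ]; then
            printf '%s\000' "$KILL_SWITCH"
        fi
        printf 'LANG=C\000'
    } > "$1"
}
```

On a systemd host the variable can be put into sshd's environment before startup with an `Environment=` line in a drop-in for the sshd unit, but that only disarms the hook described in the thread; replacing the affected liblzma is the fix.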