oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Solar Designer <solar () openwall com>
Date: Sun, 31 Mar 2024 22:33:47 +0200

On Sat, Mar 30, 2024 at 11:00:09PM +0100, Solar Designer wrote:
> On Fri, Mar 29, 2024 at 08:51:26AM -0700, Andres Freund wrote:
> > This injects an obfuscated script to be executed at the end of configure. This
> > script is fairly obfuscated and data from "test" .xz files in the repository.

Gynvael Coldwind @gynvael performed what's probably the most elaborate
analysis of the bash obfuscation so far.  I'm posting it in here on his
behalf.  The original blog post is at:

https://gynvael.coldwind.pl/?lang=en&id=782

Much of the scripted part of the backdoor is now also illustrated by
Thomas Roccia @fr0gger_ in:

https://twitter.com/fr0gger_/status/1774342248437813525

I'm attaching a scaled down and color-reduced (but legible) version of
the image ("convert -strip -quality 100 -resize 50% -colors 12").

Alexander
