[Hacker News repost] Backdoor in upstream xz/liblzma leading to SSH server compromise
-
Title: Backdoor in upstream xz/liblzma leading to SSH server compromise
Text:
Url: https://www.openwall.com/lists/oss-security/2024/03/29/4
The article discusses a backdoor in the xz compression library (liblzma), specifically in versions 5.6.0 and 5.6.1. The backdoor lets an attacker compromise an SSH server: malicious code is injected during the library's build, runs after configure, and only activates under specific conditions, such as building for x86-64 Linux with certain environment variables set. On an affected SSH server, logins become significantly slower, and in some cases the server may be compromised. The attack exploits the way liblzma ends up loaded into the sshd process; RSA public key verification in particular is redirected to the malicious code. The article details the obfuscation and injection methods the backdoor uses, including the replacement of ifunc resolvers and the installation of an audit hook in the dynamic linker. The injected code intercepts execution and modifies the symbol table in memory, allowing it to redirect calls to libcrypto functions to its own malicious code. The article also includes recommendations for system administrators, such as upgrading to the latest versions of the affected software and using the provided script to detect whether a system is vulnerable. Given the complexity of the issue and the potential security implications, system administrators should review the article in detail and take appropriate action to secure their systems.
Post by: rkta
Comments:
rwmj: Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.<p>He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.
move-on-by: Fascinating. Just yesterday the author added a SECURITY.md file to the xz-java project.<p>> If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue. This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.<p>Reading that in a different light, it says give me time to adjust my exploits and capitalize on any targets. Makes me wonder what other vulns might exist in the author's other projects.
Aissen: Looks like one of the backdoor authors even went and disabled the feature the exploit relied on directly on oss-fuzz to prevent accidental discovery: <a href="https://social.treehouse.systems/@Aissen/112180302735030319" rel="nofollow">https://social.treehouse.systems/@Aissen/112180302735030319</a> <a href="https://github.com/google/oss-fuzz/pull/10667">https://github.com/google/oss-fuzz/pull/10667</a><p>But luckily there was some serendipity: "I accidentally found a security issue while benchmarking postgres changes." <a href="https://mastodon.social/@AndresFreundTec/112180083704606941" rel="nofollow">https://mastodon.social/@AndresFreundTec/112180083704606941</a>
dang: Related ongoing threads:<p><i>Xz: Disable ifunc to fix Issue 60259</i> - <a href="https://news.ycombinator.com/item?id=39869718">https://news.ycombinator.com/item?id=39869718</a><p><i>FAQ on the xz-utils backdoor</i> - <a href="https://news.ycombinator.com/item?id=39869068">https://news.ycombinator.com/item?id=39869068</a><p><i>Everything I Know About the XZ Backdoor</i> - <a href="https://news.ycombinator.com/item?id=39868673">https://news.ycombinator.com/item?id=39868673</a>
bonyt: For those panicking, here are some key things to look for, based on the writeup:<p>- A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you're not on a rolling release distro, your version is probably older.<p>- A Debian or RPM-based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.<p>- Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.<p>Debian testing already has a version called '5.6.1+really5.4.5-1' that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.<p>It is possible there are other flaws or backdoors in liblzma5, though.
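The three indicators bonyt lists (affected liblzma version, x86_64 deb/rpm system, sshd that loads liblzma via libsystemd), together with the "check whether a system is vulnerable" advice from the summary above, turned into a host check. This is an added example, not the detection script from the oss-security post or anything from the thread; the package names liblzma5 and xz-libs, the sshd path /usr/sbin/sshd, and the use of ldd to find the transitive liblzma dependency are assumptions.

```shell
#!/bin/sh
# Added example (not code from the oss-security post or the HN thread): checks the
# three indicators bonyt lists. Assumes a Linux host; the package names liblzma5
# (Debian) / xz-libs (RPM) and the sshd path /usr/sbin/sshd are assumptions.
# Return 0 if the liblzma version string is one of the two backdoored releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}
# Turn a dpkg version such as "5.6.1+really5.4.5-1" into the upstream version that
# is actually shipped ("5.4.5"): keep what follows "+really", drop revision and epoch.
effective_upstream_version() {
    v="$1"
    case "$v" in
        *+really*) v="${v#*+really}" ;;
    esac
    v="${v%%-*}"
    printf '%s\n' "${v#*:}"
}
# Best-effort lookup of the installed liblzma version via dpkg, rpm, or xz itself.
installed_liblzma_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        effective_upstream_version "$(dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null | head -n1)"
    elif rpm -q xz-libs >/dev/null 2>&1; then rpm -q --qf '%{VERSION}\n' xz-libs
    else xz --version 2>/dev/null | awk '/^liblzma/ { print $2 }'
    fi
}
# Return 0 if sshd transitively loads liblzma (the libsystemd -> liblzma path).
sshd_links_liblzma() {
    [ -x "${1:-/usr/sbin/sshd}" ] || return 2
    ldd "${1:-/usr/sbin/sshd}" 2>/dev/null | grep -q liblzma
}
# Return 0 only when all three indicators line up: affected version, x86_64, and an
# sshd that loads liblzma. Arguments: version, output of uname -m, yes|no.
assess() {
    xz_version_is_affected "$1" && [ "$2" = "x86_64" ] && [ "$3" = "yes" ]
}
main() {
    ver=$(installed_liblzma_version); arch=$(uname -m 2>/dev/null || echo unknown)
    if sshd_links_liblzma; then links=yes; else links=no; fi
    printf 'liblzma %s on %s, sshd loads liblzma: %s\n' "${ver:-unknown}" "$arch" "$links"
    if assess "$ver" "$arch" "$links"; then echo "All three indicators present: treat the host as compromised."
    else echo "Not all indicators present; still replace liblzma if it is 5.6.0 or 5.6.1."; fi
}
main
```

Absence of all three indicators only means the sshd path described in the thread is not present; as bonyt notes, a 5.6.x liblzma should still be replaced.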