【Hacker News搬运】XZ后门:“这是RCE,不是身份验证旁路,并且是门控的/不可修复的。”
-
Title: XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable."
XZ后门:“这是RCE,不是身份验证旁路,并且是门控的/不可修复的。”
Text:
Url: https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
很抱歉,我尝试抓取指定URL的内容时遇到了问题,因为该URL返回了405状态码,这意味着请求不被允许。通常,这可能是因为网站不允许自动化工具访问其内容。如果您有其他URL或其他请求,我可以尝试再次帮助您。Post by: junon
Comments:
tigerlily: As a <i>de facto</i> maintainer of an obscure open source game, I see devs come and go. I just merge all the worthwhile contributions. Some collaborators go pretty deep with their features, with a variety of coding styles, in a mishmash of C and C++. I'm not always across the implementation details, but in the back of my mind I'm thinking, man, anyone could just code up some real nasty backdoor and the project would be screwed. Lucky the game is so obscure and the attack surface minuscule, but it did stop me from any temptation to sign Windows binaries out of any sense of munificence.<p>This xz backdoor is just the most massive nightmare, and I really feel for the og devs, and anyone who got sucked in by this.
tigerlily: 作为一个不知名的开源游戏的<i>事实上的</i>维护者,我看到开发者来来往往。我只是把所有有价值的贡献合并在一起。一些合作者非常深入地研究了他们的功能,使用了各种编码风格,将C和C++混合在一起。I-;我并不总是了解实现细节,但在我的脑海中,我;我在想,伙计,任何人只要编一个真正讨厌的后门,这个项目就会搞砸。幸运的是,这个游戏如此晦涩,攻击面也很小,但它确实阻止了我出于任何慷慨的考虑签署Windows二进制文件的诱惑<p> 这个xz后门只是最可怕的噩梦,我真的很同情og开发者,以及任何被它吸引的人。
junon: EDIT: Here's some more RE work on the matter. Has some symbol remapping information that was extracted from the prefix trie the backdoor used to hide strings. Looks like it tried to hide itself even from RE/analysis, too.<p><a href="https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504" rel="nofollow">https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9...</a><p>Full list of decoded strings here:<p><a href="https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01" rel="nofollow">https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01</a><p>--<p>For someone unfamiliar with openssl's internals (like me): The N value, I presume, is pulled from the
nfield ofrsa_st:<p><a href="https://github.com/openssl/openssl/blob/56e63f570bd5a479439bc6f6a2499f6b86ded341/crypto/rsa/rsa_local.h#L62C5-L62C12">https://github.com/openssl/openssl/blob/56e63f570bd5a479439b...</a><p>Which is aBIGNUM:<p><a href="https://github.com/openssl/openssl/blob/56e63f570bd5a479439bc6f6a2499f6b86ded341/crypto/bn/bn_local.h#L245">https://github.com/openssl/openssl/blob/56e63f570bd5a479439b...</a><p>Which appears to be a variable length type.<p>The back door pulls this from the certificate received from a remote attacker, attempts to decrypt it with ChaCha20, and if it decrypts successfully, passed tosystem(), which is essentially a simple wrapper that executes a line of shellscript under whichever user the process is currently executing.<p>If I'm understanding things correctly, this is worse than a public key bypass (which myself and I think a number of others presumed it might be) - a public key bypass would, in theory, only allow you access as the user you're logging in with. Assumedly, hardened SSH configurations would disallow root access.<p>However, since this is an RCE in the context of e.g. an sshd process itself, this means that sshd running as root would allow the payload to itself run as root.<p>Wild. This is about as bad as a widespread RCE can realistically get.junon: 编辑:此处;在这件事上还有一些RE工作。具有一些符号重映射信息,这些信息是从前缀trie中提取的,trie是用于隐藏字符串的后门。看起来它甚至试图隐藏自己以躲避RE•;分析也是如此<p> <a href=“https://;/;gist.github.com#xx2F;smx-smx/:a6112d54777845d389bd7126d6e9f504”rel=“nofollow”>https:///;gist.github.com/;smx-smx-x2F;a6112d54777845d389bd7126d6e9…</a><p>此处解码字符串的完整列表:<p><a href=“https://;/;gist.github.com/!q3k/:af3d93b6a1f399de28fe194add452d01”rel=“nofollow”>https:///;gist.github.com/;q3k;af3d93b6a1f399de28fe194add452d01</a><p>对于不熟悉openssl的人来说;s的内部(和我一样):我认为N值是从
rsa_st的N字段中提取的:<p><a href=“https://;/;github.com/:openssl/,opensslȏ;blobȏ:56e63f570bd5a479439bc6f6a2499f6b86ded341//;github.com/;openssl;openssl;blob;56e63f570bd5a479439b</a> <p>哪一个是“BIGNUM”:<p><a href=“https://;/;github.com#xx2F;openssl#xx20F;blob#xx2F:56e63f570bd5a479439bc6f6a2499f6b86ded341#xx2f;crypto#xx2F!bn_local.h#L245”>https:///;github.com/;openssl;openssl;blob;56e63f570bd5a479439b</a> <p>这似乎是一个可变长度类型<p> 后门从远程攻击者收到的证书中提取该证书,试图用ChaCha20对其进行解密,如果解密成功,则将其传递给“system()”,这本质上是一个简单的包装器,在进程当前执行的任何用户下执行一行shell脚本<p> 如果I-;我理解得很正确,这比公钥绕过(我和我认为许多其他人都认为可能是这样)更糟糕——理论上,公钥绕过只允许你作为用户访问;使用重新登录。假设,强化的SSH配置将不允许root访问<p> 然而,由于这是例如sshd进程本身上下文中的RCE,这意味着以root身份运行的sshd将允许负载本身以root身份进行运行<p> 狂野。这几乎是一个广泛的RCE所能达到的最糟糕的程度。sgammon: There appears to be a string encoded in the binary payload:<p><a href="https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115" rel="nofollow">https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01...</a><p>Which functions as a killswitch:<p><a href="https://piaille.fr/@zeno/112185928685603910" rel="nofollow">https://piaille.fr/@zeno/112185928685603910</a><p>If that is indeed the case, one mitigation might be<p>
<p>echo "yolAbejyiejuvnup=Evjtgvsh5okmkAvj" | sudo tee /etc/environment<p>sgammon: 二进制有效载荷中似乎有一个编码的字符串:<p><a href=“https:/;#x2F;gist.github.com/!q3k/:af3d93b6a1f39de28fe194add452d01#file-hashes-txt-L115”rel=“nofollow”>https:ȏ/;gist.github.com/;q3k;af3d93b6a1f399de28fe194add452d01…</a><p>用作killswitch:<p><a href=“https://;/;piaille.fr/!@zeno/:112185928685603910”rel=“nofollow”>https:///;piailer.fr/@zeno;112185928685603910</a><p>如果确实是这样的话,一种缓解措施可能是<p>“<p>echo”;yolAbejyiejuvnup=Evjtgvsh5okmkAvj“|sudo tee/;等等;环境<p>```
sega_sai: One have question on this is, if the backdoor would not been discovered due to performance issue (which was as I understood it purely an oversight/fixable deficiency in the code), what are the chances of discovering this backdoor later, or are there tools that would have picked it up? Those questions are IMO relevant to understand if this kind of backdoor is the first one of the kind, or the first one that was uncovered.
sega_sai: 有一个问题是,如果由于性能问题(据我所知,这纯粹是代码中的疏忽和可修复缺陷)而没有发现后门,那么以后发现这个后门的机会有多大,或者有没有工具会发现它?这些问题与国际海事组织有关,以了解这种后门是第一个,还是第一个被发现的后门。
tevon: Currently if you visit the xz repository it is disabled for violating github's TOS.<p>While it should clearly be disabled, I feel like github should leave the code and history up, while displaying a banner (and disabled any features that could be exploited), so that researchers and others can learn about the exploit.<p>In more minor situations when a library is hosting malicious code, if I found the repo to be down I might not think anything of it.
tevon: 目前,如果您访问xz存储库,它会因违反github而被禁用;的TOS<p> 虽然它显然应该被禁用,但我觉得github应该保留代码和历史记录,同时显示横幅(并禁用任何可能被利用的功能),以便研究人员和其他人了解该漏洞<p> 在更轻微的情况下,当库托管恶意代码时,如果我发现repo关闭了,我可能不会考虑它。