Filippo Valsorda: "I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis

[doginventer]

Filippo Valsorda: "I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable." — Bluesky

https://bsky.app/profile/filippo.abyssd ... wjkx2njy2b

[shewhomustbeobeyed]

I can't get this app to work. I'd need a bunch of mansplaining to understand it, anyways. Got any techtard explanations handy?

[doginventer]

I can't get this app to work. I'd need a bunch of mansplaining to understand it, anyways. Got any techtard explanations handy?

I just click on the link and it comes up.
If it were blocked by territory I would have thought I’d be in line for that being in the UK.
I assume there could be something in your vpn/adblock or suchlike software but I’m afraid that’s about as far as my‘splaining goes on this :(

Calling all techys!!!

[doginventer]

Post

Filippo Valsorda
filippo.abyssdomain.expert

Follow
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

Filippo Valsorda filippo.abyssdomain.expert
·
4d
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.

Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Mar 30, 2024 at 17:13
286 reposts
665 likes

9

286

665


Filippo Valsorda filippo.abyssdomain.expert
·
3d
The payload is extracted from the N value (the public key) passed to RSA_public_decrypt, checked against a simple fingerprint, and decrypted with a fixed ChaCha20 key before the Ed448 signature verification.

2

5

71

Filippo Valsorda filippo.abyssdomain.expert
·
3d
RSA_public_decrypt is a (weirdly named) signature verification function. www.openssl.org/docs/manmast...

(Why "decrypt"? RSA sig verification is the same op of RSA encryption. 🤷‍♂️)

1

1

50

Filippo Valsorda filippo.abyssdomain.expert
·
3d
The RSA_public_decrypt public key can be attacker-controlled pre-auth by using OpenSSH certificates.

OpenSSH certs are weird in that they include the signer's public key. OpenSSH checks the signature on parsing. github.com/openssh/open...

1

3

50

Filippo Valsorda filippo.abyssdomain.expert
·
3d
Here's a script by Keegan Ryan for sending a custom public key in a certificate, which on a backdoored system will reach the hooked function.

gist.github.com/keeganryan/a...

1

4

55

Filippo Valsorda filippo.abyssdomain.expert
·
3d
Apparently the backdoor reverts back to regular operation if the payload is malformed or the signature from the attacker's key doesn't verify.

Unfortunately, this means that unless a bug is found, we can't write a reliable/reusable over-the-network scanner.

8

14

121

Filippo Valsorda filippo.abyssdomain.expert
·
2d
To clarify, by “gated” I mean it takes the attacker’s private key to use the backdoor (it’s NOBUS); by “unreplayable” I mean that even if we observe an attack against one host, we can’t reuse it against another host (the attacker’s signature is bound to the host public key, but not to the command).

3

4

55

KNOX jrknox.bsky.social
·
1d
Is there someplace we can still download it for analysis?




Don dkileen.bsky.social
·
2d
Thank you for sharing! It’s one of the several redeeming qualities of this community.



1
calestyo.bsky.social calestyo.bsky.social
·
2d
Is it already known with certain confidence, whether any version of the backdoor automatically pulled in exploit code from remote on it's own?
IOW, are people that had compromised versions, but whose sshd was either not running or behind a firewall guaranteed to be safe and not further compromised?

1


2

Filippo Valsorda filippo.abyssdomain.expert
·
2d
No evidence of it calling home so far

1


6
calestyo.bsky.social calestyo.bsky.social
·
2d
*If*, eventually it could be confirmed beyond doubt, and also that the malware code caused no other infestation of the system and only affected sshd, we might be lucky this time.
- most servers likely run stable versions that weren't compromised
- most laptops have no sshd or at least no open one

1


1
calestyo.bsky.social calestyo.bsky.social
·
2d
I'm still surprised though, if they really didn't call home to take full control.

Maybe, though, the adversary wanted to keep this very low profile.

In any case, please keep us informed if there should be any new findings or confirmations, on whether people can feel safe :-)
Thanks!




Vinay Kulkarni skibum.bsky.social
·
3d
It's a wild one indeed! Incredibly lucky that Andres Freund caught it when he did! IMHO, ZeroTrust + defense in depth strategy combined with good anomaly detection and continuous monitoring is probably the only practical option to mitigate risks, and contain any damage from such motivated actors!



4

fellipec.bsky.social fellipec.bsky.social
·
3d
Beloved, I'm so glad this was caught. Would be a nightmare if it went into production

2


2

-thh thh.name
·
2d
And it may have have been targeted on Ubuntu Noble and Fedora Linux 40 releases.




sage whitemage.co
·
3d
Thanks for sharing!




Peter E. AKA Say10 pelsner.bsky.social
·
3d
Yup. Only got caught because someone noticed ssh running slow.
😁



12

Hannah is probably online 🟢 hannah.the-void.social
·
3d
It's been wild telling non-tech friends about this. I don't think any of them truly grasp how cataclysmic this is.

Hannah is probably online 🟢 hannah.the-void.social
·
4d
"if you can't downgrade, kill sshd" is one of those sentences where people either don't know what it means or they have somewhere they very suddenly need to be as soon as possible.

2

5

54

A.B. begrudginglyyeast.bsky.social
·
2d
I cannot help but wonder how many other things like this there are that just have not been found.

1



Hannah is probably online 🟢 hannah.the-void.social
·
2d
I can't find a link, but did you see how this was found? it was absolutely tripped over by someone going "that's weird" about a latency increase

2


Jimmy jimmythefly.bsky.social
·
23h
This, I believe: www.openwall.com/lists/oss-se...

[shewhomustbeobeyed]

you sweet thang! I found the archive - https://archive.is/d2zgi
Still don't understand what's going on here, tho.
@SearchVoat I need EILI5 mansplain, please.