• @[email protected]
        61 year ago

        Though unfortunately (or I guess for most use-cases fortunately) you can’t find the malicious m4/build-to-host.m4 file on there afaik. The best way to find that now, should you really want to, is by looking through the commit history of the salsa.debian.org/debian/xz-utils repository which is, as far as I understand it, the repository that the debian packages are built from and consequently also what the compromised packages were built from.

  • @[email protected]
    461 year ago

    A small blurb from The Guardian on why Andres Freund went looking in the first place.

    So how was it spotted? A single Microsoft developer was annoyed that a system was running slowly. That’s it. The developer, Andres Freund, was trying to uncover why a system running a beta version of Debian, a Linux distribution, was lagging when making encrypted connections. That lag was all of half a second, for logins. That’s it: before, it took Freund 0.3s to login, and after, it took 0.8s. That annoyance was enough to cause him to break out the metaphorical spanner and pull his system apart to find the cause of the problem.

  • @[email protected]M
    1011 year ago

    This is informative, but unfortunately it doesn’t explain how the actual payload works - how does it compromise SSH exactly?

    • Aatube
      511 year ago

      It allows a patched SSH client to bypass SSH authentication and gain access to a compromised computer

      • @[email protected]M
        671 year ago

        From what I’ve heard so far, it’s NOT an authentication bypass, but a gated remote code execution.

        There’s some discussion on that here: https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b

        But it would be nice to have a similar digram like OP’s to understand how exactly it does the RCE and implements the SSH backdoor. If we understand how, maybe we can take measures to prevent similar exploits in the future.

        • @[email protected]
          281 year ago

          I think ideas about prevention should be more concerned with the social engineering aspect of this attack. The code itself is certainly cleverly hidden, but any bad actor who gains the kind of access as Jia did could likely pull off something similar without duplicating their specific method or technique.

          • @[email protected]
            131 year ago

            Ideally you need a double-blind checking mechanism definitionally impervious to social engineering.

            That may be possible in larger projects but I doubt you can do much in where you have very few maintainers.

            I bet the lesson here for future attackers is: do not affect start-up time.

            • @[email protected]
              91 year ago

              I imagine if this attacker wasn’t in a rush to get the backdoor into the upcoming Debian and Fedora stable releases he would have been able to notice and correct the increased CPU usage tell and remain undetected.

        • Aatube
          31 year ago

          Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. —Wikipedia, sourced to RedHat

          Of course, the authentication bypass allows remote code execution.

        • @[email protected]
          61 year ago

          I am not a security expert, but the scenario they describe sounds exactly like authentication bypass to a layman like me.

          According to https://www.youtube.com/watch?v=jqjtNDtbDNI the software installs a malicious library that overwrite the signature verification function of ssh.

          I was wondering if the bypass function was designed to be slightly less resource intensive, it probably won’t be discovered and will be shipped to production.

          Also I have mixed feeling about dynamic linking, on the one hand, it allows projects like harden malloc to easily integrate into the system, on the other hand, it also enables the attacker to hijack the library in a similar fashion.

          EDIT: This is a remote code execution exploit, not authentication bypass. The payload is sent as an authentication message and will be executed by the compromised authentication function.

          This means:

          • the payload will be executed as root, since sshd run as root.
          • the payload will leave no trace in login log.

          So this is much worse than ssh authentication bypass.

          • Aatube
            61 year ago

            5.6.1 in fact made it less resources-intensive, but the distro happened to not have updated yet when Freund discovered the backdoor.

          • @[email protected]
            21 year ago

            Authentication bypass should give you interactive access. “I’m in” like. Remote code execution only allows you to run a command, without permanent access. You can use some RCE vulnerabilities to bypass authentication, but not all.

            • @[email protected]
              21 year ago

              Yeah, but the malicious code replaces the ssh signature verification function to let it allow a specific signature. Hence attacker, with the key, can ssh into any system without proper authentication by ssh.

              This kind of describes authentication by-pass, not just remote code execution…

              EDIT: it is remote code execution, see the edit of parent comment.

        • The DoctorEnglish
          81 year ago

          Somebody wrote a PoC for it: https://github.com/amlweems/xzbot#backdoor-demo

          Basically, if you have a patched SSH client with the right ED448 key you can have the gigged sshd on the other side run whatever commands you want. The demo just does id > /tmp/.xz but it could be whatever command you want.

    • @[email protected]
      41 year ago

      There is RedHat’s patch for OpenSSH that adds something for systemd, which adds libsystemd as dependency, which has liblzma as its own dependency.

        • Possibly linuxOPEnglish
          31 year ago

          It is also hard to be certain as they could be a night owl or a early riser.

          • @[email protected]
            11 year ago

            Yeah - The post goes into a lot of detail, and they did take that into account. It’s worth reading.

      • @[email protected]
        281 year ago

        Can’t confirm but unlikely.

        Via https://boehs.org/node/everything-i-know-about-the-xz-backdoor

        They found this particularly interesting as Cheong is new information. I’ve now learned from another source that Cheong isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard) and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses J and especially not Ji). The Tan last name is possible in Mandarin, but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor simply mashed plausible sounding Chinese names together.

          • @[email protected]
            41 year ago

            Could be Chinese creating reasonable doubt. Making this sort of mistake makes explanations that this wasn’t Chinese sound plausible. Even if evidence other than the name comes out, this rebuttal can be repeated and create confusion amongst the public, reasonable suspicions against accusers and a plausible excuse for other states to not blame China (even if they believe it was China).

            Confusion and multiple narratives is a technique carried out often by Soviet, Russian and Chinese government. We are unlikely to be able to answer the question ourselves. It will be up to the intelligence agencies to do that.

            If someone wanted to blame China for this, they would take the name of a real Chinese person to do it. There is over a billion real people they could take a name from. It unlikely that a person creating a name for someone for this type of espionage would make a mistake like picking an implausible name accidentally.

            • @[email protected]English
              21 year ago

              I’m not suggesting one way or another, only that the quoted explanation taken at face value isn’t suggesting China based on name analysis.

              There’s also no reason to assume a nation state. This is completely within the realm of a single or small group of hackers. Organized crime another possibility. Errors with naming are plausible just as the initial mistakes with timing analysis and valgrind errors.

              Even assuming a nation state, you name Russia as a possibility. Russia has shown themselves to be completely capable of errors, in their hacks (2016 election interference that was traced back to their intelligence base), their wars, their assassination attempts, etc.

              And to me it doesn’t seem any more likely that China would point to themselves but sprinkle doubt with inconsistent naming versus just outright pointing to someone else.

              It’s all guesses, nothing points one way or another. I think we agree on that.

              • @[email protected]
                31 year ago

                A big part of it is also letting other people know you did it. China and Russia are big on this. The create dangerous situations, then say they aren’t responsible all while sowing confusion. The want plausible deniability, confusion and credit for doing it.

      • The DoctorEnglish
        21 year ago

        Just because somebody picked a vaguely Chinese-sounding handle doesn’t mean much about who or where.

  • UnityDevice
    971 year ago

    If this was done by multiple people, I’m sure the person that designed this delivery mechanism is really annoyed with the person that made the sloppy payload, since that made it all get detected right away.

    • bobburger
      211 year ago

      I like to imagine this was thought up by some ambitious product manager who enthusiastically pitched this idea during their first week on the job.

      Then they carefully and meticulously implemented their plan over 3 years, always promising the executives it would be a huge pay off. Then the product manager saw the writing on the wall that this project was gonna fail. Then they bailed while they could and got a better position at a different company.

      The new product manager overseeing this project didn’t care about it at all. New PM said fuck it and shipped the exploit before it was ready so the team could focus their work on a new project that would make new PM look good.

      The new project will be ready in just 6-12 months, and it is totally going to disrupt the industry!

      • @[email protected]
        261 year ago

        I see a dark room of shady, hoody-wearing, code-projected-on-their-faces, typing-on-two-keyboards-at-once 90’s movie style hackers. The tables are littered with empty energy drink cans and empty pill bottles.

        A man walks in. Smoking a thin cigarette, covered in tattoos and dressed in the flashiest interpretation of “Yakuza Gangster” imaginable, he grunts with disgust and mutters something in Japanese as he throws the cigarette to the floor, grinding it into the carpet with his thousand dollar shoes.

        Flipping on the lights with an angry flourish, he yells at the room to gather for standup.

  • @[email protected]
    481 year ago

    I think going forward we need to look at packages with a single or few maintainers as target candidates. Especially if they are as widespread as this one was.

    In addition I think security needs to be a higher priority too, no more patching fuzzers to allow that one program to compile. Fix the program.

    I’d also love to see systems hardened by default.

    • @[email protected]
      21 year ago

      This has always been the case. Maybe I work in a unique field but we spend a lot of time duplicating functionality from open source and not linking to it directly for specifically this reason, at least in some cases. It’s a good compromise between rolling your own software and doing a formal security audit. Plus you develop institutional knowledge for that area.

      And yes, we always contribute code back where we can.

      • @[email protected]
        21 year ago

        We run our forks not because of security, but because pretty much nothing seems to work for production use without some source code level mods.

    • @[email protected]
      401 year ago

      In the words of the devs in that security email, and I’m paraphrasing -

      “Lots of people giving next steps, not a lot people lending a hand.”

      I say this as a person not lending a hand. This stuff over my head and outside my industry knowledge and experience, even after I spent the whole weekend piecing everything together.

      • @[email protected]
        51 year ago

        You are right, as you note this requires a set of skills that many don’t possess.

        I have been looking for ways I can help going forward too where time permits. I was just thinking having a list of possible targets would be helpful as we could crowdsource the effort on gitlab or something.

        I know the folks in the lists are up to their necks going through this and they will communicate to us in good time when the investigations have concluded.

    • Amju WolfEnglish
      311 year ago

      Packages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one.

      What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.

    • @[email protected]
      11 year ago

      There’s gotta be a better way to verify programs then just what the devs do. For example patching the fuzzer, that should be seen as a clear separation of duties problem.

      That constant issue of low Dev/high use dependencies is awful and no one I’ve met on the business end can seem to figure out that need to support those kind of people or accept, what should frankly be, legal liability for what goes wrong. This isn’t news its just a cover song. And its not an open source problem, its just a software problem. (

    • @[email protected]
      111 year ago

      no more patching fuzzers to allow that one program to compile. Fix the program

      Agreed.

      Remember Debian’s OpenSSL fiasco? The one that affected all the other derivatives as well, including Ubuntu.

      It all started because OpenSSL did add to the entropy pool a bunch uninitialized memory and the PID. Who the hell relies on uninitialized memory ever? The Debian maintainer wanted to fix Valgrind errors, and submitted a patch. It wasn’t properly reviewed, nor accepted in OpenSSL. The maintainer added it to the Debian package patch, and then everything after that is history.

      Everyone blamed Debian “because it only happened there”, and definitely mistakes were done on that side, but I surely blame much more the OpenSSL developers.

      • @[email protected]
        51 year ago

        OpenSSL did add to the entropy pool a bunch uninitialized memory and the PID.

        Did they have a comment above the code explaining why it was doing it that way? If not, I’d blame OpenSSL for it.

        The OpenSSL codebase has a bunch of issues, which is why somewhat-API-compatible forks like LibreSSL and BoringSSL exist.

        • @[email protected]
          11 year ago

          I’d have to dig it, but I think it said that it added the PID and the uninitialized memory to add a bit more data to the entropy pool in a cheap way. I honestly don’t get how that additional data can be helpful. To me it’s the very opposite. The PID and the undefined memory are not as good quality as good randomness. So, even without Debian’s intervention, it was a bad idea. The undefined memory triggered valgrind, and after Debian’s patch, if it weren’t because of the PID, all keys would have been reduced to 0 randomness, which would have probably raised the alarm much sooner.

  • Aatube
    2401 year ago

    Don’t forget all of this was discovered because ssh was running 0.5 seconds slower

  • @[email protected]
    801 year ago

    I have been reading about this since the news broke and still can’t fully wrap my head around how it works. What an impressive level of sophistication.

    • @[email protected]
      841 year ago

      And due to open source, it was still caught within a month. Nothing could ever convince me more than that how secure FOSS can be.

      • slazer2auEnglish
        81 year ago

        Yea, but then heartbleed was a thing for how long that no-one noticed?

        The value of foss is so many people with a wide skill set can look at the same problematic code and dissect it.

      • Lung
        951 year ago

        Idk if that’s the right takeaway, more like ‘oh shit there’s probably many of these long con contributors out there, and we just happened to catch this one because it was a little sloppy due to the 0.5s thing’

        This shit got merged. Binary blobs and hex digit replacements. Into low level code that many things use. Just imagine how often there’s no oversight at all

        • The QuuuuuillEnglish
          281 year ago

          I was literally compiling this library a few nights ago and didn’t catch shit. We caught this one but I’m sure there’s a bunch of “bugs” we’ve squashes over the years long after they were introduced that were working just as intended like this one.

          The real scary thing to me is the notion this was state sponsored and how many things like this might be hanging out in proprietary software for years on end.

        • @[email protected]
          501 year ago

          Yes, and the moment this broke other project maintainers are working on finding exploits now. They read the same news we do and have those same concerns.

          • @[email protected]
            191 year ago

            I wonder if anyone is doing large scale searches for source releases that differ in meaningful ways from their corresponding public repos.

            It’s probably tough due to autotools and that sort of thing.

          • Lung
            221 year ago

            Very generous to imagine that maintainers have so much time on their hands

            • @[email protected]
              111 year ago

              Bug fixes can be delayed for a security sweep. One of the quicker ways that come to mind is checking the hash between built from source and the tarball

              • Lung
                141 year ago

                The whole point here is that the build process was infiltrated - so you’d have to remake the build system yourself to compare, and that’s not a task that can be automated

  • @[email protected]
    311 year ago

    The scary thing about this is thinking about potential undetected backdoors similar to this existing in the wild. Hopefully the lessons learned from the xz backdoor will help us to prevent similar backdoors in the future.