Stream: general

Topic: XZ backdoor


Lann Martin (Apr 01 2024 at 16:57):

In case you have managed to avoid tech news for a couple of days, this is important: https://tukaani.org/xz-backdoor/
From one of the linked resources:

TL;DR:

Using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1:
    Using systemd on publicly accessible ssh: update RIGHT NOW NOW NOW
    Otherwise: update RIGHT NOW NOW but prioritize the former
Using another type of distribution:
    With glibc and xz-5.6.0 or xz-5.6.1: update RIGHT NOW, but prioritize the above.

Lann Martin (Apr 01 2024 at 16:58):

More relevant to this chat, it is a great example of the hazards of shared-everything linking :smile:

Chris Fallin (Apr 01 2024 at 17:00):

and late-binding overly-configurable resolution -- IIRC the exploit uses weird features of ld.so (audit hook? overriding symbols?) to hook into the auth path

Frank Rehwinkel (Apr 01 2024 at 17:06):

and allowing binaries in the repo, even test binaries

Peter Huene (Apr 01 2024 at 17:13):

i think it uses IFUNCs

Peter Huene (Apr 01 2024 at 17:14):

it's really a fascinating journey; a microsoft employee that works on postgres noticed a slightly (in terms of wall clock) slower than normal auth in his sshd and decided to perf it rather than shrug, and here we are

Peter Huene (Apr 01 2024 at 17:15):

and luckily done before it hit stable channels in distros

Peter Huene (Apr 01 2024 at 17:17):

seemingly years of work by this attacker undone by a dev that said "huh, no symbol for this function in the hot path; i should look into that"

Peter Huene (Apr 01 2024 at 17:22):

makes one wonder just how frequently we haven't been so lucky

Peter Huene (Apr 01 2024 at 17:32):

also, the attacker was quite sophisticated; i saw one of his commits that was related to "fixing" a check for sandboxing support in xz, which, from the commit message and the changes themselves, seemed entirely plausible, but the test program contained a period in a very hard to spot location which would have caused a failure to compile, disabling the use of the API

Frank Rehwinkel (Apr 01 2024 at 17:32):

The best summary I have found is in this blog that will perhaps be kept updated for a while:

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

And the original xz's author's status page, where he says he'll provide updates in the next week:

https://tukaani.org/xz-backdoor/

Yes, the IT community around the world is lucky that a Microsoft employee and frequent PostgreSQL contributor wondered why his ssh was taking a half second to authenticate, and that he knew how to dig in to figure it out.

And it will make one wonder any time a new account is created that immediately starts complaining about things.

Thomas Trenner (Apr 03 2024 at 08:15):

Peter Huene wrote:

it's really a fascinating journey; a microsoft employee that works on postgres noticed a slightly (in terms of wall clock) slower than normal auth in his sshd and decided to perf it rather than shrug, and here we are

It is also an example that it might be good to have micro benchmarks.


Last updated: Nov 22 2024 at 16:03 UTC