My mastodon feed is full of IT security specialist talking about the xz affair where someone let a backdoor in some library.

But beside showing the two side of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific application ? Would my home-grade router protects me ?

  • Jimmycrackcrack@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    I’m still confused exactly what the circumstances would be where this worked as the attacker intended. Would simply having the infected liblzma version on the system create the vulnerability or does something have to happen to invoke it and then what? What’s he chain of events that would have happened had this worked perfectly and gone undetected? I tried to read some of the more detailed analysis but the stuff went way over my head.

    Also, what about Mac OS? Can the package create any vulnerability there if installed via homebrew as it’s reported to have done in some cases? Or is that environment also not right for it to work?

    • neatchee@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      9 months ago

      Here’s how it was intended to work:

      • debian, fedora, or another RPM-based distribution updates references to liblzma to 5.6.x in their latest release
      • the package repository is updated (usually through automation) by getting the infected tarball and compiling it into an RPM or DEB which is added to the repo
      • if the package is built using glibc and the gnu linker, and for a system that uses systemd, the exploit is enabled during compilation of the x86-64 version of the package; otherwise the result is normal
      • when an application is installed that depends on liblzma, possibly during OS installation itself, the infected RPM/DEB package from the package repository is downloaded and installed (assuming the system matches the requirements above)
      • in this particular case, OpenSSH was the primary target; if the attacker wanted to, it could have targeted any web-facing service that uses liblzma such as OpenSSL + Apache/nginx, etc
      • when the OpenSSH server is started on an infected system, it loads the infected liblzma binary
      • the attacker starts an SSH connection to the infected server, having already known about the server or by scanning the internet for visible ssh servers
      • during creation of the SSH connection, the user has the option of trying to sign in using an RSA key. The attacker uses a specially formed RSA key only available to the attacker that also contains a chunk of code (the “payload”) that they want executed on the server
      • liblzma is utilized to compress data in transit; when the infected liblzma decompresses the RSA key on the server, the exploit recognizes the attacker’s special RSA key and executes the payload on the host system. Otherwise, the ssh session continues as normal

      This would not impact MacOS because you couldnt install the infected package, since it is only ever built for debian or RPM-based systems running systemd, using glibc and the gnu linker, and for x86-64. Unless I’m misunderstanding something, there is no way to get the compiled binaries that are infected to work on a MacOS system

      Additionally, I should note that I’m not exactly an expert on this stuff; I’m just in the security space and have been reading about this as it happens, so it’s possible there are errors in my understanding. But that should at least give you the gist of the attack

      • NeatNit@discuss.tchncs.de
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Thank you! I believe this is what the OP was asking, and it’s definitely what I wanted to know :)

        Do we know what the payload is?

        • neatchee@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          9 months ago

          Arbitrary. It could be whatever they wanted at any time. This was a full on remote code execution (RCE) exploit. And baking it into an RSA key is pretty novel

          And you’re welcome :)