The XZ backdoor
Without a doubt, the case of the backdoor detected in the XZ utility will go down in the history of Linux, and not for nothing: the work done by "Jia Tan" is one of the best examples of applied social engineering, notable above all for the amount of time invested, since we are not talking about weeks or months but at least two years.
The case has attracted wide attention and reverse-engineering analysis has begun; its preliminary results reveal a backdoor embedded in liblzma as part of a campaign to infiltrate the XZ package. The backdoor is specifically designed to affect x86_64 systems running the Linux kernel and the glibc C library on which a distribution patch links sshd against libsystemd (which in turn loads liblzma).
The researchers note that it was initially believed the backdoor could bypass sshd authentication to gain access to the system over SSH, but further analysis revealed that it allows arbitrary code execution on the system without leaving traces in the sshd logs.
The backdoor intercepts the RSA_public_decrypt function to verify the remote host's signature against a fixed Ed448 key. If verification succeeds, the command transmitted by the remote host is executed via system() before sshd drops privileges. The payload to be executed is extracted from the "N" parameter (the RSA modulus) passed to RSA_public_decrypt, then verified and decrypted with a predefined ChaCha20 key.
Activation goes through sshd's standard host key exchange mechanism: the backdoor responds only to a key prepared by the attacker that corresponds to the predefined fixed Ed448 key. If the public key signature verification fails, or the integrity of the execution data cannot be confirmed, the backdoor hands control back to the standard SSH functions.
The attacker's private key remains unknown, which makes it impossible to write verification code that activates the backdoor from outside, or to build a scanner that detects compromised hosts on the network that way. However, the researchers have written a script showing how a public key can be substituted into an OpenSSH certificate sent by an SSH client, which is then processed by the RSA_public_decrypt function intercepted by the backdoor.
In addition, researchers discovered a mechanism to neutralize the backdoor (a kill switch) on the local system by setting an environment variable before starting sshd. There has also been a detailed analysis of the obfuscated build-time shell scripts used to extract the backdoored object file and substitute it into the liblzma library.
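As an added example (not from the article or from xzbot), the following script gives a defender a quick way to check for the dependency chain described above, sshd linked to libsystemd which in turn loads liblzma. It assumes a dynamically linked distro build of sshd, and accepts either `ldd` output or the `/proc/<pid>/maps` of a running sshd on standard input.

```shell
#!/bin/sh
# Added example, not code from the article or from xzbot: classify whether an
# sshd pulls in liblzma via libsystemd, the chain the backdoor depended on.

# classify_deps: reads library lines on stdin (ldd output or /proc/<pid>/maps)
# and prints one word:
#   exposed - both libsystemd and liblzma are present
#   partial - only one of the two is present
#   clean   - neither is present (also printed for a static binary, since
#             there are no library lines to inspect)
classify_deps() {
    has_systemd=0
    has_lzma=0
    while IFS= read -r line; do
        case "$line" in
            *libsystemd.so*) has_systemd=1 ;;
            *liblzma.so*)    has_lzma=1 ;;
        esac
    done
    if [ "$has_systemd" -eq 1 ] && [ "$has_lzma" -eq 1 ]; then
        echo exposed
    elif [ "$has_systemd" -eq 1 ] || [ "$has_lzma" -eq 1 ]; then
        echo partial
    else
        echo clean
    fi
}

# check_installed_sshd: run the classification against the local sshd, if any.
check_installed_sshd() {
    sshd_path=$(command -v sshd 2>/dev/null) || { echo "sshd not found"; return 0; }
    ldd "$sshd_path" 2>/dev/null | classify_deps
}

# Constructed sample ldd output (fake addresses), modelled on a distro sshd
# patched to link libsystemd: this is what the exposed case looks like.
SAMPLE_EXPOSED='	linux-vdso.so.1 (0x00007fff00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Constructed sample for an sshd built without the libsystemd patch.
SAMPLE_CLEAN='	linux-vdso.so.1 (0x00007fff00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

printf 'sample exposed sshd: %s\n' "$(printf '%s\n' "$SAMPLE_EXPOSED" | classify_deps)"
printf 'sample clean sshd:   %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | classify_deps)"
```

Run `check_installed_sshd` on a host to classify the real binary; a result of "exposed" only means the chain is present, not that the installed liblzma is the backdoored build.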
During compilation of the XZ package, code run from the «build-to-host.m4» script manipulated a test file, changing certain characters so that it became a valid archive, from which a shell script was extracted. That script in turn gradually extracted another shell script from the file's contents, skipping certain byte sequences and replacing characters as it went.
As a result of this process, a rather complex and extensive shell script was produced that extracted the file containing the backdoor directly from good-large_compressed.lzma, decrypted it, and inserted it into liblzma. This script also implemented a plugin mechanism that allowed additional executable components to be delivered later by adding new test files, located by a signature lookup, without altering good-large_compressed.lzma or bad-3-corrupt_lzma2.xz. The code also incorporated an RC4-based decryptor implemented in AWK.
It is also worth mentioning that, following the incident, a set of tools called xzbot has been developed, including:
- A honeypot that creates fake servers pretending to be vulnerable, to detect attackers' connection attempts.
- A patch to replace the public key in the backdoor inside liblzma.so with your own (so you can connect to the backdoor using the corresponding private key).
- A demo that initiates code execution on a backdoor modified this way, using the corresponding private key.
If you are interested in learning more, you can check the details at the following link.