
A backdoor affects Linux
Recently the news broke that a backdoor has been identified in the XZ Utils package that allows attackers to intercept and modify data processed by applications that use the liblzma library. The main vulnerability (already cataloged as CVE-2024-3094) lies in the OpenSSH server, which in some distributions uses the libsystemd library, which in turn depends on liblzma. Because sshd is linked with a vulnerable version of liblzma, attackers can access the SSH server without authentication.
The backdoor in the XZ Utils project was discovered after problems such as excessive CPU consumption and errors reported by valgrind were noticed when connecting to Debian sid-based systems via SSH. These issues prompted a deeper investigation that revealed the presence of the backdoor.
The presumed author of the backdoor, Jia Tan, was an active and respected developer on the xz project, holding “co-maintainer” status for several years and contributing significantly to several releases. In addition to the xz project, he also contributed to related packages such as xz-java and xz-embedded, and was even recently included among the maintainers of the XZ Embedded project used in the Linux kernel.
The malicious change was discovered after complaints about issues with xz 5.6.0, the release that included the backdoor, such as slowdowns and sshd crashes. The next release, xz 5.6.1, included changes prepared by Jia Tan in response to these complaints, possibly as a way to cover up the presence of the backdoor.
Furthermore, it is mentioned that last year Jia Tan made changes incompatible with the “-fsanitize=address” inspection mode, which led to fuzz testing being disabled at that time. These details suggest that the introduction of the backdoor was a planned and concealed action within the project's development, one that could have compromised an unknown number of users and projects using XZ Utils.
Although this vulnerability affects x86_64 systems based on the Linux kernel and the glibc C library whose sshd is linked with libsystemd to support the sd_notify mechanism, several factors have mitigated the impact. For example, the version of liblzma with the backdoor was not included in the stable releases of the large distributions, and some distributions such as Arch Linux and Gentoo shipped a vulnerable version of xz but are not susceptible to the attack because of their configuration.
It is mentioned that the backdoor's activation was hidden in m4 macros in the build-to-host.m4 file used during compilation, which allowed malicious code to be inserted into the liblzma library. This malicious code modified the operating logic of some functions in the library, facilitating unauthorized access to the SSH server on affected systems.
Implementing the backdoor in the XZ Utils package involved several steps and techniques to hide its presence and activation. m4 macros in the build-to-host.m4 file were used during compilation to introduce the malicious code into the liblzma library. These macros were present in the release tarballs but not in the Git repository, and the file was added to .gitignore. Additionally, malicious test files were included in the repository, suggesting privileged access to the release generation process.
The backdoor was activated when the running program was /usr/sbin/sshd and remained hidden in non-debugged, production environments, avoiding detection in ordinary terminal sessions. The RSA_public_decrypt function was hooked to bypass the sshd authentication process, allowing attackers to gain unauthorized access to the SSH server.
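The two facts that matter for triage in the paragraphs above are the upstream version numbers that carried the backdoor (5.6.0 and 5.6.1) and the precondition that sshd loads liblzma through libsystemd. The following script is an added example, not code from the article or from the XZ Utils or OpenSSH projects; the function names are my own, and the sample `xz --version` and `ldd` lines it is tested against are constructed. It checks only the two upstream version strings the article names and whether the sshd binary on the host lists liblzma among its loaded libraries.

```shell
#!/bin/sh
# Added example (not from the article): defender-side triage for CVE-2024-3094.
# The three helpers take text as input so they can be checked offline; the
# triage function at the bottom feeds them output from the live system.

# Return 0 (true) if the version string is one of the two upstream releases
# the article names as carrying the backdoor (5.6.0 and 5.6.1).
xz_version_vulnerable() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the supplied `ldd` output shows sshd loading liblzma, which is
# the precondition described in the article (sshd -> libsystemd -> liblzma).
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Run both checks against the host this script is executed on.
triage_live_system() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_vulnerable "$ver"; then
            echo "xz $ver: matches a backdoored upstream release (5.6.0/5.6.1)"
        else
            echo "xz $ver: not one of the backdoored upstream releases"
        fi
    else
        echo "xz not installed"
    fi

    sshd=""
    for p in /usr/sbin/sshd /usr/bin/sshd; do
        [ -x "$p" ] && sshd="$p" && break
    done
    if [ -n "$sshd" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
            echo "$sshd loads liblzma: the precondition the backdoor relies on is present"
        else
            echo "$sshd does not load liblzma"
        fi
    else
        echo "sshd or ldd not found; skipping link check"
    fi
}

triage_live_system
```

A version match is a reason to consult your distribution's advisory, not a verdict on its own: a distribution package can keep the upstream version number 5.6.1 while shipping a rebuilt or downgraded liblzma, and a host whose sshd does not load liblzma at all is outside the code path the article describes regardless of the xz version installed.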
To further conceal the backdoor, anti-detection mechanisms were included and the code checked whether it was running in a debugging environment. All of this demonstrates an advanced level of planning and technical knowledge on the part of those responsible, aimed at evading detection and carrying out successful attacks on affected systems.
If you are interested in learning more, you can consult the details at the following link.