oss-security - Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Sat, 30 Mar 2024 10:23:49 +0100
From: Matthias Weckbecker <matthias@...kbecker.name>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh
 server compromise

On Fri, Mar 29, 2024 at 12:19:26PM -0700, Andres Freund wrote:
> Hi,
>

Hi Andres,

> On 2024-03-29 19:44:05 +0100, Matthias Weckbecker wrote:
> > I've attached a yara rule to detect the *.o droplet you attached in the
> > email (liblzma_la-crc64-fast.o.gz).
>
> Unfortunately xz 5.61 added further obfuscations, making it harder to
> detect. Should have made it clearer that the attached .o was from 5.60. Among
> others 5.61 removed the two symbols you're checking against here.  That's why
> Vegard's script looks for a specific instructions sequence, but obviously is
> also more obscure :/
>

Yes, all correct. For this you'll have to match characteristic sequences
of instructions. I've attached a yara rule for this as well.

> Regards,
>
> Andres

Thanks,
Matthias

View attachment "CVE-2024-3094-p.yara" of type "text/plain" (863 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.