Date: Sun, 31 Mar 2024 22:25:02 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

On Mon, Apr 01, 2024 at 03:13:39AM +0900, Dominique Martinet wrote:
> Michael.Karcher wrote on Sun, Mar 31, 2024 at 07:13:35PM +0200:
> > You can find this script (and possibly other stuff I found interesting later)
> > at https://github.com/karcherm/xz-malware .
> 
> This list requires that the content is made available in messages
> themselves and not just links, so I've copied the README below

Thank you both.

>  b00: 'yolAbejyiejuvnup=Evjtgvsh5okmkAvj\x00'

For those wondering about this cryptic string, it was previously
determined to be the backdoor's "kill switch".  If put in the
environment before sshd startup, the backdoor becomes inactive:

https://piaille.fr/@zeno/112185928685603910

There's further analysis of the binary payload here:

https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504

I've attached the gist .md file above (as of "Revisions 52") to this
message, but it's ongoing analysis as seen in the comments.

Alexander

View attachment "backdoor_analysis.md" of type "text/plain" (13067 bytes)
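A way to confirm that the kill switch actually reached a running sshd's environment, as an added example that is not part of this thread or of the linked analyses. It assumes the quoted string is a NUL-terminated NAME=VALUE environ entry (the format of /proc/<pid>/environ) and that the environ file of the sshd process is readable (root for another user's process).

```python
"""Check whether a process (e.g. sshd) carries the xz backdoor kill-switch
entry in its environment. Added illustration, not code from the thread;
assumes the quoted string is a NUL-terminated NAME=VALUE environ entry."""
import sys

# Kill-switch entry exactly as quoted in the thread (trailing NUL as in environ blobs).
KILL_SWITCH_ENTRY = b"yolAbejyiejuvnup=Evjtgvsh5okmkAvj\x00"


def parse_environ_blob(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ-style blob (NUL-separated NAME=VALUE entries)
    into a dict of bytes. Entries without '=' are kept with an empty value."""
    env = {}
    for entry in blob.split(b"\x00"):
        if not entry:
            continue  # empty trailing entry or stray NUL
        name, sep, value = entry.partition(b"=")
        env[name] = value if sep else b""
    return env


def kill_switch_name_value() -> tuple:
    """Split the quoted kill-switch entry into (name, value)."""
    env = parse_environ_blob(KILL_SWITCH_ENTRY)
    (name, value), = env.items()
    return name, value


def has_kill_switch(blob: bytes) -> bool:
    """True if the environ blob holds the kill-switch name with the exact value;
    the same name with a different value does not count."""
    name, value = kill_switch_name_value()
    return parse_environ_blob(blob).get(name) == value


def process_has_kill_switch(pid: int) -> bool:
    """Read /proc/<pid>/environ of a live process and check it."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return has_kill_switch(f.read())


if __name__ == "__main__":
    # Usage: python check_kill_switch.py <sshd-pid>
    pid = int(sys.argv[1])
    print("kill switch present" if process_has_kill_switch(pid) else "kill switch absent")
```

Run it against the PID of the listening sshd after restarting the service, not against a shell where the variable was merely exported, since sshd only sees what its parent handed it at startup.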
