Unveiling the xz Utils Backdoor which deliberately opens our SSH connections for RCEs

  • Added 9 Sep 2024
  • In the latest liblzma update, a trusted bad actor called 'JiaT75' implemented a backdoor which allows RCE (sending calls to system()) on ssh connections. Here I'm looking into the case and explaining how it works.
    Links:
    - AndresFreundTec on Mastodon: mastodon.socia...
    - openwall email: www.openwall.c...
    - debian repo: salsa.debian.o...
    - Filippo Valsorda on bsky: bsky.app/profi...

Comments • 98

  • @isbestlizard
    @isbestlizard 5 months ago +53

    God bless we have open source developers CURIOUS enough to pull the thread of a 0.5 second ssh slowdown until it unravels, not merely to shrug and think 'huh computer must be acting a little slow today whatever'

    • @dominikvonlavante6113
      @dominikvonlavante6113 2 months ago

      A 0.5s slowdown is actually tremendous. But nobody pays attention to that detail.

  • @bradleypout1820
    @bradleypout1820 5 months ago +11

    WOW amazing how you explained it, step by step BUT explained the little things the average person wouldn't know. THANKS!

  • @AllanSitte
    @AllanSitte 5 months ago +6

    This should be a gut check to the open source community.
    Everyone should take time to review all components of their respective projects. Yes... everyone.
    Considering the complexity of this compromise (including the time spent to social engineer the project team), it's plausible that this kind of attack may have been successful in other projects.

  • @xamashee
    @xamashee 5 months ago +4

    Best explainer so far 🎉 good on you

  • @panagiotischagias4119
    @panagiotischagias4119 5 months ago +6

    Thanks for the explanation.

  • @iilliya8
    @iilliya8 5 months ago +30

    For someone to go to this length to put in a backdoor, I don't think it would be a person or even a small group of people; this was definitely from a larger entity 😑

    • @geekingjadi
      @geekingjadi 5 months ago +18

      My blind guess is also a nation state level attack

    • @iilliya8
      @iilliya8 5 months ago +2

      @@geekingjadi yeah I guess that's so 🤔
      I'm thinking, maybe there are other backdoors like this which still haven't been found! What's your opinion?

    • @tonyzone8999
      @tonyzone8999 5 months ago

      Ya our government. I’ve seen this attack done and I’ve also analyzed the code. It’s a government back door 100%

    • @Batwam0
      @Batwam0 5 months ago +5

      @@iilliya8 ssh is obviously a primary target to allow access, but I hope that they will look around in case similar attacks have been included anywhere else

    • @IMBlakeley
      @IMBlakeley 5 months ago +2

      Makes you wonder how many others there may be

  • @morningstar2219
    @morningstar2219 5 months ago +2

    Thanks to YT Recommendation for showing this channel !

  • @thanostzia
    @thanostzia 4 months ago

    Very nice video! Good explanation, was able to follow along even if I didn't have knowledge on some of the things that were mentioned

    • @geekingjadi
      @geekingjadi 4 months ago +1

      Glad it was helpful! And if you knew everything in the video, it was a waste of time to watch :) and if you grasped 100% of it in one go, you were not learning much. The best learning is when you learn some new things and have a glance at some other stuff which you may learn about in the future.

  • @pedramardakani
    @pedramardakani 5 months ago +5

    Tests and benchmarks save the day 😄 This could add to the good reputation of tests and benchmarks :)) Great stuff Jadi. The content is great 👍

    • @geekingjadi
      @geekingjadi 5 months ago

      Very true!

    • @AlexanderTrefz
      @AlexanderTrefz 5 months ago

      The exploit literally was hidden in the tests, this does not add to the reputation of tests.

    • @pedramardakani
      @pedramardakani 5 months ago +2

      @@AlexanderTrefz How come? It's not about the test files, environment, or functions, it's about the act of "testing" itself.

  • @surfingbilly9654
    @surfingbilly9654 5 months ago +1

    best explanation by far regarding this issue so far, keep it up!

  • @obtron
    @obtron 5 months ago +2

    Wow, superb explanation. Subscribed!

  • @danyalt8221
    @danyalt8221 5 months ago +1

    Interesting and cool content, Thanks Jadi!👍

  • @k1tajfar714
    @k1tajfar714 5 months ago +1

    LOVED THIS!!! Super interesting. More and more videos like this please! Checking on the CVEs and stuff like that! To me it sounds more like I'm in a hackerish movie having the same journey with you. Pretty informative and entertaining video. Thanks.

  • @Griimnak
    @Griimnak 5 months ago +1

    Great explanation Jadi

  • @StuXan0
    @StuXan0 5 months ago +7

    so basically he was using the infected xz library which was injected to ssh initialization method to literally login into every single server which is using key-based authentication on their ssh? tbh he was about to land a very historical attack, but fortunately he was unlucky enough to get caught fast

    • @geekingjadi
      @geekingjadi 5 months ago +3

      This was a remote code execution attack. And yes.. it would be a historical access to all servers if it found its way to major distros unnoticed

  • @atajahangiri5861
    @atajahangiri5861 5 months ago +1

    VERY very GOOD video

  • @AndreaBorman
    @AndreaBorman 5 months ago +2

    Yes I have heard about this. I am a Linux user who changed to Linux two years ago after Microsoft stopped support for Windows 8. On Windows we would just install an antivirus program and scan our computer with that. We also had Windows Firewall. Maybe we will have to start using antivirus on Linux. There are antivirus programs for Linux as well as firewalls. I am a bit surprised that no one has suggested this.

    • @geekingjadi
      @geekingjadi 5 months ago +2

      In most cases antiviruses are used on Linux to detect Windows-based viruses on shared files, emails, ... . On Linux we trust our distro and the fact that a virus cannot just spread to servers as it does in the Windows world. Firewalls are also there, deep in the OS (iptables).

    • @Entropy67
      @Entropy67 5 months ago +6

      lol on Windows your antivirus is the virus, and the backdoors are built into Windows by some upset employee. Since no one can look at closed source code, the back doors go eternally undiscovered. Antivirus can't stop what it doesn't know, and it can't analyze that which has greater authority (the OS itself). The reason why you are hearing about this is because this is open source. You would not hear about it if it was closed source, you would just quietly get violated. After all, who would look into a half second delay on Windows?

    • @CrazyUncleJack
      @CrazyUncleJack 5 months ago +1

      The Linux version of “antivirus” is that it’s open source and the holes get patched quickly, thus utterly negating the virus. It’s a completely different paradigm.

  • @forivall
    @forivall 5 months ago +3

    My guess with lang is that gettext lookups help obscure or enable the backdoor's behaviour. I don't know gettext, but I imagine it does some addressing magic to make translation lookups fast.

    • @forivall
      @forivall 5 months ago +2

      Also, from what I read, xz is loaded because systemd uses it

    • @geekingjadi
      @geekingjadi 5 months ago

      Right right.. thanks for adding this. Forgot to mention it. Will thumbs up so people will see it

  • @sepidehsoroush
    @sepidehsoroush 5 months ago

    Very well explained👏🏻

  • @agnescode
    @agnescode 5 months ago

    The video was exciting and interesting 👌🏼

  • @user-xd8mg4nq1s
    @user-xd8mg4nq1s 5 months ago +1

    🔥

  • @LiEnby
    @LiEnby 5 months ago +1

    I don't understand how they made the tarball different to the upstream repo... it's not like he had access to GitHub itself.
    It looks like an autoconf rule to make it not include the backdoor rather than the tarballs actually differing?

    • @geekingjadi
      @geekingjadi 5 months ago +2

      I have not checked this personally because the xz repo is not public / accessible anymore, but consider these points: 1. GitHub tarballs can be uploaded separately, so you can have code in your tarball which is not in your git. 2. The malicious code was in a "test" file and was summoned using an m4 file.

  • @user-pt6zw3hh4d
    @user-pt6zw3hh4d 5 months ago

    great as always

  • @tigros999
    @tigros999 2 months ago

    but now some bad actors just learned some really neat tricks heh

  • @md.hasanurrohmankhan5173
    @md.hasanurrohmankhan5173 5 months ago

    Thank you 😊

  • @IMBlakeley
    @IMBlakeley 5 months ago +2

    The irony that the fellah that found this works for MS isn't lost on me.

  • @mechassistant
    @mechassistant 5 months ago

    Thanks 😁

  • @Entropy67
    @Entropy67 5 months ago +1

    this should serve as a PSA, no binaries should ever be committed to open source, never in the codebase itself.

  • @alimahdavi9775
    @alimahdavi9775 5 months ago

    nice

  • @vahidmostofi6940
    @vahidmostofi6940 5 months ago

    Thank you for explaining this. This was super exciting.
    Unrelated, but can you mention what pen tool you are using? Hardware/Software

    • @geekingjadi
      @geekingjadi 5 months ago

      Sure thing! It's a super old Bamboo from Wacom. So old that the driver won't work on Mac anymore and needs patching. The software under Mac is Screenbrush and under Linux I use gromit-mpx

  • @bowserlv100
    @bowserlv100 5 months ago

    What I find most ABSURD about this is that practically NOBODY anywhere pays due attention to HOW it was possible to see something like a failure where EVERYONE was blindly ignoring: TIME.
    The guy who discovered this flaw said: "I noticed an unusual delay in access... I ran a checking program and saw that there was an increase of 300 ms."
    NOBODY talks about it, no one cares, and right now what must be backdoors are being hastily explored before they are blocked.
    FOR LOVE.

  • @miladganji1921
    @miladganji1921 5 months ago

    Your English is so cute, Jadi 😍

  • @isbestlizard
    @isbestlizard 5 months ago

    Is it possible to automatically diff every source tarball and the github contents and look for what could be extra lines in any of the other tens of thousands of packages being built?

    • @geekingjadi
      @geekingjadi 5 months ago

      Yes, but it will be 1000s of lines of code. In this case, the distros are trusting the "trusted" packages... In some countries the state does have a "recommended" distro which is checked by auditors. But they should be using older versions of everything.
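    As an added example that is not code from the video, from this thread or from the xz project, the POSIX shell script below does the comparison @isbestlizard asks about for a single package (and illustrates the point made earlier in the @LiEnby / @geekingjadi exchange that a release tarball can carry files its git tree never had): it extracts a release tarball, reports every file that exists only in the tarball, and reports every file present in both trees whose bytes differ from the git checkout. The git tree, the tarball and the file names in it (configure.ac, m4/common.m4, m4/extra-rule.m4) are constructed sample data; to run it over a real package you would point it at a downloaded tarball and a checkout of the matching release tag.

```shell
#!/bin/sh
# Added example, not code from the video or from the xz project: compare a
# release tarball with a git checkout of the same version and list files that
# only exist in the tarball, plus files whose content differs.
# All inputs below are constructed sample data so the script runs offline.
set -eu

# compare_tarball_to_git TARBALL GITDIR
# Prints one line per discrepancy:
#   "only in tarball: <path>"  - file shipped in the release but absent from git
#   "differs: <path>"          - file present in both trees with different bytes
# Returns 0 when the trees match, 1 when anything was reported.
# Paths are assumed to contain no whitespace (word splitting on the lists).
compare_tarball_to_git() {
    tarball=$1
    gitdir=$2
    work=$(mktemp -d)
    mkdir "$work/tar"
    tar -xzf "$tarball" -C "$work/tar"

    # Sorted relative file lists so comm(1) can compare them; .git is ignored
    # on both sides so a tarball made from a checkout compares clean.
    (cd "$work/tar" && find . -type f -not -path './.git/*' | sort) > "$work/tar.lst"
    (cd "$gitdir" && find . -type f -not -path './.git/*' | sort) > "$work/git.lst"

    found=0
    # Files present only in the tarball: this is where a build input that the
    # release carries but the repository never had would show up.
    for f in $(comm -23 "$work/tar.lst" "$work/git.lst"); do
        echo "only in tarball: $f"
        found=1
    done
    # Files in both trees: flag any whose content differs.
    for f in $(comm -12 "$work/tar.lst" "$work/git.lst"); do
        if ! cmp -s "$work/tar/$f" "$gitdir/$f"; then
            echo "differs: $f"
            found=1
        fi
    done
    rm -rf "$work"
    return $found
}

# make_fixtures: build a fake git checkout and a fake release tarball
# (constructed sample data, not the real xz repository or release) and print
# the directory that holds them.
make_fixtures() {
    fx=$(mktemp -d)
    mkdir -p "$fx/git/m4" "$fx/git/.git" "$fx/release/m4"
    echo "ref: refs/heads/master" > "$fx/git/.git/HEAD"
    printf 'AC_INIT([demo], [1.0])\n' > "$fx/git/configure.ac"
    printf 'demo project\n' > "$fx/git/README"
    printf 'dnl shared macro\n' > "$fx/git/m4/common.m4"

    # The release matches git for README and m4/common.m4 ...
    cp "$fx/git/README" "$fx/release/README"
    cp "$fx/git/m4/common.m4" "$fx/release/m4/common.m4"
    # ... but its configure.ac gained a line the repository never had ...
    printf 'AC_INIT([demo], [1.0])\nm4_include([m4/extra-rule.m4])\n' \
        > "$fx/release/configure.ac"
    # ... and it ships a macro file (hypothetical name) that is not in git at all.
    printf 'dnl only shipped in the tarball\n' > "$fx/release/m4/extra-rule.m4"
    tar -czf "$fx/release.tar.gz" -C "$fx/release" .
    echo "$fx"
}

# Usage: run the comparison over the constructed fixtures and print the report.
fixtures=$(make_fixtures)
compare_tarball_to_git "$fixtures/release.tar.gz" "$fixtures/git" \
    || echo "discrepancies found: review before building from this tarball"
rm -rf "$fixtures"
```

    The check is deliberately dumb: it compares bytes, not semantics, so any difference at all between the release and the tag is surfaced for a human to read. In a real pipeline the "only in tarball" list needs an allow-list for legitimately generated files (a pre-built configure script, for instance), and everything left over after that allow-list is what deserves review.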

  • @Noname23489
    @Noname23489 5 months ago

    Just curious.... why would large organizations be using operating systems that get updates from open source git repositories? Maybe I'm understanding this attack wrong, just curious if you don't mind educating me

    • @geekingjadi
      @geekingjadi 5 months ago

      What's the other choice? Otherwise they have to use an operating system which they do not know anything about, its source code / programmers / ... . If someone is doing something super critical, they have to have their own GNU/Linux distro and audit all the code they use. This means 1. a super minimal distro and 2. using the older software and 3. lots of expenses.

  • @isbestlizard
    @isbestlizard 5 months ago

    Is it possible to use AI to fingerprint the malicious script? Like, look at the way they use line breaks, spacing, indentation, quirks and idiosyncrasies, to extract a fingerprint and use that to link to other scripts that use the same 'hand'?

    • @johncarlson2632
      @johncarlson2632 5 months ago

      Currently AI can't reliably detect even basic patterns sometimes. It's also very prone to giving false positives. Catching stuff like that is very high-level digital forensics. Maybe a specific AI developed to recognize those patterns and trained to recognize those patterns could in a few years. But it would only be used as a compass and not a metal detector

    • @geekingjadi
      @geekingjadi 5 months ago

      AI works based on seen patterns / lots of samples. Your idea already works on things like "recognizing the vandalism on Wikipedia" but we do not have enough / a lot of samples in programming yet... so as @johncarlson2632 said, it is possible to train an AI, but there will be lots of false positives. And.... in this case, the person with high privileges has done this... he would disable / bypass the AI too.

  • @NoONE-bk7ud
    @NoONE-bk7ud 5 months ago

    you are just better

  • @r.e.434
    @r.e.434 5 months ago

    what are you using for the writing?

    • @geekingjadi
      @geekingjadi 5 months ago

      on the screen you mean? screenbrush under Mac & gromit-mpx under Linux

  • @samas69420
    @samas69420 5 months ago

    how do you draw on screen to take notes?

    • @geekingjadi
      @geekingjadi 5 months ago +1

      Screenbrush on Mac, gromit mpx on Linux

  • @lv3609
    @lv3609 5 months ago +1

    It escaped detection for almost 2 years, until some unique developer looked into the strange execution delay in milliseconds (most people wouldn't care much).
    Meaning, this could have been going on for much longer (if it was not for that odd developer); the bleeding heart hack is just another example. That is, millions of lines of code; throwing thousands or millions of people at looking at those millions of lines of code doesn't mean every bug or every hack will be detected.

  • @a46475
    @a46475 5 months ago

    I heard from a certain internet personality that there is/was supposedly an unprecedented worldwide cyber attack on the financial system this year, and this would serve as the pretext to roll out a very different regime, for example requiring ID to go online, among other things. I wonder....

    • @glarynth
      @glarynth 4 months ago

      The great thing about vague prophecy is that it can claim credit for predicting whatever random thing happens next.

    • @a46475
      @a46475 4 months ago

      @@glarynth Unprecedented cyber attack on the global financial system some time in 2024 that ushers in identification requirements online among other things. Yeah I can see how that's vague and imprecise. That could mean anything. What degree of power would this entity have had, had this hack been successful? I doubt very much.

  • @tajsec498
    @tajsec498 5 months ago

    I thought this was one of those new YouTube features that made Jadi speak English, then I saw that no, he really is speaking English :)) It seems a bit strange. Great video, thanks.

  • @GyroO7
    @GyroO7 5 months ago

    so even code bros are not safe on the internet

  • @AndreyDerkach8
    @AndreyDerkach8 5 months ago

    it's a huge lol

  • @prajnaparamitahrdaya
    @prajnaparamitahrdaya 5 months ago

    Anonymous

  • @hqcart1
    @hqcart1 5 months ago

    The fact that repos are moderated by individuals makes the whole ecosystem unreliable.

    • @geekingjadi
      @geekingjadi 5 months ago

      Right. Another critical, single point of failure attack vector

    • @Noname23489
      @Noname23489 5 months ago

      Just curious.... why would large organizations be using operating systems that get updates from open source git repositories? Maybe I'm understanding this attack wrong, just curious if you don't mind educating me

    • @hqcart1
      @hqcart1 5 months ago

      @@Noname23489 This is how life was going before, but I don't think it will be anymore; just like before and after 9/11, going through security checks has changed forever.

  • @stefsot2
    @stefsot2 5 months ago +1

    stop repeating the same stuff 3-4 times with different words, it gets tiring