User Controls

Navigation

Niggas in Space > Technophiliacs & Technophiles > Linux upstream dependency malware

Linux upstream dependency malware

  1. 2024-04-03 at 7:52 PM UTC
    #1
    Donald Trump Black Hole
    Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux
    distributions, and where they have, mostly in pre-release versions.


    == Observing Impact on openssh server ==

    With the backdoored liblzma installed, logins via ssh become a lot slower.

    time ssh nonexistant@…alhost

    before:
    nonexistant@…alhost: Permission denied (publickey).

    before:
    real 0m0.299s
    user 0m0.202s
    sys 0m0.006s

    after:
    nonexistant@…alhost: Permission denied (publickey).

    real 0m0.807s
    user 0m0.202s
    sys 0m0.006s


    openssh does not directly use liblzma. However debian and several other
    distributions patch openssh to support systemd notification, and libsystemd
    does depend on lzma.


    Initially starting sshd outside of systemd did not show the slowdown, despite
    the backdoor briefly getting invoked. This appears to be part of some
    countermeasures to make analysis harder.
    https://www.openwall.com/lists/oss-security/2024/03/29/4

    Thank you. None of these patches are urgent. I'm on a holiday and only
    happened to look at my emails and it seems to be a major mess.

    My proper investigation efforts likely start in the first days of
    April. That is, I currently know only a few facts which alone are bad
    enough.

    Info will be updated here: https://tukaani.org/xz-backdoor/
    https://lkml.org/lkml/2024/3/30/188
    The maintainer of the repo, Lasse Collin, sweede, is on holidays.

    Not much seems to be known about the person who committed the malicious code, Jia Tan.


    It may be a cute asian girl. All the images when you search for Jia Tan are cute asian girls.

    Girls commit to open source ... r-right?
  2. 2024-04-03 at 11:48 PM UTC
    #2
    ner vegas African Astronaut
    lol yeah, people who commit malware always do it using their own name and account

    interesting they added a patch to the makefiles rather than straight up updating the code, seems way more suspicious and like they observed memory locations are going to be different depending on environment, platform etc
  3. 2024-04-07 at 5:42 PM UTC
    #3
    Mighest Houston
    I like Asian girls.

    That's all I have for now.
  4. 2024-04-07 at 5:50 PM UTC
    #4
    Mighest Houston
    Reading up on this, I realize this was actually a very big close call.

    This may have even been a government entity.
Jump to Top