Xz sshd backdoor collecting usernames from logs

143 points by babuskov 1 year ago | 10 comments
  • unethical_ban 1 year ago
    Unrelated to the quality of the content:

    This is not a new vuln. Nothing is actively occurring.

    • 1 year ago
      • AshamedCaptain 1 year ago
        > The author(s) of the backdoor went a long way to make the backdoor look as innocent as possible.

        No, not really. The technical part of this backdoor is not interesting at all. Obfuscating strings? Give me a break. That's something your average commercial developer does. It wouldn't even qualify as DRM. Wake me up when the software is self-modifying and/or written in a way that makes IDA crash (seen it a lot, and I am not a security engineer).

        "Innocent as possible" would be the something like that Debian weak keys fiasco, or the misleading indentation patch, etc. Those offer much more plausible deniability than this. "Innocent as possible" and interesting technical-wise would be something like the NIST curves. Decades from now people will still be arguing if they are backdoored or not.

        The interest in this exploit is on the community/supply side of things, but hardly the technical aspects.

        • paran0ia 1 year ago
          Isn’t it self-modifying in a way? To my understanding code is injected by unpacking the binary test files and injecting right before build?
          • mrob 1 year ago
            "Self-modifying" means modifying code at runtime.
          • tiagod 1 year ago
            From the article: "There is more another function that dynamically modifies code, but that is horrible for reversing – perhaps later ?"
          • squigz 1 year ago
            Title is "The amazingly scary xz sshd backdoor" which is... dramatic
            • yjftsjthsd-h 1 year ago
              Is it? I would describe any backdoor in sshd as amazingly scary.
              • squigz 1 year ago
                I wouldn't, as it doesn't seem to add anything to a professional discussion about it. Imagine a doctor describing some advanced cancer as "amazingly scary"
            • SubiculumCode 1 year ago
              Looks like the site is slowing down: This is the primary source: https://www.openwall.com/lists/oss-security/2024/03/29/4
              • thenewwazoo 1 year ago
                That's the original report. This article is further inspection of the payload, dating from April 1.