revealing the features of the XZ backdoor

Low Level Learning
3 Apr 202409:29

Summary

TLDRThe video discusses the recent discovery of a backdoor in the XZ project's liblzma, which allows for remote code execution as root via an SSH certificate with a malicious payload. The community's swift response to the vulnerability is highlighted, emphasizing the importance of security in open-source software and the need for increased vigilance and auditing to prevent such incidents in the future.

Takeaways

  • 🔍 A backdoor was discovered in the open-source XZ project, specifically in liblzma.
  • 🕵️ Community researchers identified the backdoor's behavior and its potential impact.
  • 📡 The backdoor's functionality involves a covert channel triggered by a specific SSH certificate payload.
  • 🔐 The payload must be encrypted and signed with the attacker's ED448 key for the backdoor to activate.
  • 🛠️ Researchers at Google used reverse engineering to understand and expose the backdoor's mechanism.
  • 📝 The video provides a detailed breakdown of the backdoor's operation and its implications.
  • 🖥️ A sandboxed environment was used to demonstrate the backdoor without risking the researcher's network.
  • 🔄 The backdoor's command and control (C2) mechanism was hidden within an SSH certificate authority's signing key.
  • 🔑 A known public key replacement method was used to test the presence of the backdoor in vulnerable systems.
  • 🚀 The XZ bot tool was showcased to interact with the backdoor and execute commands with root privileges.
  • 🌐 The discovery has raised awareness about the vulnerabilities in open-source software and the need for increased security measures.

Q & A

  • What major event happened in the open-source community recently?

    -A backdoor was discovered in the XZ project, specifically in the liblzma component, which has caused significant concern in the security and open-source community.

  • How was the backdoor triggered?

    -The backdoor is triggered through a specific set of data in the key exchange of the SSH connection. It can be activated by connecting with an SSH certificate that contains a payload in the CA signing key, which must be encrypted and signed with the attacker's EDD 448 key.

  • What is the significance of the EDD 448 key in this context?

    -The EDD 448 key is an elliptic curve cryptography key used for signing the payload in the SSH certificate. It ensures that only the attacker who has the associated private key can create and sign the data, allowing the backdoor to verify the authenticity of the command coming from the attacker.

  • How did researchers discover and analyze the backdoor?

    -Community researchers used reverse engineering strategies, including a researcher at Google, to figure out the behavior of the backdoor, its implementation, and the attacker's intentions. They also used a sandboxed environment to protect themselves from potential additional features of the backdoor.

  • What is XZ bot and how is it used in this scenario?

    -XZ bot is a tool that interacts with the backdoor by using reverse engineering strategies. It allows researchers to test the backdoor functionality by replacing the attacker's public key with a known public key that has an associated private key, enabling the execution of commands through the backdoor.

  • How does the backdoor hide its command and control (C2) channel?

    -The backdoor hides its C2 channel within the certificate authorities' signing key value. This data is typically not inspected during a cryptographic key exchange, allowing the attacker to conceal their commands within the normal SSH exchange data.

  • What is the potential impact of this backdoor if not discovered?

    -If the attacker had not been caught, they would have had the ability to execute arbitrary commands on the server as root, since the SSH daemon runs as root. This would provide them with full control over the compromised system, leading to severe security breaches.

  • What steps can be taken to detect if a system is vulnerable to this backdoor?

    -One can use the XZ bot tool to patch an infected LZMA file and binary, replacing the attacker's public key with a known public key. If the string of the attacker's public key is found in the LZMA file or binary, the system is infected and needs to be cleaned.

  • How does the discovery of this backdoor affect the open-source community?

    -The discovery has raised awareness about the potential vulnerabilities in open-source software and has prompted the community to think about preventive measures and solutions to avoid similar incidents in the future.

  • What can individuals and organizations do to protect themselves from such vulnerabilities?

    -Individuals and organizations should ensure that their systems are up-to-date, conduct regular security audits, and be vigilant about the software and libraries they use. They should also follow best practices in security, such as least privilege principles and network segmentation.

  • What is the role of system D in this context?

    -System D is used to run SSH as a service, which is necessary for the testing of the backdoor in this scenario. SSH by default does not depend on LZMA unless it is running as a system service, which allows the testing of the backdoor in a controlled environment.

Outlines

00:00

🔍 Discovery and Analysis of a Backdoor in Open Source Security

This paragraph discusses the recent discovery of a backdoor in the XZ project, specifically within liblzma. It highlights the community's response and the efforts of researchers to understand the backdoor's behavior, appearance over the network, and the attacker's intentions. The speaker introduces themselves and their content focus, and acknowledges the contributions of others in the community who have conducted the reverse engineering. The video's aim is to break down the specifics of the backdoor and how it operates, using strategies employed by a Google researcher to interact with it through reverse engineering. The speaker also emphasizes the importance of security and the potential risks of such vulnerabilities in open source software.

05:00

🛠️ Testing and Patching the Backdoor - A Community Effort

The second paragraph delves into the practical steps taken to test and patch the discovered backdoor. It describes the process of setting up an isolated environment to prevent any potential harm from the backdoor, and the method used to trigger the backdoor through a specific set of data in the SSH key exchange. The explanation includes the technical details of how the backdoor checks for the attacker's signature, and the use of elliptic curve cryptography. The paragraph further discusses how a script called 'Python 3 patch.py' is used to replace the malicious public key with a known one for testing purposes. The speaker then explains how to set up a server to test the backdoor and the implications of the bug, emphasizing the severity of the vulnerability and its potential for arbitrary command execution as root, given the nature of SSH operations. The paragraph concludes with a call to action for the community to think about preventative measures and solutions to avoid similar issues in the future.

Mindmap

Keywords

💡Backdoor

A backdoor refers to a covert method, bypass, or secret feature that allows unauthorized access or control of a computer system or network. In the context of the video, a backdoor was secretly inserted into the XZ project's liblzma, which, when triggered, allows an attacker to execute arbitrary commands with root privileges on the affected system.

💡Open Source

Open source refers to a type of software licensing where the source code is made publicly available, allowing anyone to view, use, modify, and distribute the software. The video highlights the recent security concerns surrounding open source projects and the importance of community vigilance in maintaining security.

💡SSH (Secure Shell)

SSH is a cryptographic network protocol for operating network services securely over an unsecured network. In the video, SSH is discussed in relation to how the backdoor in liblzma can be triggered through a malicious SSH certificate, allowing an attacker to exploit the system via the SSH connection.

💡Certificate Authority (CA)

A Certificate Authority is an entity that issues digital certificates, which are used to verify the identity of individuals or organizations on the internet. In the video, the attackers used the signing key of a CA to hide their command and control payload within the certificate's value, allowing them to bypass normal security checks.

💡Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. It is used in the video to describe the type of key used by the attacker to sign their payload, which is the EDD 448 key, a specific type of elliptic curve key.

💡Reverse Engineering

Reverse engineering is the process of analyzing a product or system to understand its working principles, usually to recreate or modify its design. In the video, reverse engineering strategies were used by researchers to uncover the behavior and mechanism of the backdoor in the XZ project.

💡C2 (Command and Control)

C2, or Command and Control, refers to the infrastructure used by attackers to manage and control compromised systems. In the video, the backdoor's C2 capabilities are hidden within the certificate authority's value, allowing the attacker to issue commands to the infected system through an encrypted channel.

💡XZ Bot

XZ Bot is a tool created by researchers to interact with the backdoor in the XZ project. It uses reverse engineering strategies to demonstrate how the backdoor can be triggered and to test for vulnerabilities in systems.

💡Systemd

Systemd is an init system used in Linux distributions to bootstrap the user space and manage all processes subsequently, as well as to provide a number of functions such as parallelization of service initialization. In the video, the author mentions running SSH as a systemd service to replicate the conditions under which the backdoor would be triggered.

💡LDD (List Dynamic Dependencies)

LDD is a Unix command-line utility that prints the dynamic dependencies of shared libraries used by a program. In the video, 'ldd' is used to expose all shared objects that the SSH daemon binary depends on, which helps in identifying the specific version of liblzma that contains the backdoor.

💡Vulnerability

A vulnerability is a weakness in the computational logic of a system that allows an attacker to compromise the system's integrity, confidentiality, or availability. In the video, the vulnerability refers to the backdoor in the XZ project's liblzma, which poses a significant security risk.

Highlights

A backdoor was discovered in the XZ project, specifically in liblzma.

Community researchers identified the backdoor's behavior and purpose.

The backdoor's functionality is exposed in this video, detailing its operation and the attacker's intentions.

The video creator, lowle, focuses on programming, software, and security, providing educational content for viewers.

The backdoor is triggered by a specific set of data in the SSH key exchange.

Activation requires an SSH certificate with a payload encrypted and signed with the attacker's EDD 448 key.

The backdoor checks if the certificate is signed by the attacker, using elliptic curve cryptography.

The command and control data is hidden within the certificate authority's signing key.

The backdoor's implementation is complex and would not have been discovered without rigorous auditing.

The video demonstrates how to set up an isolated environment to test the backdoor safely.

The backdoor's decryption process is explained, revealing how it operates with a known symmetric key.

A method to prove the backdoor's functionality is presented by replacing the public key with a known one.

The video shows how to check for the backdoor by examining the binary's dependencies and its lzma file.

The XZ bot tool is introduced as a way to interact with the backdoor using reverse engineering strategies.

The backdoor's ability to execute arbitrary commands as root is demonstrated, highlighting its severity.

The discovery of the backdoor has raised awareness about open-source software vulnerabilities and the need for increased security measures.

The video encourages community members to think of solutions to prevent similar issues in other repositories.

Transcripts

00:00

the last week has been an absolute

00:02

Whirlwind for the world of not only

00:04

security but open source in general if

00:07

you're not aware of what happened a back

00:09

door had been put in the XZ project in

00:12

particular a back door was put in lib

00:14

lzma we've had a couple of days to

00:16

figure out what's going on here and

00:18

luckily some researchers from around the

00:20

community figured out exactly what this

00:23

back door does in this video we're going

00:25

to break down how the back door behaves

00:27

what it looks like over the wire and

00:30

what the attacker meant to do with it

00:32

also hi I am lowle learning I make

00:34

videos about programming software

00:36

security so if you like that or just

00:38

want to hang out with me hit that sub

00:39

button I really appreciate it full

00:40

disclosure I did not write the code in

00:42

this video I did not do R reverse

00:44

engineering I a dad I'm very busy but

00:47

luckily other people in the community

00:48

had the time to take care of this and do

00:50

it I'm going to link all of their work

00:52

and the repost in the description below

00:54

please go check out their stuff go

00:55

follow them on Twitter go like And

00:57

subscribe to their content uh but in

01:00

this video we're going to break down how

01:01

XZ bot Works XZ bot being a way to

01:04

interact with the back door using some

01:06

reverse engineering strategies that a

01:08

researcher at Google use let's get into

01:10

it right now now if you want to follow

01:11

along with me it's actually really easy

01:13

to do so the the author of the xbot repo

01:16

actually gave a great write up on how to

01:18

set up an environment that allows you to

01:20

use op ssh in the way that would depend

01:23

on the backd door I am in a sandboxed

01:25

environment you're looking at an auntu

01:27

2204 virtual machine and I'm doing this

01:29

in a way that I protecting myself

01:31

against any additional features that may

01:33

not have been found in the back door

01:34

like maybe for example it calls home to

01:36

some C2 server I don't want that to

01:38

happen in my home network right so this

01:40

has been completely isolated in a way

01:42

that I'm not worried about that the way

01:43

this back door works is absolutely

01:45

insane and the way they implemented

01:47

their C2 with this back door would have

01:49

never been caught without severe

01:52

auditing of the process and again thank

01:54

God that the researcher at Microsoft

01:56

found this thing so the way that it

01:57

works is the back door has to be

01:58

triggered with a spefic specific set of

02:01

data in the key exchange of the SSH

02:03

connection the back door can be

02:04

triggered by connecting with an SSH

02:06

certificate with a payload in the ca

02:09

certificate Authority signing key and

02:11

Valu this payload must be encrypted and

02:13

signed with the attacker's EDD 448 key

02:16

that's elliptic curve cryptography 448

02:19

is the key space key the way this works

02:21

is basically when you do a certificate

02:24

exchange with the server that has been

02:26

infected by the back door what the back

02:29

door will actually do is check has that

02:31

certificate been signed by the attacker

02:34

right and if you don't know what signing

02:35

means when you sign something you have

02:37

two keys you have a private key and a

02:40

public key in a signing scheme the

02:42

public key is the key used to decrypt

02:45

and the private key is the key used to

02:47

encrypt so e is private D is public now

02:50

when you want to sign something what

02:52

you're actually doing is using the

02:54

private key to encrypt a hash of it and

02:56

then when you want to verify the

02:58

signature you decrypt the hash and you

03:00

say okay cool after I've decrypted the

03:03

thing the hash matches the hash of the

03:06

data therefore only the person who is

03:08

able to sign this could have created

03:10

this data so what they're doing is

03:12

they're hiding their command and control

03:15

the command they want to run on the back

03:17

door server in the certificate

03:20

authorities signing key end value so

03:23

this is absolutely wild because when

03:25

you're doing a cryptographic key

03:26

exchange over the wire it's just a blob

03:29

of data just like how they hid the back

03:31

door in an lzma stream they're also

03:34

hiding the C2 over data that is normally

03:37

not otherwise inspected people kind of

03:39

just accept that like okay an SSH

03:41

exchange is going to have some binary

03:42

data we're not going to touch it so they

03:44

have these three bytes here and

03:45

basically the algorithm command 1 * 2 +

03:48

3 has to equal three and if it doesn't

03:50

the back door keeps processing otherwise

03:53

it'll take that check the signing value

03:55

and then move forward then inside of the

03:57

certificate Authority and value that has

03:59

been signed if these three values equal

04:02

three it'll have a cipher text the back

04:05

door will then decrypt the cipher text

04:07

with this known symmetric key we have

04:09

two kind of key schemes going on here we

04:11

have the signing scheme that says this

04:13

payload came from the evil person and

04:16

then the cipher text is just to hide it

04:17

right so we have to decrypt it and find

04:19

out okay cool now we know what the the

04:21

payload Is So within the cipher text

04:22

once it's been decrypted we have the

04:24

signature of the cipher text the command

04:26

to run and then some kind of padding to

04:28

make it all the right size to be able to

04:29

do the the encryption so basically

04:30

inside the back door there is this evil

04:32

key 0 a31 FD blah blah blah blah blah

04:35

and this is the public key of the

04:38

attacker now in theory the attacker has

04:40

the associated private key if they were

04:42

able to sign a payload and send it to an

04:45

infected server it would decrypt it as

04:46

we just described and run the payload

04:49

now because we don't have the attacker's

04:51

private key unless you do if you do turn

04:53

yourself in but no one really does right

04:55

so what we have to do to prove the back

04:57

door works is we have to replace the

05:00

public key with a known public key that

05:02

we have the associated private key for

05:04

so the author of this repo took the

05:06

public key out of the project and

05:08

replaced it with this public key and

05:10

then in the script to test the back door

05:12

has the known private key they made a

05:13

little script called Python 3 patch. piy

05:16

where you give it an infected lzma file

05:19

it'll find the function that does the

05:21

backdooring and it'll in place replace

05:23

the bad key with the good key or I guess

05:26

the the the attacker's key with your key

05:28

and this is actually really good way of

05:29

testing if you have a vulnerable version

05:32

right basically if you find that you

05:33

have this string in your lzma file you

05:37

have the public key in your binary you

05:39

are infected get rid of it so to get my

05:41

server set up basically I have SD

05:44

running as a system D service the reason

05:46

that this matters is because SSH by

05:48

default does not depend on lzma without

05:51

running as a system Des service and the

05:53

way we can check this is we can do ldd

05:56

on user Espin sshd by doing this it'll

05:59

expose ose all of the shared objects

06:01

that the binary depends on right we can

06:03

see right here that because it's

06:04

compiled in a way that depends on system

06:06

D messaging it is compiled with lib lzma

06:10

and then this lib lzma if we do a LSL on

06:14

the file we can see that this is a Sim

06:16

link to the version that I compiled the

06:17

test the backd door which is live lzma

06:20

560 now how do we make this meaningful

06:22

right again we want to test the back

06:24

door but we don't have the private key

06:26

to do the evil bidding so here what I'm

06:27

doing is I'm taking the patch file they

06:29

wrote and I'm pointing it at the backd

06:31

door lzma library that I compiled

06:33

locally on my computer and what it does

06:35

is it finds the function that has the

06:37

back door in it and it produces a patch

06:39

version of shared object that has a

06:42

public key that we know the private key

06:44

for and so we can just copy this to our

06:46

systems libraries right and now when we

06:49

go to run sshd it will depend on the

06:52

malicious version that has our known

06:54

public key back door is still having the

06:56

same functionality it's just it has a

06:58

public key that we actually know the

06:59

value before and this is where it gets

07:01

really crazy so we can use XZ bot and

07:04

what it does is it uses that structure

07:07

of take the command encrypt it put those

07:10

three magic values and then sign that

07:12

with the private key and it sends it to

07:14

the SSH server we can do xbot Tac H to

07:16

get the help menu right and so we're

07:18

going to do the adder of my local server

07:20

which is

07:21

12701 don't leak my IP address please uh

07:24

and Port 22 right so this is it showing

07:26

us the key exchange that's happening and

07:28

again what's so scary about this this is

07:30

if you were to observe this over the

07:32

wire you would not think anything bad

07:34

about the nature of this data this is

07:36

just an RSA key exchange like why would

07:38

there be anything evil here and so what

07:40

they did is they took that data that

07:42

people normally trust and they use that

07:44

as a place to hide their payload so what

07:47

we can do now is we can use this to run

07:49

evil commands and the nature of the evil

07:52

commands is even scarier so let's do

07:54

tack H again to kind of show the string

07:56

here we'll do command and I want to run

07:58

ID which shows you what privilege level

08:00

you are on the system and I'm going to

08:02

Output it to temp for the video now we

08:04

did that you know nothing crazy happened

08:06

on the system it just kind of ran

08:07

quietly but if I cat temp for the video

08:11

you'll see that the output of ID was

08:13

root this is where things get even

08:15

crazier and I think everyone kind of

08:17

knew this but you have to really put

08:18

your wrap your head around the magnitude

08:20

of this bug if the attacker had not got

08:22

caught they would have had a back door

08:24

in the process of lib zma that when

08:26

compiled on servers would be depended on

08:29

by sshd then when able to execute the

08:32

back door via a C2 channel that is

08:35

encrypted and mostly avisc and not

08:37

really questioned they get arbitrary

08:39

command execution not as some user on

08:41

the system but as root and why is that

08:44

because sshd runs as root it has to run

08:47

as root to then deescalate your privious

08:49

to the user that you log in as

08:52

absolutely terrifying now while this bug

08:54

is super scary and kind of highlights

08:56

the nature of the vulnerabilities of

08:58

Open Source software what I do like

09:01

about what's happened is it's getting

09:02

people to think it's a basically the

09:06

entire Community has woken up and now

09:08

realizes oh there's a problem and it's

09:10

no longer this like quiet thing that

09:12

people in you know conspiratorial

09:14

Corners were were talking about so

09:16

anyway get your thinking caps on think

09:18

of cool Solutions of how we cane prevent

09:20

this from happening in other repos and

09:23

then if you were totally lost about

09:24

what's going on go check out this video

09:27

see you guys there take care

Rate This

5.0 / 5 (0 votes)

Related Tags
CybersecurityOpenSourceBackdoorExploitSSHVulnerabilityLiblzmaXZProjectCommunityInvestigationReverseEngineeringSecurityAlertRootAccess
Browse More Related Video

Linux got wrecked by backdoor attack

Understanding the Linux Backdoor: Implications for Open Source [When Penguins Cry]

Abstraction Can Make Your Code Worse

Mark Zuckerberg - Llama 3, $10B Models, Caesar Augustus, & 1 GW Datacenters

The Linux Hack was an inside job…

Delete Windows Today…