revealing the features of the XZ backdoor
Summary
TLDRThe video discusses the recent discovery of a backdoor in the XZ project's liblzma, which allows for remote code execution as root via an SSH certificate with a malicious payload. The community's swift response to the vulnerability is highlighted, emphasizing the importance of security in open-source software and the need for increased vigilance and auditing to prevent such incidents in the future.
Takeaways
- π A backdoor was discovered in the open-source XZ project, specifically in liblzma.
- π΅οΈ Community researchers identified the backdoor's behavior and its potential impact.
- π‘ The backdoor's functionality involves a covert channel triggered by a specific SSH certificate payload.
- π The payload must be encrypted and signed with the attacker's ED448 key for the backdoor to activate.
- π οΈ Researchers at Google used reverse engineering to understand and expose the backdoor's mechanism.
- π The video provides a detailed breakdown of the backdoor's operation and its implications.
- π₯οΈ A sandboxed environment was used to demonstrate the backdoor without risking the researcher's network.
- π The backdoor's command and control (C2) mechanism was hidden within an SSH certificate authority's signing key.
- π A known public key replacement method was used to test the presence of the backdoor in vulnerable systems.
- π The XZ bot tool was showcased to interact with the backdoor and execute commands with root privileges.
- π The discovery has raised awareness about the vulnerabilities in open-source software and the need for increased security measures.
Q & A
What major event happened in the open-source community recently?
-A backdoor was discovered in the XZ project, specifically in the liblzma component, which has caused significant concern in the security and open-source community.
How was the backdoor triggered?
-The backdoor is triggered through a specific set of data in the key exchange of the SSH connection. It can be activated by connecting with an SSH certificate that contains a payload in the CA signing key, which must be encrypted and signed with the attacker's EDD 448 key.
What is the significance of the EDD 448 key in this context?
-The EDD 448 key is an elliptic curve cryptography key used for signing the payload in the SSH certificate. It ensures that only the attacker who has the associated private key can create and sign the data, allowing the backdoor to verify the authenticity of the command coming from the attacker.
How did researchers discover and analyze the backdoor?
-Community researchers used reverse engineering strategies, including a researcher at Google, to figure out the behavior of the backdoor, its implementation, and the attacker's intentions. They also used a sandboxed environment to protect themselves from potential additional features of the backdoor.
What is XZ bot and how is it used in this scenario?
-XZ bot is a tool that interacts with the backdoor by using reverse engineering strategies. It allows researchers to test the backdoor functionality by replacing the attacker's public key with a known public key that has an associated private key, enabling the execution of commands through the backdoor.
How does the backdoor hide its command and control (C2) channel?
-The backdoor hides its C2 channel within the certificate authorities' signing key value. This data is typically not inspected during a cryptographic key exchange, allowing the attacker to conceal their commands within the normal SSH exchange data.
What is the potential impact of this backdoor if not discovered?
-If the attacker had not been caught, they would have had the ability to execute arbitrary commands on the server as root, since the SSH daemon runs as root. This would provide them with full control over the compromised system, leading to severe security breaches.
What steps can be taken to detect if a system is vulnerable to this backdoor?
-One can use the XZ bot tool to patch an infected LZMA file and binary, replacing the attacker's public key with a known public key. If the string of the attacker's public key is found in the LZMA file or binary, the system is infected and needs to be cleaned.
How does the discovery of this backdoor affect the open-source community?
-The discovery has raised awareness about the potential vulnerabilities in open-source software and has prompted the community to think about preventive measures and solutions to avoid similar incidents in the future.
What can individuals and organizations do to protect themselves from such vulnerabilities?
-Individuals and organizations should ensure that their systems are up-to-date, conduct regular security audits, and be vigilant about the software and libraries they use. They should also follow best practices in security, such as least privilege principles and network segmentation.
What is the role of system D in this context?
-System D is used to run SSH as a service, which is necessary for the testing of the backdoor in this scenario. SSH by default does not depend on LZMA unless it is running as a system service, which allows the testing of the backdoor in a controlled environment.
Outlines
π Discovery and Analysis of a Backdoor in Open Source Security
This paragraph discusses the recent discovery of a backdoor in the XZ project, specifically within liblzma. It highlights the community's response and the efforts of researchers to understand the backdoor's behavior, appearance over the network, and the attacker's intentions. The speaker introduces themselves and their content focus, and acknowledges the contributions of others in the community who have conducted the reverse engineering. The video's aim is to break down the specifics of the backdoor and how it operates, using strategies employed by a Google researcher to interact with it through reverse engineering. The speaker also emphasizes the importance of security and the potential risks of such vulnerabilities in open source software.
π οΈ Testing and Patching the Backdoor - A Community Effort
The second paragraph delves into the practical steps taken to test and patch the discovered backdoor. It describes the process of setting up an isolated environment to prevent any potential harm from the backdoor, and the method used to trigger the backdoor through a specific set of data in the SSH key exchange. The explanation includes the technical details of how the backdoor checks for the attacker's signature, and the use of elliptic curve cryptography. The paragraph further discusses how a script called 'Python 3 patch.py' is used to replace the malicious public key with a known one for testing purposes. The speaker then explains how to set up a server to test the backdoor and the implications of the bug, emphasizing the severity of the vulnerability and its potential for arbitrary command execution as root, given the nature of SSH operations. The paragraph concludes with a call to action for the community to think about preventative measures and solutions to avoid similar issues in the future.
Mindmap
Keywords
π‘Backdoor
π‘Open Source
π‘SSH (Secure Shell)
π‘Certificate Authority (CA)
π‘Elliptic Curve Cryptography (ECC)
π‘Reverse Engineering
π‘C2 (Command and Control)
π‘XZ Bot
π‘Systemd
π‘LDD (List Dynamic Dependencies)
π‘Vulnerability
Highlights
A backdoor was discovered in the XZ project, specifically in liblzma.
Community researchers identified the backdoor's behavior and purpose.
The backdoor's functionality is exposed in this video, detailing its operation and the attacker's intentions.
The video creator, lowle, focuses on programming, software, and security, providing educational content for viewers.
The backdoor is triggered by a specific set of data in the SSH key exchange.
Activation requires an SSH certificate with a payload encrypted and signed with the attacker's EDD 448 key.
The backdoor checks if the certificate is signed by the attacker, using elliptic curve cryptography.
The command and control data is hidden within the certificate authority's signing key.
The backdoor's implementation is complex and would not have been discovered without rigorous auditing.
The video demonstrates how to set up an isolated environment to test the backdoor safely.
The backdoor's decryption process is explained, revealing how it operates with a known symmetric key.
A method to prove the backdoor's functionality is presented by replacing the public key with a known one.
The video shows how to check for the backdoor by examining the binary's dependencies and its lzma file.
The XZ bot tool is introduced as a way to interact with the backdoor using reverse engineering strategies.
The backdoor's ability to execute arbitrary commands as root is demonstrated, highlighting its severity.
The discovery of the backdoor has raised awareness about open-source software vulnerabilities and the need for increased security measures.
The video encourages community members to think of solutions to prevent similar issues in other repositories.
Transcripts
the last week has been an absolute
Whirlwind for the world of not only
security but open source in general if
you're not aware of what happened a back
door had been put in the XZ project in
particular a back door was put in lib
lzma we've had a couple of days to
figure out what's going on here and
luckily some researchers from around the
community figured out exactly what this
back door does in this video we're going
to break down how the back door behaves
what it looks like over the wire and
what the attacker meant to do with it
also hi I am lowle learning I make
videos about programming software
security so if you like that or just
want to hang out with me hit that sub
button I really appreciate it full
disclosure I did not write the code in
this video I did not do R reverse
engineering I a dad I'm very busy but
luckily other people in the community
had the time to take care of this and do
it I'm going to link all of their work
and the repost in the description below
please go check out their stuff go
follow them on Twitter go like And
subscribe to their content uh but in
this video we're going to break down how
XZ bot Works XZ bot being a way to
interact with the back door using some
reverse engineering strategies that a
researcher at Google use let's get into
it right now now if you want to follow
along with me it's actually really easy
to do so the the author of the xbot repo
actually gave a great write up on how to
set up an environment that allows you to
use op ssh in the way that would depend
on the backd door I am in a sandboxed
environment you're looking at an auntu
2204 virtual machine and I'm doing this
in a way that I protecting myself
against any additional features that may
not have been found in the back door
like maybe for example it calls home to
some C2 server I don't want that to
happen in my home network right so this
has been completely isolated in a way
that I'm not worried about that the way
this back door works is absolutely
insane and the way they implemented
their C2 with this back door would have
never been caught without severe
auditing of the process and again thank
God that the researcher at Microsoft
found this thing so the way that it
works is the back door has to be
triggered with a spefic specific set of
data in the key exchange of the SSH
connection the back door can be
triggered by connecting with an SSH
certificate with a payload in the ca
certificate Authority signing key and
Valu this payload must be encrypted and
signed with the attacker's EDD 448 key
that's elliptic curve cryptography 448
is the key space key the way this works
is basically when you do a certificate
exchange with the server that has been
infected by the back door what the back
door will actually do is check has that
certificate been signed by the attacker
right and if you don't know what signing
means when you sign something you have
two keys you have a private key and a
public key in a signing scheme the
public key is the key used to decrypt
and the private key is the key used to
encrypt so e is private D is public now
when you want to sign something what
you're actually doing is using the
private key to encrypt a hash of it and
then when you want to verify the
signature you decrypt the hash and you
say okay cool after I've decrypted the
thing the hash matches the hash of the
data therefore only the person who is
able to sign this could have created
this data so what they're doing is
they're hiding their command and control
the command they want to run on the back
door server in the certificate
authorities signing key end value so
this is absolutely wild because when
you're doing a cryptographic key
exchange over the wire it's just a blob
of data just like how they hid the back
door in an lzma stream they're also
hiding the C2 over data that is normally
not otherwise inspected people kind of
just accept that like okay an SSH
exchange is going to have some binary
data we're not going to touch it so they
have these three bytes here and
basically the algorithm command 1 * 2 +
3 has to equal three and if it doesn't
the back door keeps processing otherwise
it'll take that check the signing value
and then move forward then inside of the
certificate Authority and value that has
been signed if these three values equal
three it'll have a cipher text the back
door will then decrypt the cipher text
with this known symmetric key we have
two kind of key schemes going on here we
have the signing scheme that says this
payload came from the evil person and
then the cipher text is just to hide it
right so we have to decrypt it and find
out okay cool now we know what the the
payload Is So within the cipher text
once it's been decrypted we have the
signature of the cipher text the command
to run and then some kind of padding to
make it all the right size to be able to
do the the encryption so basically
inside the back door there is this evil
key 0 a31 FD blah blah blah blah blah
and this is the public key of the
attacker now in theory the attacker has
the associated private key if they were
able to sign a payload and send it to an
infected server it would decrypt it as
we just described and run the payload
now because we don't have the attacker's
private key unless you do if you do turn
yourself in but no one really does right
so what we have to do to prove the back
door works is we have to replace the
public key with a known public key that
we have the associated private key for
so the author of this repo took the
public key out of the project and
replaced it with this public key and
then in the script to test the back door
has the known private key they made a
little script called Python 3 patch. piy
where you give it an infected lzma file
it'll find the function that does the
backdooring and it'll in place replace
the bad key with the good key or I guess
the the the attacker's key with your key
and this is actually really good way of
testing if you have a vulnerable version
right basically if you find that you
have this string in your lzma file you
have the public key in your binary you
are infected get rid of it so to get my
server set up basically I have SD
running as a system D service the reason
that this matters is because SSH by
default does not depend on lzma without
running as a system Des service and the
way we can check this is we can do ldd
on user Espin sshd by doing this it'll
expose ose all of the shared objects
that the binary depends on right we can
see right here that because it's
compiled in a way that depends on system
D messaging it is compiled with lib lzma
and then this lib lzma if we do a LSL on
the file we can see that this is a Sim
link to the version that I compiled the
test the backd door which is live lzma
560 now how do we make this meaningful
right again we want to test the back
door but we don't have the private key
to do the evil bidding so here what I'm
doing is I'm taking the patch file they
wrote and I'm pointing it at the backd
door lzma library that I compiled
locally on my computer and what it does
is it finds the function that has the
back door in it and it produces a patch
version of shared object that has a
public key that we know the private key
for and so we can just copy this to our
systems libraries right and now when we
go to run sshd it will depend on the
malicious version that has our known
public key back door is still having the
same functionality it's just it has a
public key that we actually know the
value before and this is where it gets
really crazy so we can use XZ bot and
what it does is it uses that structure
of take the command encrypt it put those
three magic values and then sign that
with the private key and it sends it to
the SSH server we can do xbot Tac H to
get the help menu right and so we're
going to do the adder of my local server
which is
12701 don't leak my IP address please uh
and Port 22 right so this is it showing
us the key exchange that's happening and
again what's so scary about this this is
if you were to observe this over the
wire you would not think anything bad
about the nature of this data this is
just an RSA key exchange like why would
there be anything evil here and so what
they did is they took that data that
people normally trust and they use that
as a place to hide their payload so what
we can do now is we can use this to run
evil commands and the nature of the evil
commands is even scarier so let's do
tack H again to kind of show the string
here we'll do command and I want to run
ID which shows you what privilege level
you are on the system and I'm going to
Output it to temp for the video now we
did that you know nothing crazy happened
on the system it just kind of ran
quietly but if I cat temp for the video
you'll see that the output of ID was
root this is where things get even
crazier and I think everyone kind of
knew this but you have to really put
your wrap your head around the magnitude
of this bug if the attacker had not got
caught they would have had a back door
in the process of lib zma that when
compiled on servers would be depended on
by sshd then when able to execute the
back door via a C2 channel that is
encrypted and mostly avisc and not
really questioned they get arbitrary
command execution not as some user on
the system but as root and why is that
because sshd runs as root it has to run
as root to then deescalate your privious
to the user that you log in as
absolutely terrifying now while this bug
is super scary and kind of highlights
the nature of the vulnerabilities of
Open Source software what I do like
about what's happened is it's getting
people to think it's a basically the
entire Community has woken up and now
realizes oh there's a problem and it's
no longer this like quiet thing that
people in you know conspiratorial
Corners were were talking about so
anyway get your thinking caps on think
of cool Solutions of how we cane prevent
this from happening in other repos and
then if you were totally lost about
what's going on go check out this video
see you guys there take care
5.0 / 5 (0 votes)
