revealing the features of the XZ backdoor
Summary
TLDR视频讲述了XZ项目中liblzma后门事件的详细分析。研究人员发现,通过特定的SSH证书签名,攻击者可以触发后门并执行任意命令。视频展示了如何检测和修复受感染的服务器,强调了开源软件漏洞的严重性,并呼吁社区提高安全意识。
Takeaways
- 🔍 最近一周,开源界和安全领域发生了一件重大事件,XZ项目中的liblzma被植入了后门。
- 🕵️ 社区研究人员经过几天的努力,揭示了这个后门的具体行为和攻击者的意图。
- 📹 视频中将详细分析后门的工作方式、在网络上的表现以及攻击者是如何利用它的。
- 🛠️ 为了演示和测试后门,使用了反向工程策略,并且提供了相关工具和脚本。
- 🔑 后门的触发依赖于SSH连接中的密钥交换,需要一个特定的证书签名。
- 💡 攻击者通过在CA签名密钥中隐藏命令控制信息来激活后门,这种方式很难被发现。
- 🔐 后门的实现方式非常隐蔽,利用了通常不会被检查的数据类型。
- 🖥️ 为了安全测试,需要在隔离的环境中运行相关软件,避免潜在的风险。
- 🧩 通过替换后门中的公钥,可以测试系统是否受到感染,并验证后门的工作情况。
- 🎯 后门允许攻击者以root权限执行任意命令,这对系统的安全性构成了极大威胁。
- 🚨 这一事件提醒了开源社区对安全性的重视,并促进了对防止此类问题发生的讨论和解决方案的探索。
Q & A
什么是XZ项目中的后门?
-XZ项目中的后门是liblzma中的一个安全漏洞,攻击者可以通过特定的SSH证书触发该后门,从而在服务器上执行任意命令。
后门是如何被触发的?
-后门可以通过使用带有特定有效载荷的SSH证书来触发,该有效载荷必须使用攻击者的EDD 448密钥进行加密和签名。
如何检测服务器是否受到XZ后门的影响?
-通过检查服务器上的lzma文件和二进制文件中是否包含攻击者的公钥字符串,可以确定服务器是否受到后门的影响。
攻击者如何使用后门执行命令?
-攻击者通过将命令和控制信息隐藏在证书授权签名密钥的值中,然后在后门服务器上解密并执行这些命令。
XZ后门的危险性在哪里?
-XZ后门的危险性在于它允许攻击者在SSH过程中执行任意命令,而且这种命令执行是以root权限进行的,因为sshd默认以root权限运行。
社区是如何应对XZ后门事件的?
-社区的研究人员通过逆向工程策略发现了后门的行为,并公开了他们的工作,以便其他人可以检查和修复他们的系统。
如何防止类似的后门事件发生?
-需要加强开源软件的审计过程,确保代码的安全性,并通过社区合作来提高对潜在漏洞的认识和响应速度。
XZ后门事件对开源社区有何影响?
-该事件提高了开源社区对安全性的重视,促使人们更加关注开源软件的漏洞问题,并寻求更有效的预防措施。
如何使用XZ bot与后门进行交互?
-XZ bot是一个工具,它使用逆向工程策略来与后门交互,通过发送加密和签名的命令来测试后门是否工作正常。
为什么SSH过程中的数据显示为正常的RSA密钥交换?
-因为SSH过程中的数据通常不会受到怀疑,人们普遍接受这种二进制数据,攻击者正是利用了这一点来隐藏他们的有效载荷。
如何修复受到XZ后门影响的服务器?
-可以通过替换受影响的liblzma库文件,并确保SSH服务不依赖于可能包含后门的lzma版本来修复服务器。
Outlines
🔍 揭秘XZ项目后门事件
本段落主要讨论了最近在开源世界中引起轩然大波的XZ项目后门事件。事件中,liblzma被植入了一个后门,社区研究人员迅速响应并揭露了后门的具体行为。视频作者lowle将详细介绍后门如何在SSH连接中被触发,以及攻击者可能的意图。同时,作者也提到了自己并未亲自进行代码编写和逆向工程,而是依赖社区其他成员的工作,并在视频描述中提供了相关链接。
🛠️ XZ后门的工作原理及测试方法
第二段落深入探讨了XZ后门的工作原理,包括如何通过特定的SSH证书触发后门,以及后门如何利用证书中的加密数据执行命令。作者解释了如何使用名为XZ bot的工具与后门交互,并展示了如何在隔离环境中测试后门。此外,还讨论了如何通过替换后门中的公钥来验证系统是否易受攻击,并强调了这一漏洞的严重性,特别是如果攻击者未被发现,他们将能够在服务器上以root权限执行任意命令。最后,作者呼吁社区成员提高警惕,寻找解决方案以防止类似事件再次发生。
Mindmap
Keywords
💡后门
💡开源
💡安全
💡椭圆曲线加密
💡证书交换
💡加密
💡反向工程
💡C2服务器
💡补丁
💡依赖
💡XZ bot
Highlights
上周对于安全和开源世界来说是一个绝对的旋风。
XZ项目中被植入了一个后门,特别是在lib lzma中。
社区研究人员已经弄清楚了这个后门的具体情况。
视频中将分解后门的行为、在线上的表现以及攻击者的意图。
XZ bot是一种与后门交互的方式,使用了谷歌研究员的逆向工程策略。
后门的工作原理是非常疯狂的,它们的C2实现如果没有严格的审计过程是不会被抓住的。
后门需要通过特定的数据在SSH连接的密钥交换中被触发。
攻击者通过CA签名密钥中隐藏的加密和签名的有效载荷来控制后门。
当证书被攻击者签名时,后门会检查并执行隐藏的命令和控制。
通过替换公开密钥,可以测试后门是否工作,以及服务器是否易受攻击。
使用XZ bot可以发送加密的命令,并通过后门执行。
这个后门允许攻击者以root权限执行任意命令,因为sshd以root身份运行。
这个漏洞凸显了开源软件的脆弱性,并且唤醒了社区对此类问题的关注。
整个社区已经意识到了这个问题,开始积极思考如何预防此类问题的发生。
这个后门是通过在证书交换中隐藏的命令控制通道来实现的。
通过特定的算法和密钥,攻击者可以在不被检测的情况下激活后门。
这个后门的发现和分析展示了社区合作和研究的重要性。
通过这个事件,我们可以更好地理解开源软件安全性的挑战和应对策略。
这个后门事件强调了对开源项目进行严格审计的必要性。
通过这个案例,我们可以学习如何识别和防御复杂的后门攻击。
Transcripts
the last week has been an absolute
Whirlwind for the world of not only
security but open source in general if
you're not aware of what happened a back
door had been put in the XZ project in
particular a back door was put in lib
lzma we've had a couple of days to
figure out what's going on here and
luckily some researchers from around the
community figured out exactly what this
back door does in this video we're going
to break down how the back door behaves
what it looks like over the wire and
what the attacker meant to do with it
also hi I am lowle learning I make
videos about programming software
security so if you like that or just
want to hang out with me hit that sub
button I really appreciate it full
disclosure I did not write the code in
this video I did not do R reverse
engineering I a dad I'm very busy but
luckily other people in the community
had the time to take care of this and do
it I'm going to link all of their work
and the repost in the description below
please go check out their stuff go
follow them on Twitter go like And
subscribe to their content uh but in
this video we're going to break down how
XZ bot Works XZ bot being a way to
interact with the back door using some
reverse engineering strategies that a
researcher at Google use let's get into
it right now now if you want to follow
along with me it's actually really easy
to do so the the author of the xbot repo
actually gave a great write up on how to
set up an environment that allows you to
use op ssh in the way that would depend
on the backd door I am in a sandboxed
environment you're looking at an auntu
2204 virtual machine and I'm doing this
in a way that I protecting myself
against any additional features that may
not have been found in the back door
like maybe for example it calls home to
some C2 server I don't want that to
happen in my home network right so this
has been completely isolated in a way
that I'm not worried about that the way
this back door works is absolutely
insane and the way they implemented
their C2 with this back door would have
never been caught without severe
auditing of the process and again thank
God that the researcher at Microsoft
found this thing so the way that it
works is the back door has to be
triggered with a spefic specific set of
data in the key exchange of the SSH
connection the back door can be
triggered by connecting with an SSH
certificate with a payload in the ca
certificate Authority signing key and
Valu this payload must be encrypted and
signed with the attacker's EDD 448 key
that's elliptic curve cryptography 448
is the key space key the way this works
is basically when you do a certificate
exchange with the server that has been
infected by the back door what the back
door will actually do is check has that
certificate been signed by the attacker
right and if you don't know what signing
means when you sign something you have
two keys you have a private key and a
public key in a signing scheme the
public key is the key used to decrypt
and the private key is the key used to
encrypt so e is private D is public now
when you want to sign something what
you're actually doing is using the
private key to encrypt a hash of it and
then when you want to verify the
signature you decrypt the hash and you
say okay cool after I've decrypted the
thing the hash matches the hash of the
data therefore only the person who is
able to sign this could have created
this data so what they're doing is
they're hiding their command and control
the command they want to run on the back
door server in the certificate
authorities signing key end value so
this is absolutely wild because when
you're doing a cryptographic key
exchange over the wire it's just a blob
of data just like how they hid the back
door in an lzma stream they're also
hiding the C2 over data that is normally
not otherwise inspected people kind of
just accept that like okay an SSH
exchange is going to have some binary
data we're not going to touch it so they
have these three bytes here and
basically the algorithm command 1 * 2 +
3 has to equal three and if it doesn't
the back door keeps processing otherwise
it'll take that check the signing value
and then move forward then inside of the
certificate Authority and value that has
been signed if these three values equal
three it'll have a cipher text the back
door will then decrypt the cipher text
with this known symmetric key we have
two kind of key schemes going on here we
have the signing scheme that says this
payload came from the evil person and
then the cipher text is just to hide it
right so we have to decrypt it and find
out okay cool now we know what the the
payload Is So within the cipher text
once it's been decrypted we have the
signature of the cipher text the command
to run and then some kind of padding to
make it all the right size to be able to
do the the encryption so basically
inside the back door there is this evil
key 0 a31 FD blah blah blah blah blah
and this is the public key of the
attacker now in theory the attacker has
the associated private key if they were
able to sign a payload and send it to an
infected server it would decrypt it as
we just described and run the payload
now because we don't have the attacker's
private key unless you do if you do turn
yourself in but no one really does right
so what we have to do to prove the back
door works is we have to replace the
public key with a known public key that
we have the associated private key for
so the author of this repo took the
public key out of the project and
replaced it with this public key and
then in the script to test the back door
has the known private key they made a
little script called Python 3 patch. piy
where you give it an infected lzma file
it'll find the function that does the
backdooring and it'll in place replace
the bad key with the good key or I guess
the the the attacker's key with your key
and this is actually really good way of
testing if you have a vulnerable version
right basically if you find that you
have this string in your lzma file you
have the public key in your binary you
are infected get rid of it so to get my
server set up basically I have SD
running as a system D service the reason
that this matters is because SSH by
default does not depend on lzma without
running as a system Des service and the
way we can check this is we can do ldd
on user Espin sshd by doing this it'll
expose ose all of the shared objects
that the binary depends on right we can
see right here that because it's
compiled in a way that depends on system
D messaging it is compiled with lib lzma
and then this lib lzma if we do a LSL on
the file we can see that this is a Sim
link to the version that I compiled the
test the backd door which is live lzma
560 now how do we make this meaningful
right again we want to test the back
door but we don't have the private key
to do the evil bidding so here what I'm
doing is I'm taking the patch file they
wrote and I'm pointing it at the backd
door lzma library that I compiled
locally on my computer and what it does
is it finds the function that has the
back door in it and it produces a patch
version of shared object that has a
public key that we know the private key
for and so we can just copy this to our
systems libraries right and now when we
go to run sshd it will depend on the
malicious version that has our known
public key back door is still having the
same functionality it's just it has a
public key that we actually know the
value before and this is where it gets
really crazy so we can use XZ bot and
what it does is it uses that structure
of take the command encrypt it put those
three magic values and then sign that
with the private key and it sends it to
the SSH server we can do xbot Tac H to
get the help menu right and so we're
going to do the adder of my local server
which is
12701 don't leak my IP address please uh
and Port 22 right so this is it showing
us the key exchange that's happening and
again what's so scary about this this is
if you were to observe this over the
wire you would not think anything bad
about the nature of this data this is
just an RSA key exchange like why would
there be anything evil here and so what
they did is they took that data that
people normally trust and they use that
as a place to hide their payload so what
we can do now is we can use this to run
evil commands and the nature of the evil
commands is even scarier so let's do
tack H again to kind of show the string
here we'll do command and I want to run
ID which shows you what privilege level
you are on the system and I'm going to
Output it to temp for the video now we
did that you know nothing crazy happened
on the system it just kind of ran
quietly but if I cat temp for the video
you'll see that the output of ID was
root this is where things get even
crazier and I think everyone kind of
knew this but you have to really put
your wrap your head around the magnitude
of this bug if the attacker had not got
caught they would have had a back door
in the process of lib zma that when
compiled on servers would be depended on
by sshd then when able to execute the
back door via a C2 channel that is
encrypted and mostly avisc and not
really questioned they get arbitrary
command execution not as some user on
the system but as root and why is that
because sshd runs as root it has to run
as root to then deescalate your privious
to the user that you log in as
absolutely terrifying now while this bug
is super scary and kind of highlights
the nature of the vulnerabilities of
Open Source software what I do like
about what's happened is it's getting
people to think it's a basically the
entire Community has woken up and now
realizes oh there's a problem and it's
no longer this like quiet thing that
people in you know conspiratorial
Corners were were talking about so
anyway get your thinking caps on think
of cool Solutions of how we cane prevent
this from happening in other repos and
then if you were totally lost about
what's going on go check out this video
see you guys there take care
5.0 / 5 (0 votes)
Memory Forensics Using the Volatility Framework
Understanding the Linux Backdoor: Implications for Open Source [When Penguins Cry]
How to Optimize Performance in Unreal Engine 5
Linux got wrecked by backdoor attack
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT - Jorge Rodriguez; Souhail Hammou
The State of Cybersecurity – Year in Review