revealing the features of the XZ backdoor

Low Level Learning
3 Apr 202409:29

Summary

TLDR视频讲述了XZ项目中liblzma后门事件的详细分析。研究人员发现,通过特定的SSH证书签名,攻击者可以触发后门并执行任意命令。视频展示了如何检测和修复受感染的服务器,强调了开源软件漏洞的严重性,并呼吁社区提高安全意识。

Takeaways

  • 🔍 最近一周,开源界和安全领域发生了一件重大事件,XZ项目中的liblzma被植入了后门。
  • 🕵️ 社区研究人员经过几天的努力,揭示了这个后门的具体行为和攻击者的意图。
  • 📹 视频中将详细分析后门的工作方式、在网络上的表现以及攻击者是如何利用它的。
  • 🛠️ 为了演示和测试后门,使用了反向工程策略,并且提供了相关工具和脚本。
  • 🔑 后门的触发依赖于SSH连接中的密钥交换,需要一个特定的证书签名。
  • 💡 攻击者通过在CA签名密钥中隐藏命令控制信息来激活后门,这种方式很难被发现。
  • 🔐 后门的实现方式非常隐蔽,利用了通常不会被检查的数据类型。
  • 🖥️ 为了安全测试,需要在隔离的环境中运行相关软件,避免潜在的风险。
  • 🧩 通过替换后门中的公钥,可以测试系统是否受到感染,并验证后门的工作情况。
  • 🎯 后门允许攻击者以root权限执行任意命令,这对系统的安全性构成了极大威胁。
  • 🚨 这一事件提醒了开源社区对安全性的重视,并促进了对防止此类问题发生的讨论和解决方案的探索。

Q & A

  • 什么是XZ项目中的后门?

    -XZ项目中的后门是liblzma中的一个安全漏洞,攻击者可以通过特定的SSH证书触发该后门,从而在服务器上执行任意命令。

  • 后门是如何被触发的?

    -后门可以通过使用带有特定有效载荷的SSH证书来触发,该有效载荷必须使用攻击者的EDD 448密钥进行加密和签名。

  • 如何检测服务器是否受到XZ后门的影响?

    -通过检查服务器上的lzma文件和二进制文件中是否包含攻击者的公钥字符串,可以确定服务器是否受到后门的影响。

  • 攻击者如何使用后门执行命令?

    -攻击者通过将命令和控制信息隐藏在证书授权签名密钥的值中,然后在后门服务器上解密并执行这些命令。

  • XZ后门的危险性在哪里?

    -XZ后门的危险性在于它允许攻击者在SSH过程中执行任意命令,而且这种命令执行是以root权限进行的,因为sshd默认以root权限运行。

  • 社区是如何应对XZ后门事件的?

    -社区的研究人员通过逆向工程策略发现了后门的行为,并公开了他们的工作,以便其他人可以检查和修复他们的系统。

  • 如何防止类似的后门事件发生?

    -需要加强开源软件的审计过程,确保代码的安全性,并通过社区合作来提高对潜在漏洞的认识和响应速度。

  • XZ后门事件对开源社区有何影响?

    -该事件提高了开源社区对安全性的重视,促使人们更加关注开源软件的漏洞问题,并寻求更有效的预防措施。

  • 如何使用XZ bot与后门进行交互?

    -XZ bot是一个工具,它使用逆向工程策略来与后门交互,通过发送加密和签名的命令来测试后门是否工作正常。

  • 为什么SSH过程中的数据显示为正常的RSA密钥交换?

    -因为SSH过程中的数据通常不会受到怀疑,人们普遍接受这种二进制数据,攻击者正是利用了这一点来隐藏他们的有效载荷。

  • 如何修复受到XZ后门影响的服务器?

    -可以通过替换受影响的liblzma库文件,并确保SSH服务不依赖于可能包含后门的lzma版本来修复服务器。

Outlines

00:00

🔍 揭秘XZ项目后门事件

本段落主要讨论了最近在开源世界中引起轩然大波的XZ项目后门事件。事件中,liblzma被植入了一个后门,社区研究人员迅速响应并揭露了后门的具体行为。视频作者lowle将详细介绍后门如何在SSH连接中被触发,以及攻击者可能的意图。同时,作者也提到了自己并未亲自进行代码编写和逆向工程,而是依赖社区其他成员的工作,并在视频描述中提供了相关链接。

05:00

🛠️ XZ后门的工作原理及测试方法

第二段落深入探讨了XZ后门的工作原理,包括如何通过特定的SSH证书触发后门,以及后门如何利用证书中的加密数据执行命令。作者解释了如何使用名为XZ bot的工具与后门交互,并展示了如何在隔离环境中测试后门。此外,还讨论了如何通过替换后门中的公钥来验证系统是否易受攻击,并强调了这一漏洞的严重性,特别是如果攻击者未被发现,他们将能够在服务器上以root权限执行任意命令。最后,作者呼吁社区成员提高警惕,寻找解决方案以防止类似事件再次发生。

Mindmap

Keywords

💡后门

后门是指在软件中故意留下的一个隐蔽入口,允许未经授权的访问或控制。在视频中,后门被植入到XZ项目中的liblzma,使得攻击者可以通过特定的SSH证书触发并利用它执行恶意命令。

💡开源

开源指的是软件的源代码是公开可见的,允许任何人自由使用、修改和分发。视频讨论了一个开源项目中发现的后门问题,强调了开源社区对于安全性的重视和对潜在漏洞的关注。

💡安全

安全在这里指的是保护计算机系统和网络免受未经授权的访问或损害。视频讨论了XZ项目中后门的发现,这个后门可能导致严重的安全隐患,因为它允许攻击者以root权限执行任意命令。

💡椭圆曲线加密

椭圆曲线加密(ECC)是一种基于椭圆曲线数学的公钥加密技术,它提供了相同密钥长度下比传统加密方法更高的安全性。在视频中,攻击者使用ECC的EDD 448密钥对负载进行加密和签名,以触发后门。

💡证书交换

证书交换是SSL/TLS和SSH等安全协议中的一个过程,用于在通信双方建立一个安全的连接。在这个过程中,双方交换和验证各自的公钥证书,以确保通信的安全性。

💡加密

加密是将数据转换成一种只有拥有密钥的人才能解读的格式,以保护信息不被未授权的人访问。在视频中,攻击者使用加密来隐藏他们在证书中嵌入的命令控制信息。

💡反向工程

反向工程是指分析一个已经存在的系统或软件,以了解其工作原理和结构。在视频中,社区研究人员通过反向工程分析了XZ项目中的后门,揭示了其工作机制和潜在威胁。

💡C2服务器

C2服务器(Command and Control服务器)是攻击者用来远程控制受感染计算机的服务器。在视频中,后门可能被设计为与C2服务器通信,接收攻击者的指令。

💡补丁

补丁是指对软件进行修改或更新的小段代码,用来修复漏洞或改进功能。在视频中,制作了一个补丁脚本来替换后门中的公钥,以此来测试系统是否受到感染。

💡依赖

依赖是指一个软件或程序需要其他软件或库才能正常运行。在视频中,SSH服务依赖于liblzma库,而这个库中被植入了后门。

💡XZ bot

XZ bot是一个工具,用于与XZ项目中的后门进行交互。它通过模拟攻击者的行为来测试后门是否存在于系统中。

Highlights

上周对于安全和开源世界来说是一个绝对的旋风。

XZ项目中被植入了一个后门,特别是在lib lzma中。

社区研究人员已经弄清楚了这个后门的具体情况。

视频中将分解后门的行为、在线上的表现以及攻击者的意图。

XZ bot是一种与后门交互的方式,使用了谷歌研究员的逆向工程策略。

后门的工作原理是非常疯狂的,它们的C2实现如果没有严格的审计过程是不会被抓住的。

后门需要通过特定的数据在SSH连接的密钥交换中被触发。

攻击者通过CA签名密钥中隐藏的加密和签名的有效载荷来控制后门。

当证书被攻击者签名时,后门会检查并执行隐藏的命令和控制。

通过替换公开密钥,可以测试后门是否工作,以及服务器是否易受攻击。

使用XZ bot可以发送加密的命令,并通过后门执行。

这个后门允许攻击者以root权限执行任意命令,因为sshd以root身份运行。

这个漏洞凸显了开源软件的脆弱性,并且唤醒了社区对此类问题的关注。

整个社区已经意识到了这个问题,开始积极思考如何预防此类问题的发生。

这个后门是通过在证书交换中隐藏的命令控制通道来实现的。

通过特定的算法和密钥,攻击者可以在不被检测的情况下激活后门。

这个后门的发现和分析展示了社区合作和研究的重要性。

通过这个事件,我们可以更好地理解开源软件安全性的挑战和应对策略。

这个后门事件强调了对开源项目进行严格审计的必要性。

通过这个案例,我们可以学习如何识别和防御复杂的后门攻击。

Transcripts

00:00

the last week has been an absolute

00:02

Whirlwind for the world of not only

00:04

security but open source in general if

00:07

you're not aware of what happened a back

00:09

door had been put in the XZ project in

00:12

particular a back door was put in lib

00:14

lzma we've had a couple of days to

00:16

figure out what's going on here and

00:18

luckily some researchers from around the

00:20

community figured out exactly what this

00:23

back door does in this video we're going

00:25

to break down how the back door behaves

00:27

what it looks like over the wire and

00:30

what the attacker meant to do with it

00:32

also hi I am lowle learning I make

00:34

videos about programming software

00:36

security so if you like that or just

00:38

want to hang out with me hit that sub

00:39

button I really appreciate it full

00:40

disclosure I did not write the code in

00:42

this video I did not do R reverse

00:44

engineering I a dad I'm very busy but

00:47

luckily other people in the community

00:48

had the time to take care of this and do

00:50

it I'm going to link all of their work

00:52

and the repost in the description below

00:54

please go check out their stuff go

00:55

follow them on Twitter go like And

00:57

subscribe to their content uh but in

01:00

this video we're going to break down how

01:01

XZ bot Works XZ bot being a way to

01:04

interact with the back door using some

01:06

reverse engineering strategies that a

01:08

researcher at Google use let's get into

01:10

it right now now if you want to follow

01:11

along with me it's actually really easy

01:13

to do so the the author of the xbot repo

01:16

actually gave a great write up on how to

01:18

set up an environment that allows you to

01:20

use op ssh in the way that would depend

01:23

on the backd door I am in a sandboxed

01:25

environment you're looking at an auntu

01:27

2204 virtual machine and I'm doing this

01:29

in a way that I protecting myself

01:31

against any additional features that may

01:33

not have been found in the back door

01:34

like maybe for example it calls home to

01:36

some C2 server I don't want that to

01:38

happen in my home network right so this

01:40

has been completely isolated in a way

01:42

that I'm not worried about that the way

01:43

this back door works is absolutely

01:45

insane and the way they implemented

01:47

their C2 with this back door would have

01:49

never been caught without severe

01:52

auditing of the process and again thank

01:54

God that the researcher at Microsoft

01:56

found this thing so the way that it

01:57

works is the back door has to be

01:58

triggered with a spefic specific set of

02:01

data in the key exchange of the SSH

02:03

connection the back door can be

02:04

triggered by connecting with an SSH

02:06

certificate with a payload in the ca

02:09

certificate Authority signing key and

02:11

Valu this payload must be encrypted and

02:13

signed with the attacker's EDD 448 key

02:16

that's elliptic curve cryptography 448

02:19

is the key space key the way this works

02:21

is basically when you do a certificate

02:24

exchange with the server that has been

02:26

infected by the back door what the back

02:29

door will actually do is check has that

02:31

certificate been signed by the attacker

02:34

right and if you don't know what signing

02:35

means when you sign something you have

02:37

two keys you have a private key and a

02:40

public key in a signing scheme the

02:42

public key is the key used to decrypt

02:45

and the private key is the key used to

02:47

encrypt so e is private D is public now

02:50

when you want to sign something what

02:52

you're actually doing is using the

02:54

private key to encrypt a hash of it and

02:56

then when you want to verify the

02:58

signature you decrypt the hash and you

03:00

say okay cool after I've decrypted the

03:03

thing the hash matches the hash of the

03:06

data therefore only the person who is

03:08

able to sign this could have created

03:10

this data so what they're doing is

03:12

they're hiding their command and control

03:15

the command they want to run on the back

03:17

door server in the certificate

03:20

authorities signing key end value so

03:23

this is absolutely wild because when

03:25

you're doing a cryptographic key

03:26

exchange over the wire it's just a blob

03:29

of data just like how they hid the back

03:31

door in an lzma stream they're also

03:34

hiding the C2 over data that is normally

03:37

not otherwise inspected people kind of

03:39

just accept that like okay an SSH

03:41

exchange is going to have some binary

03:42

data we're not going to touch it so they

03:44

have these three bytes here and

03:45

basically the algorithm command 1 * 2 +

03:48

3 has to equal three and if it doesn't

03:50

the back door keeps processing otherwise

03:53

it'll take that check the signing value

03:55

and then move forward then inside of the

03:57

certificate Authority and value that has

03:59

been signed if these three values equal

04:02

three it'll have a cipher text the back

04:05

door will then decrypt the cipher text

04:07

with this known symmetric key we have

04:09

two kind of key schemes going on here we

04:11

have the signing scheme that says this

04:13

payload came from the evil person and

04:16

then the cipher text is just to hide it

04:17

right so we have to decrypt it and find

04:19

out okay cool now we know what the the

04:21

payload Is So within the cipher text

04:22

once it's been decrypted we have the

04:24

signature of the cipher text the command

04:26

to run and then some kind of padding to

04:28

make it all the right size to be able to

04:29

do the the encryption so basically

04:30

inside the back door there is this evil

04:32

key 0 a31 FD blah blah blah blah blah

04:35

and this is the public key of the

04:38

attacker now in theory the attacker has

04:40

the associated private key if they were

04:42

able to sign a payload and send it to an

04:45

infected server it would decrypt it as

04:46

we just described and run the payload

04:49

now because we don't have the attacker's

04:51

private key unless you do if you do turn

04:53

yourself in but no one really does right

04:55

so what we have to do to prove the back

04:57

door works is we have to replace the

05:00

public key with a known public key that

05:02

we have the associated private key for

05:04

so the author of this repo took the

05:06

public key out of the project and

05:08

replaced it with this public key and

05:10

then in the script to test the back door

05:12

has the known private key they made a

05:13

little script called Python 3 patch. piy

05:16

where you give it an infected lzma file

05:19

it'll find the function that does the

05:21

backdooring and it'll in place replace

05:23

the bad key with the good key or I guess

05:26

the the the attacker's key with your key

05:28

and this is actually really good way of

05:29

testing if you have a vulnerable version

05:32

right basically if you find that you

05:33

have this string in your lzma file you

05:37

have the public key in your binary you

05:39

are infected get rid of it so to get my

05:41

server set up basically I have SD

05:44

running as a system D service the reason

05:46

that this matters is because SSH by

05:48

default does not depend on lzma without

05:51

running as a system Des service and the

05:53

way we can check this is we can do ldd

05:56

on user Espin sshd by doing this it'll

05:59

expose ose all of the shared objects

06:01

that the binary depends on right we can

06:03

see right here that because it's

06:04

compiled in a way that depends on system

06:06

D messaging it is compiled with lib lzma

06:10

and then this lib lzma if we do a LSL on

06:14

the file we can see that this is a Sim

06:16

link to the version that I compiled the

06:17

test the backd door which is live lzma

06:20

560 now how do we make this meaningful

06:22

right again we want to test the back

06:24

door but we don't have the private key

06:26

to do the evil bidding so here what I'm

06:27

doing is I'm taking the patch file they

06:29

wrote and I'm pointing it at the backd

06:31

door lzma library that I compiled

06:33

locally on my computer and what it does

06:35

is it finds the function that has the

06:37

back door in it and it produces a patch

06:39

version of shared object that has a

06:42

public key that we know the private key

06:44

for and so we can just copy this to our

06:46

systems libraries right and now when we

06:49

go to run sshd it will depend on the

06:52

malicious version that has our known

06:54

public key back door is still having the

06:56

same functionality it's just it has a

06:58

public key that we actually know the

06:59

value before and this is where it gets

07:01

really crazy so we can use XZ bot and

07:04

what it does is it uses that structure

07:07

of take the command encrypt it put those

07:10

three magic values and then sign that

07:12

with the private key and it sends it to

07:14

the SSH server we can do xbot Tac H to

07:16

get the help menu right and so we're

07:18

going to do the adder of my local server

07:20

which is

07:21

12701 don't leak my IP address please uh

07:24

and Port 22 right so this is it showing

07:26

us the key exchange that's happening and

07:28

again what's so scary about this this is

07:30

if you were to observe this over the

07:32

wire you would not think anything bad

07:34

about the nature of this data this is

07:36

just an RSA key exchange like why would

07:38

there be anything evil here and so what

07:40

they did is they took that data that

07:42

people normally trust and they use that

07:44

as a place to hide their payload so what

07:47

we can do now is we can use this to run

07:49

evil commands and the nature of the evil

07:52

commands is even scarier so let's do

07:54

tack H again to kind of show the string

07:56

here we'll do command and I want to run

07:58

ID which shows you what privilege level

08:00

you are on the system and I'm going to

08:02

Output it to temp for the video now we

08:04

did that you know nothing crazy happened

08:06

on the system it just kind of ran

08:07

quietly but if I cat temp for the video

08:11

you'll see that the output of ID was

08:13

root this is where things get even

08:15

crazier and I think everyone kind of

08:17

knew this but you have to really put

08:18

your wrap your head around the magnitude

08:20

of this bug if the attacker had not got

08:22

caught they would have had a back door

08:24

in the process of lib zma that when

08:26

compiled on servers would be depended on

08:29

by sshd then when able to execute the

08:32

back door via a C2 channel that is

08:35

encrypted and mostly avisc and not

08:37

really questioned they get arbitrary

08:39

command execution not as some user on

08:41

the system but as root and why is that

08:44

because sshd runs as root it has to run

08:47

as root to then deescalate your privious

08:49

to the user that you log in as

08:52

absolutely terrifying now while this bug

08:54

is super scary and kind of highlights

08:56

the nature of the vulnerabilities of

08:58

Open Source software what I do like

09:01

about what's happened is it's getting

09:02

people to think it's a basically the

09:06

entire Community has woken up and now

09:08

realizes oh there's a problem and it's

09:10

no longer this like quiet thing that

09:12

people in you know conspiratorial

09:14

Corners were were talking about so

09:16

anyway get your thinking caps on think

09:18

of cool Solutions of how we cane prevent

09:20

this from happening in other repos and

09:23

then if you were totally lost about

09:24

what's going on go check out this video

09:27

see you guys there take care