revealing the features of the XZ backdoor

the last week has been an absolute

Whirlwind for the world of not only

security but open source in general if

you're not aware of what happened a back

door had been put in the XZ project in

particular a back door was put in lib

lzma we've had a couple of days to

figure out what's going on here and

luckily some researchers from around the

community figured out exactly what this

back door does in this video we're going

to break down how the back door behaves

what it looks like over the wire and

what the attacker meant to do with it

also hi I am lowle learning I make

videos about programming software

security so if you like that or just

want to hang out with me hit that sub

button I really appreciate it full

disclosure I did not write the code in

this video I did not do R reverse

engineering I a dad I'm very busy but

luckily other people in the community

had the time to take care of this and do

it I'm going to link all of their work

and the repost in the description below

please go check out their stuff go

follow them on Twitter go like And

subscribe to their content uh but in

this video we're going to break down how

XZ bot Works XZ bot being a way to

interact with the back door using some

reverse engineering strategies that a

researcher at Google use let's get into

it right now now if you want to follow

along with me it's actually really easy

to do so the the author of the xbot repo

actually gave a great write up on how to

set up an environment that allows you to

use op ssh in the way that would depend

on the backd door I am in a sandboxed

environment you're looking at an auntu

2204 virtual machine and I'm doing this

in a way that I protecting myself

against any additional features that may

not have been found in the back door

like maybe for example it calls home to

some C2 server I don't want that to

happen in my home network right so this

has been completely isolated in a way

that I'm not worried about that the way

this back door works is absolutely

insane and the way they implemented

their C2 with this back door would have

never been caught without severe

auditing of the process and again thank

God that the researcher at Microsoft

found this thing so the way that it

works is the back door has to be

triggered with a spefic specific set of

data in the key exchange of the SSH

connection the back door can be

triggered by connecting with an SSH

certificate with a payload in the ca

certificate Authority signing key and

Valu this payload must be encrypted and

signed with the attacker's EDD 448 key

that's elliptic curve cryptography 448

is the key space key the way this works

is basically when you do a certificate

exchange with the server that has been

infected by the back door what the back

door will actually do is check has that

certificate been signed by the attacker

right and if you don't know what signing

means when you sign something you have

two keys you have a private key and a

public key in a signing scheme the

public key is the key used to decrypt

and the private key is the key used to

encrypt so e is private D is public now

when you want to sign something what

you're actually doing is using the

private key to encrypt a hash of it and

then when you want to verify the

signature you decrypt the hash and you

say okay cool after I've decrypted the

thing the hash matches the hash of the

data therefore only the person who is

able to sign this could have created

this data so what they're doing is

they're hiding their command and control

the command they want to run on the back

door server in the certificate

authorities signing key end value so

this is absolutely wild because when

you're doing a cryptographic key

exchange over the wire it's just a blob

of data just like how they hid the back

door in an lzma stream they're also

hiding the C2 over data that is normally

not otherwise inspected people kind of

just accept that like okay an SSH

exchange is going to have some binary

data we're not going to touch it so they

have these three bytes here and

basically the algorithm command 1 * 2 +

3 has to equal three and if it doesn't

the back door keeps processing otherwise

it'll take that check the signing value

and then move forward then inside of the

certificate Authority and value that has

been signed if these three values equal

three it'll have a cipher text the back

door will then decrypt the cipher text

with this known symmetric key we have

two kind of key schemes going on here we

have the signing scheme that says this

payload came from the evil person and

then the cipher text is just to hide it

right so we have to decrypt it and find

out okay cool now we know what the the

payload Is So within the cipher text

once it's been decrypted we have the

signature of the cipher text the command

to run and then some kind of padding to

make it all the right size to be able to

do the the encryption so basically

inside the back door there is this evil

key 0 a31 FD blah blah blah blah blah

and this is the public key of the

attacker now in theory the attacker has

the associated private key if they were

able to sign a payload and send it to an

infected server it would decrypt it as

we just described and run the payload

now because we don't have the attacker's

private key unless you do if you do turn

yourself in but no one really does right

so what we have to do to prove the back

door works is we have to replace the

public key with a known public key that

we have the associated private key for

so the author of this repo took the

public key out of the project and

replaced it with this public key and

then in the script to test the back door

has the known private key they made a

little script called Python 3 patch. piy

where you give it an infected lzma file

it'll find the function that does the

backdooring and it'll in place replace

the bad key with the good key or I guess

the the the attacker's key with your key

and this is actually really good way of

testing if you have a vulnerable version

right basically if you find that you

have this string in your lzma file you

have the public key in your binary you

are infected get rid of it so to get my

server set up basically I have SD

running as a system D service the reason

that this matters is because SSH by

default does not depend on lzma without

running as a system Des service and the

way we can check this is we can do ldd

on user Espin sshd by doing this it'll

expose ose all of the shared objects

that the binary depends on right we can

see right here that because it's

compiled in a way that depends on system

D messaging it is compiled with lib lzma

and then this lib lzma if we do a LSL on

the file we can see that this is a Sim

link to the version that I compiled the

test the backd door which is live lzma

560 now how do we make this meaningful

right again we want to test the back

door but we don't have the private key

to do the evil bidding so here what I'm

doing is I'm taking the patch file they

wrote and I'm pointing it at the backd

door lzma library that I compiled

locally on my computer and what it does

is it finds the function that has the

back door in it and it produces a patch

version of shared object that has a

public key that we know the private key

for and so we can just copy this to our

systems libraries right and now when we

go to run sshd it will depend on the

malicious version that has our known

public key back door is still having the

same functionality it's just it has a

public key that we actually know the

value before and this is where it gets

really crazy so we can use XZ bot and

what it does is it uses that structure

of take the command encrypt it put those

three magic values and then sign that

with the private key and it sends it to

the SSH server we can do xbot Tac H to

get the help menu right and so we're

going to do the adder of my local server

which is

12701 don't leak my IP address please uh

and Port 22 right so this is it showing

us the key exchange that's happening and

again what's so scary about this this is

if you were to observe this over the

wire you would not think anything bad

about the nature of this data this is

just an RSA key exchange like why would

there be anything evil here and so what

they did is they took that data that

people normally trust and they use that

as a place to hide their payload so what

we can do now is we can use this to run

evil commands and the nature of the evil

commands is even scarier so let's do

tack H again to kind of show the string

here we'll do command and I want to run

ID which shows you what privilege level

you are on the system and I'm going to

Output it to temp for the video now we

did that you know nothing crazy happened

on the system it just kind of ran

quietly but if I cat temp for the video

you'll see that the output of ID was

root this is where things get even

crazier and I think everyone kind of

knew this but you have to really put

your wrap your head around the magnitude

of this bug if the attacker had not got

caught they would have had a back door

in the process of lib zma that when

compiled on servers would be depended on

by sshd then when able to execute the

back door via a C2 channel that is

encrypted and mostly avisc and not

really questioned they get arbitrary

command execution not as some user on

the system but as root and why is that

because sshd runs as root it has to run

as root to then deescalate your privious

to the user that you log in as

absolutely terrifying now while this bug

is super scary and kind of highlights

the nature of the vulnerabilities of

Open Source software what I do like

about what's happened is it's getting

people to think it's a basically the

entire Community has woken up and now

realizes oh there's a problem and it's

no longer this like quiet thing that

people in you know conspiratorial

Corners were were talking about so

anyway get your thinking caps on think

of cool Solutions of how we cane prevent

this from happening in other repos and

then if you were totally lost about

what's going on go check out this video

see you guys there take care