Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Related Vulnerabilities: CVE-2024-3094  

oss-sec mailing list archives
From: Matthias Weckbecker <matthias () weckbecker name>

Date: Sat, 30 Mar 2024 10:23:49 +0100

On Fri, Mar 29, 2024 at 12:19:26PM -0700, Andres Freund wrote:
> Hi,

Hi Andres,

> On 2024-03-29 19:44:05 +0100, Matthias Weckbecker wrote:
> > I've attached a yara rule to detect the *.o droplet you attached in the
> > email (liblzma_la-crc64-fast.o.gz).
>
> Unfortunately xz 5.61 added further obfuscations, making it harder to
> detect. Should have made it clearer that the attached .o was from 5.60. Among
> others 5.61 removed the two symbols you're checking against here. That's why
> Vegard's script looks for a specific instruction sequence, but obviously is
> also more obscure :/

Yes, all correct. For this you'll have to match characteristic sequences
of instructions. I've attached a yara rule for this as well.

> Regards,
>
> Andres

Thanks,
Matthias
Attachment: CVE-2024-3094-p.yara
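The exchange above contrasts two ways of writing a detection rule for an object file: matching on exported symbol names, which stops working as soon as a later build removes those symbols, and matching on a characteristic instruction sequence with wildcards over the bytes that vary between builds. The script below, added here as an illustration and not part of the thread or of either attached yara rule, builds two minimal ELF64 relocatable objects (one with a symbol table, one without) around the same constructed x86-64 snippet and runs both rule styles against them. The symbol names, the code bytes and the wildcard pattern are placeholders invented for this example; they are not the CVE-2024-3094 indicators, and the ELF layout is the minimum a parser needs, not what a toolchain would emit.

```python
import struct

# Little-endian ELF64 layouts: Elf64_Ehdr (64 bytes), Elf64_Shdr (64 bytes), Elf64_Sym (24 bytes).
EHDR = "<16sHHIQQQIHHHHHH"
SHDR = "<IIQQQQIIQQ"
SYM = "<IBBHQQ"
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
SHF_EXECINSTR = 0x4


def build_elf64_rel(text, symbols):
    """Minimal ET_REL object with `text` in .text. With a non-empty `symbols`
    list a .symtab/.strtab pair exporting those names is added; with an empty
    list the object carries no symbol table, like a build that no longer
    exposes the names a symbol-based rule looks for."""
    names = [".text", ".shstrtab"] + ([".symtab", ".strtab"] if symbols else [])
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    strtab, symtab = b"\0", struct.pack(SYM, 0, 0, 0, 0, 0, 0)  # entry 0 is the null symbol
    for i, name in enumerate(symbols):
        # st_info = STB_GLOBAL << 4 | STT_FUNC, defined in section 1 (.text)
        symtab += struct.pack(SYM, len(strtab), (1 << 4) | 2, 0, 1, i, 1)
        strtab += name.encode() + b"\0"
    # Section indices: 0 null, 1 .text, 2 .shstrtab, 3 .symtab, 4 .strtab
    blobs = [(".text", text, SHT_PROGBITS, 0x2 | SHF_EXECINSTR), (".shstrtab", shstrtab, SHT_STRTAB, 0)]
    if symbols:
        blobs += [(".symtab", symtab, SHT_SYMTAB, 0), (".strtab", strtab, SHT_STRTAB, 0)]
    body, headers, offset = b"", [struct.pack(SHDR, *([0] * 10))], 64
    for name, data, shtype, flags in blobs:
        is_sym = name == ".symtab"
        headers.append(struct.pack(SHDR, name_off[name], shtype, flags, 0, offset, len(data),
                                   4 if is_sym else 0,   # sh_link: index of .strtab
                                   1 if is_sym else 0,   # sh_info: first non-local symbol
                                   1, 24 if is_sym else 0))
        body += data
        offset += len(data)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 1, 62, 1, 0, 0, offset,
                       0, 64, 0, 0, 64, len(headers), 2)
    return ehdr + body + b"".join(headers)


def read_sections(elf):
    """List of (name, header tuple, raw bytes) for every section header."""
    hdr = struct.unpack_from(EHDR, elf, 0)
    if hdr[0][:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    hdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    shstr = hdrs[shstrndx]
    strs = elf[shstr[4]:shstr[4] + shstr[5]]
    return [(strs[h[0]:strs.index(b"\0", h[0])].decode(), h, elf[h[4]:h[4] + h[5]]) for h in hdrs]


def symbol_names(elf):
    """Names from every SHT_SYMTAB section, resolved through its sh_link string table."""
    secs = read_sections(elf)
    names = set()
    for _, h, data in secs:
        if h[1] != SHT_SYMTAB:
            continue
        strtab = secs[h[6]][2]
        for off in range(0, len(data), 24):
            st_name = struct.unpack_from(SYM, data, off)[0]
            if st_name:
                names.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    return names


def parse_hex(pattern):
    """'48 8b ?? 24' -> [0x48, 0x8b, None, 0x24]; ?? is a wildcard byte as in a YARA hex string."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def find_pattern(blob, pattern):
    """Offset of the first match of a wildcard byte pattern in blob, or -1."""
    n = len(pattern)
    for i in range(len(blob) - n + 1):
        if all(p is None or blob[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def matches_by_symbols(elf, wanted):
    """Rule style 1: fire only if every wanted symbol name is present in the symbol table."""
    return set(wanted) <= symbol_names(elf)


def matches_by_code(elf, pattern):
    """Rule style 2: fire if the wildcard byte pattern occurs in any executable section."""
    return any(find_pattern(data, parse_hex(pattern)) >= 0
               for _, h, data in read_sections(elf) if h[2] & SHF_EXECINSTR)


# Constructed sample: push rbp; mov rbp,rsp; sub rsp,0x20; mov rax,[rbp+0x10]; call rel32;
# add rsp,0x20; pop rbp; ret. Placeholder code and names, NOT the real CVE-2024-3094 indicators.
SAMPLE_TEXT = bytes.fromhex("55 4889e5 4883ec20 488b4510 e800000000 4883c420 5d c3")
HYPOTHETICAL_SYMBOLS = ["hypo_hook_init", "hypo_hook_resolve"]
# Wildcards cover the displacement and the call target, which change between builds and relocations.
HYPOTHETICAL_PATTERN = "48 83 ec 20 48 8b 45 ?? e8 ?? ?? ?? ??"
OBJECT_WITH_SYMBOLS = build_elf64_rel(SAMPLE_TEXT, HYPOTHETICAL_SYMBOLS)  # stands in for the older build
OBJECT_STRIPPED = build_elf64_rel(SAMPLE_TEXT, [])                          # same code, symbols removed


def evaluate():
    """Run both rule styles against both objects."""
    return {
        "symbols/with": matches_by_symbols(OBJECT_WITH_SYMBOLS, HYPOTHETICAL_SYMBOLS),
        "symbols/stripped": matches_by_symbols(OBJECT_STRIPPED, HYPOTHETICAL_SYMBOLS),
        "code/with": matches_by_code(OBJECT_WITH_SYMBOLS, HYPOTHETICAL_PATTERN),
        "code/stripped": matches_by_code(OBJECT_STRIPPED, HYPOTHETICAL_PATTERN),
    }


if __name__ == "__main__":
    for rule, hit in evaluate().items():
        print(f"{rule:18} {'MATCH' if hit else 'no match'}")
```

Running it shows the symbol rule firing only on the object that still exports the names, while the instruction-sequence rule fires on both. The trade-off the thread mentions is visible in the pattern: every byte that is wildcarded to survive relocations or recompilation is a byte a stripped-down rule can no longer use to rule out unrelated code, so such patterns should be long enough, and anchored on enough fixed opcode bytes, to keep false positives down on benign objects.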

Current thread:

Re: backdoor in upstream xz/liblzma leading to ssh server compromise, (continued)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Demi Marie Obenour (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 30)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Liguori, Anthony (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)

(Thread continues...)
