bolo boosted

Though they apparently include a tool to calculate offsets.
So yeah, this works on a fully-patched Ubuntu 22.04 system.

bolo boosted

An exploitation of the xz backdoor. Including notes, honeypot, and exploit demo.

github.com/amlweems/xzbot

#xz #xzbackdoor #InfoSec

bolo boosted
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanting to help. Could you imagine how happy that maintainer was? They were no longer alone.

And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
bolo boosted

@0xabad1dea that's a warning to malware state actors - do not get between a db guy and performance. They will fuck you up.

bolo boosted

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

More details in this thread: bsky.app/profile/did:plc:x2nsu

bolo boosted

Well this is fucking lovely....

Malicious code was discovered in the upstream tarballs of "xz" which then affects liblzma

Downstream there may be backdoors in various implementations of "sshd".

Versions Affected:

Fedora 41
Fedora Rawhide
openSUSE Tumbleweed
Debian testing, unstable, experimental distributions
Kali updates between March 26th and March 29th

Original notice here:
openwall.com/lists/oss-securit

Red Hat CVE: nvd.nist.gov/vuln/detail/CVE-2

Red Hat Security Blog Post: redhat.com/en/blog/urgent-secu

Arch Linux Security Post: archlinux.org/news/the-xz-pack

Debian Security Post: lists.debian.org/debian-securi

openSUSE Security Post: news.opensuse.org/2024/03/29/x

Kali Linux announcement: infosec.exchange/@kalilinux/11

CISA Advisory: cisa.gov/news-events/alerts/20

Article here: helpnetsecurity.com/2024/03/29

#infosec #linux #foss #hacking #cve20243094 #cve

bolo boosted

I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.

Really required a lot of coincidences.

bolo boosted

Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions ​​5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it.

The first signs of the backdoor were introduced in a February 23 update that added obfuscated code, officials from Red Hat said in an email. An update the following day included a malicious install script that injected itself into functions used by sshd, the binary file that makes SSH work. The malicious code has resided only in the archived releases—known as tarballs—which are released upstream. So-called GIT code available in repositories aren’t affected, although they do contain second-stage artifacts allowing the injection during the build time. In the event the obfuscated code introduced on February 23 is present, the artifacts in the GIT version allow the backdoor to operate.

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” an official with distributor OpenWall wrote in an advisory. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates.

arstechnica.com/security/2024/
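The excerpt above names xz Utils 5.6.0 and 5.6.1 as the releases carrying the malicious code, and the earlier post describes the symptom as sshd burning CPU inside liblzma. The script below is an added example, not code from any of the posts or from the xz project: it only checks whether the installed xz reports one of those two version strings and whether the sshd binary links liblzma (ldd lists transitive dependencies, so a liblzma pulled in through another library shows up too). The `ldd` sample text, the `check_host` helper and the `XZCHECK_RUN` switch are constructed for this example; a version match is a reason to act, not proof that the library on disk is the backdoored build, and a non-match from a rebuilt or renamed package proves nothing either.

```shell
#!/bin/sh
# Added example: host triage for the xz-utils releases named in the post above.
# It reports version strings and linkage only; it does not inspect liblzma's code.

# Return 0 if the argument names one of the two affected upstream releases.
# Accepts a bare version ("5.6.1") or the first line of `xz --version`
# ("xz (XZ Utils) 5.6.1"); the version is the last whitespace-separated token.
xz_version_vulnerable() {
    ver=${1##* }
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if the given `ldd` output shows liblzma being loaded.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample of `ldd /usr/sbin/sshd` output (not captured from a real
# host): a distribution that links sshd against libsystemd, which in turn
# brings in liblzma.
LDD_SAMPLE='	linux-vdso.so.1 (0x00007ffc00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Live check against the current host (hypothetical helper for this example).
check_host() {
    xzline=$(xz --version 2>/dev/null | head -n 1)
    if [ -z "$xzline" ]; then
        echo "xz not found in PATH"
    elif xz_version_vulnerable "$xzline"; then
        echo "AFFECTED xz version: $xzline"
    else
        echo "xz version not in the affected set: $xzline"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "$sshd_path links liblzma; compare the library version with the output above"
    else
        echo "sshd not found, or it does not link liblzma"
    fi
}

# Run the live check only when explicitly requested: XZCHECK_RUN=1 sh xzcheck.sh
if [ "${XZCHECK_RUN:-0}" = 1 ]; then
    check_host
fi
```

Package managers may report the version differently from `xz --version` (`dpkg -s xz-utils`, `rpm -q xz-libs`), and a distribution that shipped 5.6.x for only a few days may already have rolled back, so treat this as a first pass and follow the distribution advisories linked above for the authoritative fixed versions.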

bolo boosted

A reminder that many many of our Jewish friends don't agree with the #gaza_genocide
#IsraelGazawar

bolo boosted

Submarine cable map 2023
This new edition shows 529 cable systems and 1,444 landing points currently active or under construction.

submarine-cable-map-2023.teleg

bolo boosted

The true greatness of a successful company shows in its ability to make peace with its competitors, so at Christmas remember to send greetings not only to Jesus but also to Isaac Newton (1643-1727), the scientist born on December 25, who even without drugs was as brilliant and hyperproductive as if he were on amphetamines, and as surly and paranoid as if he were in withdrawal.

bolo boosted

Elon Musk bashed the German government for providing some help to migrants lost at sea (and promoted a far-right political party with Nazi roots) the same day that the UN revealed that more than 2,500 people have already drowned this year in the Mediterranean. businessinsider.com/elon-musk-

bolo boosted

A PoC for the Ivanti (MobileIron) RCE (CVE-2023-35078) has been uploaded on GitHub: github.com/vchan-in/CVE-2023-3

Can anyone confirm this is legit?

Mastodon Bida.im

An antifa, mostly Italian-speaking Mastodon instance based in Bologna

Tech stuff provided by Collettivo Bida