OSS backdoors: the folly of the easy fix Intelligence agencies and Big Tech, not hobbyists, should shoulder the responsibility for preventing the next xz-style hack.

“The maintainers of libcolorpicker.so can’t be the only thing that stands between your critical infrastructure and Russian or Chinese intelligence services.”

lcamtuf.substack.com/p/oss-backdo...

GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot

github.com/amlweems/xzbot

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

Woah. Backdoor in liblzma targeting ssh servers.

www.openwall.com/lists/oss-se...

It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…

Now I’m curious what it does in RSA_public_decrypt

I’m excited to be writing Rust in production again!