oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: "Michael.Karcher" <Michael.Karcher () fu-berlin de>
Date: Sun, 31 Mar 2024 19:13:35 +0200

On 29.03.2024 at 16:51, Andres Freund wrote:
> Florian Weimer first extracted the injected code in isolation, also attached,
> liblzma_la-crc64-fast.o, I had only looked at the whole binary. Thanks!

Thanks for your excellent write-up, and thanks to Florian Weimer for posting
the injected code.

> I am *not* a security researcher, nor a reverse engineer.  There's lots of
> stuff I have not analyzed and most of what I observed is purely from
> observation rather than exhaustively analyzing the backdoor code.

I am a reverse engineer, and tried some static analysis on that code. One
key feature is that the code does not contain any ASCII strings, neither in
clear text nor in obfuscated form. Instead, it recognizes all relevant
strings using one single deterministic finite automaton, a technique commonly
used to search for terms given by regular expressions.

I wrote a script that decodes the tables for the table-driven DFA and outputs
the strings recognized by it, accompanied by the "ID" assigned to the terminal
accepting state that represents that string.

You can find this script (and possibly other stuff I found interesting later)
at https://github.com/karcherm/xz-malware .

Kind Regards,
  Michael Karcher
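To illustrate the technique described above, here is an added example (not Michael Karcher's script and not code from the xz backdoor) of a table-driven DFA that recognises a fixed set of strings without any of them appearing as bytes in the tables, together with a decoder that walks the transition and accept tables to recover every recognised string and the ID of its accepting state. The keyword list, table layout and function names are all constructed for this example; the real backdoor's table encoding is not reproduced here.

```python
# Added example: a table-driven DFA that matches a fixed set of byte strings
# without storing them anywhere, plus a decoder that walks the tables to
# recover every recognised string together with the ID of its accepting state.
# The keyword list below is constructed for this example and is NOT taken
# from the xz backdoor; the table layout is likewise an assumption.

ALPHABET = 256   # one table column per input byte
NO_STATE = -1    # table entry meaning "no transition from here on this byte"


def build_dfa(keywords):
    """Compile keywords into (transitions, accept_id).

    transitions: flat list, index state*ALPHABET + byte -> next state or NO_STATE
    accept_id:   list, state -> terminal ID (1-based) or 0 if not accepting
    The automaton is a trie, so every keyword ends in its own accepting state.
    """
    transitions = [NO_STATE] * ALPHABET   # state 0 is the start state
    accept_id = [0]
    for ident, word in enumerate(keywords, start=1):
        state = 0
        for b in word.encode():
            nxt = transitions[state * ALPHABET + b]
            if nxt == NO_STATE:
                nxt = len(accept_id)              # allocate a fresh state
                transitions.extend([NO_STATE] * ALPHABET)
                accept_id.append(0)
                transitions[state * ALPHABET + b] = nxt
            state = nxt
        accept_id[state] = ident                  # terminal state carries the ID
    return transitions, accept_id


def lookup(transitions, accept_id, data):
    """Run the DFA over data; return the ID if it is exactly a keyword, else 0."""
    state = 0
    for b in data:
        state = transitions[state * ALPHABET + b]
        if state == NO_STATE:
            return 0
    return accept_id[state]


def extract_strings(transitions, accept_id, max_len=64):
    """Analysis step: recover every accepted string and its terminal ID.

    Only the tables are needed; the strings are reconstructed from the
    sequence of bytes that leads to each accepting state.  max_len bounds
    the walk so that a DFA containing cycles cannot make it run forever.
    """
    found = []
    stack = [(0, b"")]
    while stack:
        state, prefix = stack.pop()
        if accept_id[state]:
            found.append((prefix.decode("latin-1"), accept_id[state]))
        if len(prefix) >= max_len:
            continue
        base = state * ALPHABET
        for b in range(ALPHABET):
            nxt = transitions[base + b]
            if nxt != NO_STATE:
                stack.append((nxt, prefix + bytes([b])))
    return sorted(found, key=lambda item: item[1])


# Constructed keyword list for the demonstration (shared prefixes show why a
# trie-shaped DFA keeps no copy of the individual strings).
KEYWORDS = ["key", "keyboard", "lock", "unlock"]

if __name__ == "__main__":
    trans, acc = build_dfa(KEYWORDS)
    # The tables contain only state numbers, never the keyword bytes:
    print("states:", len(acc), "table entries:", len(trans))
    for s, ident in extract_strings(trans, acc):
        print(f"ID {ident}: {s!r}")
    print("lookup('keyboard') ->", lookup(trans, acc, b"keyboard"))
```

Running the decoder over tables built for the constructed list prints each keyword with its ID (1 to 4), which is the kind of output the analysis script described above produces for the real tables; `lookup` shows how the matcher consumes one byte per transition and rejects inputs that fall off the table.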

