June 24th, 2024

XZ backdoor: Hook analysis

Kaspersky experts analyzed the XZ backdoor in OpenSSH 9.7p1, revealing hidden connections, SSH authentication bypass, and remote code execution capabilities. The backdoor manipulates RSA keys, uses steganography, and executes commands.


Kaspersky experts analyzed the behavior of the XZ backdoor inside OpenSSH, specifically version 9.7p1. The backdoor hides unauthorized connections, bypasses SSH authentication, and enables remote code execution on infected servers. Key findings include an anti-replay feature, custom steganography that hides the attacker's public key, and log-hiding capabilities. The backdoor hooks functions involved in RSA key handling and exposes remote command execution. With it, the attacker can log in with any username/password, since the checks are skipped, and execute system commands. The backdoor uses an ED448 public key extracted from the binary for payload decryption and signature verification. Payload decryption relies on ChaCha20, and the payload signature, produced with the attacker's private key, is checked against that embedded public key. The backdoor's commands include bypassing SSH authentication, remote command execution via the 'system' call, and closing the pre-auth session. The analysis details the process of extracting the public key, decrypting the payload, and executing commands with root or non-root privileges.

Related

Reconstructing Public Keys from Signatures


The blog delves into reconstructing public keys from signatures in cryptographic schemes like ECDSA, RSA, Schnorr, and Dilithium. It highlights challenges, design choices, and security considerations, emphasizing the complexity and importance of robust security measures.

Simple ways to find exposed sensitive information


Various methods to find exposed sensitive information are discussed, including search engine dorking, Github searches, and PublicWWW for hardcoded API keys. Risks of misconfigured AWS S3 buckets are highlighted, stressing data confidentiality.

Vulnerability in Popular PC and Server Firmware


Eclypsium found a critical vulnerability (CVE-2024-0762) in Intel Core processors' Phoenix SecureCore UEFI firmware, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, emphasizing the significance of supply chain security.

I found an 8 years old bug in Xorg


A picom developer found an 8-year-old Xorg bug stemming from epoll misuse. The bug caused windows to disappear while the server was locked and was traced to CloseDownClient events. Despite its limited impact, the developer is looking for an alternative way to track window tree updates, and stresses the value of testing and debugging tools.

Arbitrary shell command evaluation in Org Mode (GNU Emacs)


A vulnerability in Emacs Org mode allowed arbitrary shell command execution. The fix shipped in Emacs 29.4 and Org 9.7.5 prevents unsafe code evaluation in link abbreviations; users are advised to apply the patch.
