Download xz Utils infected distro version (lemmy.blahaj.zone)

submitted 1 week ago by emidio@lemmy.blahaj.zone to c/linux@lemmy.ml

5 comments fedilink hide all child comments

Hi ! I want to demo the backdoor usage and would like to install a unstable/test version of a distribution (possibly Debian or Fedora) that had the backdoor (v5.6.0 or 5.6.1 of xz/liblzma and patched openssh for systemd notification)

How could I do that?

I will be using xzbot from amlweems to further patch liblzma but I want a distro that has openssh run by systemd that links to the correct liblzma version

Thank you!

top 5 comments

sorted by: hot top controversial new old

[-] cypherpunks@lemmy.ml 25 points 1 week ago* (last edited 1 week ago)

A daily ISO of Debian testing or Ubuntu 24.04 (noble) beta from prior to the first week of April would be easiest, but those aren't archived anywhere that I know of. It didn't make it in to any stable releases of any Debian-based distros.

But even when you have a vulnerable system running sshd in a vulnerable configuration, you can't fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).

But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.

[-] emidio@lemmy.blahaj.zone 7 points 1 week ago* (last edited 1 week ago)

Oh thank you so much for these instructions I'll go through them on my computer.

I indeed wanted to know if the versions were still downloadable anywhere but if you can still install the correct liblzma version on any version of the distribution that works. I tried on a Debian VM on mac but with too little knowledge and it never run the correct liblzma

xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

[-] cypherpunks@lemmy.ml 5 points 1 week ago* (last edited 1 week ago)

xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

Fun :)

Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would've been in late March and then run that in a VM... or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository url (typically https://deb.debian.org/debian/).

[-] GolfNovemberUniform@lemmy.ml 6 points 1 week ago

Isn't the backdoor locked to its developer's key so nobody else can use it?

[-] emidio@lemmy.blahaj.zone 10 points 1 week ago

Yes, indeed the backdoor code checks, in the event of ssh authentication with a certificate, that it was signed with a specific ssh private key (their own CA), the corresponding public key being hardcoded in the backdoor code.

But this project xzbot demonstrates how to patch the corrupted liblzma to replace the key

this post was submitted on 08 May 2024

38 points (93.2% liked)

Linux

44537 readers

949 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz