Vulnerability report written by the TA team by analyzin "XZ Utils Backdoor"
The XZ Utils backdoor is a backdoor that attackers have been preparing since 2001. It was discovered that a malicious user inserted malicious code into the open source XZ repository and distributed it without proper verification.
The vulnerability was initially reported as an SSH authentication bypass backdoor, but upon further analysis, it was actually changed to an RCE vulnerability. XZ Utils and its base library, liblzma, are open source projects that build lzma compression and decompression. It is included by default in many Linux distributions, is very popular with developers, and is widely used throughout the Linux ecosystem.
XZ Utils is a backdoor malware that can receive commands from an attacker on an infected system and perform functions such as executing commands.
Such open source software supply chain attacks cannot simply be prevented with piecemeal methods such as secure coding or mock hacking, so countermeasures must be considered from various perspectives. Supply chain attacks against open sources such as this vulnerability require special attention.
Our MONITORAPP is constantly monitoring the latest vulnerabilities.
1. Overview
The XZ Utils backdoor is a backdoor that attackers have been preparing since 2001 and was discovered when a malicious user injected malware into the publicly available open source XZ repository and deployed it without proper validation.
The vulnerability was initially reported as an SSH authentication bypass backdoor, but upon further analysis, it was changed to an RCE vulnerability. XZ Utils and its base library, liblzma, are open source projects that build lzma compression and decompression.
They are included by default in many Linux distributions, are very popular with developers, and are widely used throughout the Linux ecosystem.
2. Attack Analysis
The XZ Utils backdoor consists of several elements and has been introduced several times.
2.1 Element
- Use of IFUNC in the build process to hijack symbol resolution functionality with malware
- Inclusion of obfuscated and hidden shared objects in test files
- Execution of a set of scripts that extract shared objects during the library build process
- Disable landlocking, a security feature that limits process privileges
2.2 Execution Chain
- During the library's build process, the malicious script build-to-host.m4 is executed, decoding the test file bad-3-corrupt_lzma2.xz into a bash script
- The bash script runs a more complex decoding process on another test file, good-large_compressed.lzma, which is then decoded by another script
- This script extracts the shared object liblzma_la-crc64-fast.o, which is added to liblzma's compilation process
The photo above is an illustration of 2.1 Elements, 2.2 Execution Chain.
source : https://twitter.com/fr0gger_/status/1774342248437813525
2.3 Run RCE
- After doing the above, the function checks for an attacker, extracts the command from the authentication client's certificate, passes it to the system() function to execute, and runs the RCE before authentication.
3. Countermeasures
Backdoor malware is a difficult vulnerability to pattern due to the fact that it requires up-front actions such as uploading a file to eventually plant the malware, and binaryized malware is difficult to detect as a pattern.
We are monitoring for cases similar to the XZ Utils vulnerability.
4. Conclusion
XZ Utils is a backdoor malware that can take commands from an attacker on an infected system and perform functions such as executing commands.
Open source software supply chain attacks such as this cannot be prevented by piecemeal methods such as secure coding or penetration testing, so countermeasures must be considered from multiple perspectives. Supply chain attacks on open source, such as this vulnerability, require special attention.
Our MONITORAPP is constantly monitoring for the latest vulnerabilities.