LogFAQs > #979756518

LurkerFAQs, Active Database ( 12.01.2023-present ), DB1, DB2, DB3, DB4, DB5, DB6, DB7, DB8, DB9, DB10, DB11, DB12, Clear

Topic List	Page List: 1
Topic	the xz backdoor was caught before it could be used
Anteaterking 04/05/24 10:11:17 PM #23:	pikakaeru posted... tldr on what it can do? openssh is the main way that people log into other computers from Linux (e.g. I ssh into different machines at my workplace through it). xz is a dependency for things that are dependencies for ssh even though it doesn't directly use it, so when you're installing your operating system (or updating it), it gets to load before openssh does. It took advantage of this to backdoor openssh. What does the backdoor do? Ssh uses certificates the same way that when you go to sites on the internet certificates are exchanged that are like "yes you can trust me that I'm gamefaqs.com". The attacker set it up so that any message that was signed with their private certificate would be run by the system at the level of root (the most powerful permission in linux, think "admin") because ssh has to run as root even if the person running it doesn't have root permissions. So at this point they have remote code execution, which means they could run any command they wanted on any computer that had this back door and likely would have used this as vector to drop down actual tooling that lets them e.g. steal credentials, take files, etc. --- http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg <cite>Anteaterking posted [p:979756518] in the xz bac... [t:80740090]...</cite> <quote>pikakaeru posted... </cite><quote>tldr on what it can do?</quote>openssh is the main way that people log into other computers from Linux (e.g. I ssh into different machines at my workplace through it). xz is a dependency for things that are dependencies for ssh even though it doesn't directly use it, so when you're installing your operating system (or updating it), it gets to load before openssh does. It took advantage of this to backdoor openssh.What does the backdoor do? Ssh uses certificates the same way that when you go to sites on the internet certificates are exchanged that are like "yes you can trust me that I'm gamefaqs.com". The attacker set it up so that any message that was signed with their private certificate would be run by the system at the level of root (the most powerful permission in linux, think "admin") because ssh has to run as root even if the person running it doesn't have root permissions.So at this point they have remote code execution, which means they could run any command they wanted on any computer that had this back door and likely would have used this as vector to drop down actual tooling that lets them e.g. steal credentials, take files, etc. --- http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpghttp://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg</quote> ... Copied to Clipboard!
Topic List	Page List: 1