Current Events > the xz backdoor was caught before it could be used

Tyranthraxus
04/05/24 8:52:27 PM
#1:


because a Microsoft engineer was trying to diagnose unrelated performance issues and stumbled on it by accident, basically.

https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/

This was like mythical shit that you usually only see in ridiculous Hollywood movies but for real. There's rumors a state actor may be implicated in it (most likely from China) so there's not much info about it at the moment as the NSA is trying to keep everything secret.


---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Tyranthraxus
04/05/24 9:24:07 PM
#2:


I'm legitimately shocked no one cares about this

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
BewmHedshot
04/05/24 9:28:06 PM
#3:


I had legitimately never heard of XZ Utils until this week. Scary the amount of stuff that relies on things nobody ever thinks about.
Tyranthraxus
04/05/24 9:29:34 PM
#4:


BewmHedshot posted...
I had legitimately never heard of XZ Utils until this week. Scary the amount of stuff that relies on things nobody ever thinks about.

I remember the left-pad issue from years ago basically broke the Internet because of build dependency failures. That wasn't a hack or anything, that was just one dude being pissy and deleting his own repository.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Powdered_Toast
04/05/24 9:32:22 PM
#5:


Fucked up that everyone was willing to trust some rando nobody who straight up went "hey, don't check this update for malicious stuff :^)"

---
Want some rye? 'Course ya do!
itcheyness
04/05/24 9:35:21 PM
#6:


BewmHedshot posted...
I had legitimately never heard of XZ Utils until this week. Scary the amount of stuff that relies on things nobody ever thinks about.

https://gamefaqs.gamespot.com/a/forum/5/55df5722.jpg

---
Seattle Sounders 0-3-2 2 points
261 Refugee
Tyranthraxus
04/05/24 9:35:25 PM
#7:


Powdered_Toast posted...
Fucked up that everyone was willing to trust some rando nobody who straight up went "hey, don't check this update for malicious stuff :^)"
This was a slow bake over 3 years. It wasn't like they just PR'd a backdoor.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
BlueKat
04/05/24 9:37:09 PM
#8:


itcheyness posted...
https://gamefaqs.gamespot.com/a/forum/5/55df5722.jpg
I thought the internet was made of tubes not Jenga blocks?!

---
There is no good. There is no evil. There just is.
Tyranthraxus
04/05/24 9:46:25 PM
#9:


BlueKat posted...
I thought the internet was made of tubes not Jenga blocks?!

It's definitely jenga blocks.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Bugmeat
04/05/24 9:52:05 PM
#10:


Tyranthraxus posted...
the NSA is trying to keep everything secret.

Well of course. They don't want it looked at too closely or someone might find the backdoor access that they have too.


---
It's not a war crime the first time.
Anteaterking
04/05/24 9:52:30 PM
#11:


There were so many little clever pieces of setting this up but I think they still would have been caught with how hard they were pushing for the new version to get integrated.

---
http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg
http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg
pikakaeru
04/05/24 9:53:22 PM
#12:


tldr on what it can do?

---
Pikakaeru, use water gun!
TheGoldenEel
04/05/24 9:56:16 PM
#13:


Heard about this but I don't really know what any of it means

I don't use Linux but the idea that some random person can just come in and commit something like this to critical, ubiquitous software is insane to me

---
BLACK LIVES MATTER
Games: http://backloggery.com/wrldindstries302 \\ Music: http://www.last.fm/user/DrMorberg/
Tyranthraxus
04/05/24 10:00:36 PM
#14:


pikakaeru posted...
tldr on what it can do?

It was literally a genuine intrusion backdoor. Almost anything was on the table.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
pikakaeru
04/05/24 10:01:59 PM
#15:


everywhere? all systems?

---
Pikakaeru, use water gun!
Null_Gain
04/05/24 10:02:14 PM
#16:


I can't even pretend to understand what any of that means but it sounds like years of work was luckily discovered

---
Series S + Switch
"Don't steal, stop being ignorant and respect other peoples beliefs." -perthboy on flying a Nazi flag
Tyranthraxus
04/05/24 10:02:59 PM
#17:


pikakaeru posted...
everywhere? all systems?
Anything that used xz utils, which was an extremely common Linux package that linked to a lot of compiled binaries.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
pikakaeru
04/05/24 10:04:40 PM
#18:


oh so only Linux not windows or mac?

---
Pikakaeru, use water gun!
Powdered_Toast
04/05/24 10:06:01 PM
#19:


Tyranthraxus posted...
This was a slow bake over 3 years. It wasn't like they just PR'd a backdoor.
I'll admit I don't really know how this stuff works, but 3 years doesn't really seem like a long time for something as big as this. I've seen pointless internet drama infiltrations cook over a period of a few years.
Bugmeat posted...
Well of course. They don't want it looked at too closely or someone might find the backdoor access that they have too.
Look, this incident proves that we can't trust the modern digital infrastructure jenga tower to random internet people, we obviously have to hand it over to the US government.

---
Want some rye? 'Course ya do!
Tyranthraxus
04/05/24 10:06:53 PM
#20:


Null_Gain posted...
I can't even pretend to understand what any of that means but it sounds like years of work was luckily discovered

Here's a dumbed-down technical explanation.

I create bad code.
I put bad code into digital certificate.
I attempt to make SSH connection using digital certificate and backdoor key.
xz utils runs the bad code in the certificate automatically.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Starks
04/05/24 10:08:02 PM
#21:


Unless you were running Arch or Ubuntu nightlies, you were not affected. It could have been very bad if this made it into long-term support releases of various distros.

xz is under-maintained. Already seeing a few projects moving to zstd.

---
Paid for by StarksPAC, a registered 501(c)(4)
Tyranthraxus
04/05/24 10:09:09 PM
#22:


pikakaeru posted...
oh so only Linux not windows or mac?

It might affect Mac but this was mostly targeted towards enterprise linux

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Anteaterking
04/05/24 10:11:17 PM
#23:


pikakaeru posted...
tldr on what it can do?

openssh is the main way that people log into other computers from Linux (e.g. I ssh into different machines at my workplace through it). xz is a dependency for things that are dependencies for ssh even though it doesn't directly use it, so when you're installing your operating system (or updating it), it gets to load before openssh does. It took advantage of this to backdoor openssh.

What does the backdoor do? SSH uses certificates the same way that when you go to sites on the internet certificates are exchanged that are like "yes you can trust me that I'm gamefaqs.com". The attacker set it up so that any message that was signed with their private certificate would be run by the system at the level of root (the most powerful permission in linux, think "admin") because ssh has to run as root even if the person running it doesn't have root permissions.

So at this point they have remote code execution, which means they could run any command they wanted on any computer that had this back door and likely would have used this as a vector to drop down actual tooling that lets them e.g. steal credentials, take files, etc.

---
http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg
http://i18.photobucket.com/albums/b136/Anteaterking/scan00021.jpg
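The chain Anteaterking describes (sshd pulls in a library that itself pulls in xz's liblzma, so a backdoored liblzma ends up loaded inside the sshd process) is something you can check on your own hosts. The script below is an added example, not code from this thread or from the xz project: it reads the DT_NEEDED entries of sshd and of every library sshd links, two levels deep, and prints any chain that ends in liblzma; it also compares the installed xz version against the two upstream releases that shipped the backdoor, 5.6.0 and 5.6.1. It assumes a Linux host with `readelf` (binutils) and `ldd`. The readelf and ldd lines shown in the comments are constructed samples of the real output formats.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): does this host's sshd
# reach liblzma at load time, and is the installed xz one of the two upstream
# releases that carried the backdoor? Assumes Linux with readelf and ldd.

# Read `readelf -d` output on stdin and print each DT_NEEDED soname. Lines look like
#   0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
parse_needed() {
    awk '/\(NEEDED\)/ { gsub(/\[|\]/, "", $NF); print $NF }'
}

# Read `ldd` output on stdin and print the path the loader resolves $1 to. Lines look like
#   libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f...)
resolve_soname() {
    awk -v so="$1" '$1 == so && $2 == "=>" { print $3; exit }'
}

# The first line of `xz --version` is "xz (XZ Utils) 5.6.1"; print the version.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Exit 0 if $1 is one of the two upstream releases that shipped the backdoor.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Walk sshd -> each library it needs -> each library those need, printing every
# chain that ends in liblzma. Two levels cover the sshd -> libsystemd -> liblzma
# case. Load-time linkage only: a library pulled in later with dlopen() is not seen.
sshd_lzma_chains() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || { echo "sshd not found" >&2; return 2; }
    ldd_out=$(ldd "$sshd" 2>/dev/null) || return 2
    for lib in $(readelf -d "$sshd" | parse_needed); do
        case "$lib" in liblzma.so*) echo "$sshd -> $lib" ;; esac
        path=$(printf '%s\n' "$ldd_out" | resolve_soname "$lib")
        [ -n "$path" ] && [ -r "$path" ] || continue
        for sub in $(readelf -d "$path" | parse_needed); do
            case "$sub" in liblzma.so*) echo "$sshd -> $lib -> $sub" ;; esac
        done
    done
    return 0
}

main() {
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "xz: not installed"
    elif xz_version_affected "$v"; then
        echo "xz $v: AFFECTED upstream release, replace it"
    else
        echo "xz $v: not an affected upstream release"
    fi
    chains=$(sshd_lzma_chains) || return 0
    if [ -n "$chains" ]; then
        echo "sshd reaches liblzma through:"
        echo "$chains"
    else
        echo "sshd does not link liblzma at load time"
    fi
    return 0
}

main
```

Both halves matter: upstream OpenSSH does not link libsystemd at all, the link comes in through the sd_notify patch that Debian- and Fedora-family packages apply to sshd, so a host can have an affected xz with an sshd that never loads it, and vice versa. If either line fires, install your distribution's fixed package rather than editing anything by hand; the version string is printed by the code that is actually installed.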
masterbarf
04/05/24 10:11:23 PM
#24:


Null_Gain posted...
I can't even pretend to understand what any of that means but it sounds like years of work was luckily discovered
Mr. Potato Head. Mr. Potato Head.

---
https://i.imgur.com/SJyzEFW.png by SmidgeIsntBack
Dungeater
04/05/24 10:11:54 PM
#25:


Tyranthraxus posted...
I create bad code.
I put bad code into digital certificate.
I attempt to make SSH connection using digital certificate and backdoor key.
xz utils runs the bad code in the certificate automatically.
this is like the code jargon version of "draw the rest of the owl"

---
My fate was the grandest, most brilliant of them all.
He/Him
BewmHedshot
04/05/24 10:12:38 PM
#26:


itcheyness posted...
https://gamefaqs.gamespot.com/a/forum/5/55df5722.jpg
Believe it or not I've seen this comic before
Tyranthraxus
04/05/24 10:20:01 PM
#27:


Dungeater posted...
this is like the code jargon version of "draw the rest of the owl"

Ok so there's multiple ways of authentication. Most people are probably familiar with username/password, but for people who want more security, they can use a certificate/key. The two systems decrypt the certificates with the key to compare them and let you in if they match.

Think of it like a photo id. You buy something with a credit card (key) and I ask to see your photo id, then I look up your credit card in my system to pull the photo of you that I already have and check to see if they match. If they don't, I know you have a fake id.

Except in this case your photo ID has secret hypnotoad mind control and me looking at your id makes me open the register and give you all the cash and forget you were ever in the store.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Tyranthraxus
04/05/24 10:20:53 PM
#28:


BewmHedshot posted...
Believe it or not I've seen this comic before
It's xkcd

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Dungeater
04/05/24 10:29:17 PM
#29:


Tyranthraxus posted...
Except in this case your photo ID has secret hypnotoad mind control and me looking at your id makes me open the register and give you all the cash and forget you were ever in the store.
thats so epic

---
My fate was the grandest, most brilliant of them all.
He/Him
Shotgunnova
04/05/24 10:31:43 PM
#30:


XZ Backdoor sounds like a Yugioh card.

---
Take me down from the ridge where the summer ends
And watch the city spread out just like a jet's flame
ellis123
04/05/24 10:34:55 PM
#31:


Shotgunnova posted...
XZ Backdoor sounds like a Yugioh card.
XYZ Backdoor. The card with more text than the Linux kernel.

---
"A shouted order to do something of dubious morality with an unpredictable outcome? Thweeet!"
My FC is in my profile.
hereforemnant
04/05/24 10:45:00 PM
#32:


Yeah the Linux backdoor for this I heard about from Mutahar, most of it goes over my head, but it's kinda why people go on about open source programming so much. But the same measure that there can be horrible back doors to something, if people are keen eyed enough they can look through everything & spot one in a billion issues like this
Error1355
04/05/24 10:54:37 PM
#33:


First I heard about this, fuckin wild.

---
I'm a long, long way from giving up
Call me old-fashioned, call me a fool
kirbymuncher
04/05/24 11:49:08 PM
#34:


Tyranthraxus posted...
I'm legitimately shocked no one cares about this
probably because you're a while late <_<

actually looking at the specifics of conversations around the dev of this and the pull requests themselves is crazy. like just look at this commit: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7

Even knowing there is a change in here with malicious intent, it's hard to see. Even knowing specifically which file it's in (the very first one, CMakeLists.txt) it's still hard to see

---
THIS IS WHAT I HATE A BOUT EVREY WEBSITE!! THERES SO MUCH PEOPLE READING AND POSTING STUIPED STUFF
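On why a change in a file like CMakeLists.txt is so hard to spot: build systems enable an optional feature only when a small probe program compiles (CMake's `check_c_source_compiles()` works this way, and xz's CMake build uses such a probe for its Landlock sandbox). Anything that makes the probe fail, including one stray character inside the quoted probe source, reads to the build as "feature not available" and produces no error. The script below is my added illustration, not the xz commit linked above and not the project's build code: it reimplements that probe logic in plain sh and runs it on a clean probe and on the same probe with a single extra character. It assumes a C compiler is reachable as `cc`; the probe sources are constructed.

```shell
#!/bin/sh
# Added example (not xz's build code): a configure-time "does this compile?"
# probe, and how one stray character in the probe turns a feature off.
# Assumption: a C compiler is reachable as `cc`; otherwise the probe returns 2.

# Compile the C snippet in $1 and return 0 only if it compiles, like CMake's
# check_c_source_compiles(). The build file then defines HAVE_<feature> from
# that result, so ANY compile error, planted or accidental, is reported as
# "feature not available" and leaves no error in the build log.
feature_compiles() {
    command -v cc >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$1" > "$dir/probe.c"
    if cc -c -o "$dir/probe.o" "$dir/probe.c" >/dev/null 2>&1; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Constructed probe that compiles on any C toolchain. A real sandbox probe
# would include the sandbox headers instead (for Landlock, <linux/landlock.h>).
GOOD_PROBE='#include <stdio.h>
int main(void) { return 0; }'

# The same probe with a single "." on a line of its own. In a diff this is a
# one-character addition inside a quoted string, easy to skim past, but a bare
# "." at file scope is a C syntax error, so the probe can never compile.
BAD_PROBE='#include <stdio.h>
.
int main(void) { return 0; }'

# Print what the build would decide for a probe, and return the probe result.
decide() {
    feature_compiles "$2"
    rc=$?
    case $rc in
        0) echo "$1: compiled      -> HAVE_SANDBOX=1, sandbox built in" ;;
        1) echo "$1: did not build -> HAVE_SANDBOX=0, sandbox silently left out" ;;
        *) echo "$1: no C compiler found, probe not run" ;;
    esac
    return $rc
}

main() {
    decide "clean probe     " "$GOOD_PROBE"
    decide "probe + stray ." "$BAD_PROBE"
    return 0
}

main
```

The practical check this suggests for any build system: when a feature you expect is reported as unavailable, look at the probe's compiler output (CMake keeps it in CMakeFiles/CMakeError.log) rather than trusting the summary line, and in review treat edits to quoted probe source with the same care as edits to the code it guards.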
Tyranthraxus
04/05/24 11:52:13 PM
#35:


kirbymuncher posted...
probably because you're a while late <_<
I mean the article is only 3 days old and I haven't seen anyone else here talking about it. It's not breaking news but it's not exactly stale either. It also had the benefit of getting shut down before it could be used. This had the potential to be worse than the SolarWinds hack.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
kirbymuncher
04/05/24 11:59:39 PM
#36:


Tyranthraxus posted...
It's not breaking news but it's not exactly stale either.
I guess that's true, my perspective is somewhat skewed by the sorts of people I hang around with (bunch of tech nerds). I had all my conversations related to this a week ago back when it was discovered. I think that's probably why you don't really see talk about it somewhere like here; it's sort of inscrutable to people without some tech background, and many of those who do have the tech background would be hearing about it more quickly in other channels.

The fact that it's not even a hack, it's just a thing that could have become a hack but didn't because they got caught first doesn't really make for an exciting story if you don't also understand some of the background info, the seriousness, the sorts of open-source culture involved, etc


---
THIS IS WHAT I HATE A BOUT EVREY WEBSITE!! THERES SO MUCH PEOPLE READING AND POSTING STUIPED STUFF
TheGoldenEel
04/06/24 12:45:43 AM
#37:


Tyranthraxus posted...
I mean the article is only 3 days old and I haven't seen anyone else here talking about it. It's not breaking news but it's not exactly stale either. It also had the benefit of getting shut down before it could be used. This had the potential to be worse than the SolarWinds hack.
The problem is how hard it is for you to explain the problem in layman's terms

most of the posts itt don't mean anything to anybody. I have a degree in computer science and I develop software for a living and I needed the ELI5 version to even understand it

for how wide reaching it could potentially be its still a very niche thing

---
BLACK LIVES MATTER
Games: http://backloggery.com/wrldindstries302 \\ Music: http://www.last.fm/user/DrMorberg/