Google engineers explain the backdoor script installed in the compression tool 'XZ Utils' used in Linux environments



On March 29, 2024, it was revealed that the compression tool XZ Utils had a malicious backdoor installed. Google engineer Russ Cox explains the shell script used by the attacker in the backdoor attack.

research!rsc: The xz attack shell script
https://research.swtch.com/xz-script



A chronological summary of how the attack on XZ Utils was carried out can be found in the article below.

Timeline summary of backdoor attack on XZ Utils - GIGAZINE



Cox said that this attack can be roughly divided into two parts: a shell script part and an object file part. The shell script is injected while 'configure', which adapts the build to the environment, is running, and it in turn injects code into the 'make' step that compiles the source, adding the malicious object file to the build.

Both the malicious shell script and the object file were compressed, encrypted, embedded in binary files, and added to the repository as 'test files.' Binary test files of this kind had been present in the repository for some time to exercise the file-handling code, so the attacker appeared to be simply adding a few more.

The object file added at this point contained a bug that caused problems with the dynamic analysis tool Valgrind, so the attacker had to update the test files to fix it. Realizing that a better update mechanism was needed, the attacker replaced the files under a commit explaining that 'The original files were randomly generated locally on my machine. In order to better reproduce these files in the future, the files were recreated using a seed,' and at the same time added a function that searches the new test files for an updated script.



The shell script used in this attack calls the malicious object file's _get_cpuid function as part of a GNU indirect function (ifunc) resolver. In principle such resolvers can be called at any time during program execution, but as a security measure all resolvers are run at the dynamic linking stage at the very beginning of program startup, after which the global offset table (GOT) and procedure linkage table (PLT) are mapped read-only so that they cannot be modified by, for example, a buffer overflow.

In this attack, however, the attacker arranged for the ifunc resolver to run early enough in program startup that it could still modify tables which should otherwise be read-only. It hijacks the table entry for 'RSA_public_decrypt' and redirects it so that the attacker's code is executed when the appropriate SSH certificate is presented.
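The protection described above (ifunc resolvers run during dynamic linking, after which the GOT and PLT are mapped read-only) can be audited on a defender's own binaries. The following is an added example, not code from Cox's post or from the XZ Utils project: it parses an ELF64 little-endian file's program headers and dynamic section to report whether RELRO is absent, partial or full, and lists the exported GNU ifunc symbols whose resolvers run before the tables are locked. The `_get_cpuid` name in the constructed fixture is taken from the article; the fixture itself is a hand-built, non-loadable ELF used only for demonstration.

```python
import struct
# ELF constants from the ELF and glibc ABI specifications
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
SHT_DYNSYM, STT_GNU_IFUNC = 11, 10


def analyze_elf(data: bytes) -> dict:
    """Report RELRO level ('none', 'partial', 'full') and exported GNU ifunc symbols."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1: raise ValueError("not a little-endian ELF64 file")
    phoff, shoff = struct.unpack_from("<QQ", data, 0x20)
    phentsize, phnum, shentsize, shnum = struct.unpack_from("<HHHH", data, 0x36)
    has_relro, bind_now, dyn = False, False, None
    for i in range(phnum):  # program headers: look for PT_GNU_RELRO and PT_DYNAMIC
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO: has_relro = True
        elif p_type == PT_DYNAMIC: dyn = (p_off, p_filesz)
    if dyn:  # BIND_NOW: every PLT entry is resolved at startup, so RELRO can cover the GOT too
        for off in range(dyn[0], dyn[0] + dyn[1], 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL: break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    ifuncs = []
    for sh in sections:  # walk .dynsym; STT_GNU_IFUNC symbols carry resolvers that run at load time
        if sh[1] != SHT_DYNSYM: continue
        strtab_off = sections[sh[6]][4]  # sh_link points at the matching .dynstr
        for off in range(sh[4], sh[4] + sh[5], 24):
            st_name, st_info = struct.unpack_from("<IB", data, off)
            if st_info & 0xF == STT_GNU_IFUNC:
                start = strtab_off + st_name
                ifuncs.append(data[start:data.index(b"\0", start)].decode())
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"relro": relro, "ifuncs": ifuncs}


def build_sample_elf(relro: bool, now: bool) -> bytes:
    """Constructed fixture: a minimal, non-loadable ELF64 exporting one ifunc; not a real library."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW if now else 0) + struct.pack("<qQ", DT_NULL, 0)
    strtab = b"\0_get_cpuid\0memcpy\0".ljust(32, b"\0")
    sym = lambda name, typ: struct.pack("<IBBHQQ", name, 0x10 | typ, 0, 1, 0, 0)  # STB_GLOBAL binding
    symtab = bytes(24) + sym(1, STT_GNU_IFUNC) + sym(12, 2)  # null symbol, ifunc, plain STT_FUNC
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 0xB0, 0, 0, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 1, 4, 0, 0, 0, 0, 0, 1)
    shdr = lambda typ, off, size, link, ent: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, ent)
    shdrs = bytes(64) + shdr(SHT_DYNSYM, 0xF0, len(symtab), 2, 24) + shdr(3, 0xD0, len(strtab), 0, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0x40, 0x138, 0, 64, 56, 2, 64, 3, 2)
    return ehdr + phdrs + dyn + strtab + symtab + shdrs
```

To check a real shared library, call `analyze_elf(open(path, "rb").read())`; a result of anything other than "full" means the GOT stays writable after startup, and a non-empty ifunc list shows which resolvers run before it is locked regardless.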

The above is only a brief outline of how the shell script part of the attack works; on his blog, Cox explains the script's operation line by line, so if you are interested, please check it out.

in Software, Posted by log1d_ts