Posts about the xz attack

Not_Oles

Timeline: https://research.swtch.com/xz-timeline

Attack shell script: https://research.swtch.com/xz-script

nullnothere

https://github.com/amlweems/xzbot is good (also referenced via "Further Reading" section in Timeline URL above).

Not_Oles

Took a quick look! Wow! Seems very good! Now I am going to have to look at all the links in the "Further Reading" section.

wankel

Wow, it may not be enough for a movie script, but it sure is an interesting read!

If the Internet had better enforcement of the "don't be a dick"-rule, the maintainer may not have gotten pressured into sharing maintainership after abusive language from 'the community'.

On the other hand: given a goal and a long enough timeline, also without getting abusive, any organization (or private person) could create a persona to implement this kind of attacks (as, I guess, has crossed many of our minds even before this came to light)

Thanks for sharing!

somik

LTS FTW!

Back when I first started (20+ years ago?) I never understood why people do not use latest packages and stick to older packages. I guess there are pitfalls like the above other then the usual older packages being more stable.

@Not_Oles not sure where you found the research and to be honest, most of it went over my head. But one thing is clear. This is an attempt by someone (or a group) who knows what they are doing and how to prevent from being found out.

Jab

Does this really need new topic, what is wrong with the one we already have?
https://lowendspirit.com/discussion/7588/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise-openwall-com-via-hacker-news#latest

Not_Oles

@somik said: @Not_Oles not sure where you found the research

HN

and to be honest, most of it went over my head.

Me too.

But one thing is clear. This is an attempt by someone (or a group) who knows what they are doing and how to prevent from being found out.

Yes, and even more:

"giving the attacker the ability to run an arbitrary command on the target system without logging in: unauthenticated, targeted remote code execution."

"The attack . . . appears to be the first serious known supply chain attack on widely used open source software. It marks a watershed moment. . . ."

   -- https://research.swtch.com/xz-timeline

Not_Oles

From: https://joeyh.name/blog/entry/reflections_on_distrusting_xz/

See also: https://news.ycombinator.com/item?id=39914981

And then there's the matter of the disabling of the Landlock sandbox. This was not necessary for the ssh backdoor, because the sandbox is only used by the xz command, not by liblzma. So why did they potentially tip their hand by adding that rogue "." that disables the sandbox?

A sandbox would not prevent the kind of attack I discuss above, where xz is just modifying code that it decompresses. Disabling the sandbox suggests that they were going to make xz run arbitrary code, that perhaps wrote to files it shouldn't be touching, to install a backdoor in the system.

Both deb and rpm use xz compression, and with the sandbox disabled, whether they link with liblzma or run the xz command, a backdoored xz can write to any file on the system while dpkg or rpm is running and noone is likely to notice, because that's the kind of thing a package manager does.

somik

Also the way he "fixed" (breaks) the landlock package... Damn...

So, what are your guesses on who this is?

• Random guy sitting in moms basement
• Hacker group targeting linux servers
• Government agency (chinese/us/russia/others)
• Others?

AuroraZero

@somik said:
Also the way he "fixed" (breaks) the landlock package... Damn...

So, what are your guesses on who this is?

• Random guy sitting in moms basement
• Hacker group targeting linux servers
• Government agency (chinese/us/russia/others)
• Others?

It's all me baby

somik

@AuroraZero said:

@somik said:
Also the way he "fixed" (breaks) the landlock package... Damn...

So, what are your guesses on who this is?

• Random guy sitting in moms basement
• Hacker group targeting linux servers
• Government agency (chinese/us/russia/others)
• Others?

It's all me baby

So the butler yeti did it....

AuroraZero

@somik said:

@AuroraZero said:

@somik said:
Also the way he "fixed" (breaks) the landlock package... Damn...

So, what are your guesses on who this is?

• Random guy sitting in moms basement
• Hacker group targeting linux servers
• Government agency (chinese/us/russia/others)
• Others?

It's all me baby

So the butler yeti did it....

Always