I was interested in the recent XZ security problem.

Find some data

Normally everything is in GitHub, but GitHub has taken down the repository and disabled the accounts. Perhaps wise, but not helpful for me.

This is interesting: you'd imagine that the first thing GitHub would do is stop distributing the bad tarball.

Peek at the files

I ended up writing a little Python script for parsing the output of find . -type f | xargs sha1sum and comparing the tarball against the git tree. About 200 files are missing from git, mostly translations and docs. 35 files have different hashes.

There are about 100 test files, over 500 KB of stuff.

Reading the start of the attack

I followed along with the analysis on coldwind.pl.

build-to-host.m4 is missing from git, but it is where the problems start. Note that other M4 files are missing as well.

The grep on line 86 matches exactly one input file:

% grep -aErls "#{4}[[:alnum:]]{5}#{4}$"  .
./tests/files/bad-3-corrupt_lzma2.xz

And sure enough, expanding the M4 by hand gives the following (the M4's own sed "s/.*\.//g" is only used to strip the file name down to its extension, xz, to pick the decompressor; it is not part of the decode pipeline):

% sed "r\n" ./tests/files/bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" | xz -d
####Hello###
...

At this point it's pretty clear you have a backdoor, but up to this point it is well hidden: unreadable shell and M4, a compressed and corrupted payload, and so on.
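As an added worked example (not from the original post, and in Python rather than the shell pipeline above, because the lzma module ships with Python): the same tr swap and xz decode replayed over a constructed sample file, with the M4's grep pattern as a regex. SAMPLE_SCRIPT and SAMPLE_CARRIER are constructed stand-ins, not the real test file.

```python
import lzma
import re

# The tr(1) map from build-to-host.m4:  tr "\t \-_" " \t_\-"
# tab <-> space and '-' <-> '_' are swapped, so the map is its own inverse.
_SWAP = bytes.maketrans(b"\t -_", b" \t_-")

# Python form of the M4's grep pattern "#{4}[[:alnum:]]{5}#{4}$"
# (re has no POSIX [[:alnum:]] class, so it is spelled out).
MARKER_RE = re.compile(rb"#{4}[0-9A-Za-z]{5}#{4}$", re.M)


def unmask(data: bytes) -> bytes:
    """Apply the tr swap; applying it twice returns the original bytes."""
    return data.translate(_SWAP)


def decodes_as_xz(data: bytes) -> bool:
    """True if xz accepts the bytes as a complete, uncorrupted stream."""
    try:
        lzma.decompress(data, format=lzma.FORMAT_XZ)
        return True
    except lzma.LZMAError:
        return False


def extract_payload(carrier: bytes) -> bytes:
    """Replay the M4 pipeline: tr swap, then xz -d."""
    return lzma.decompress(unmask(carrier), format=lzma.FORMAT_XZ)


def analyze(carrier: bytes) -> dict:
    """What an analyst wants to know about one suspect test file."""
    payload = extract_payload(carrier)
    first_line = payload.split(b"\n", 1)[0]
    return {
        "raw_decodes": decodes_as_xz(carrier),  # real file: False
        "marker_in_raw": MARKER_RE.search(carrier) is not None,
        "payload_marker": MARKER_RE.match(first_line) is not None,
        "first_line": first_line,
        "payload": payload,
    }


# Constructed stand-in: a harmless script, xz-compressed, then pushed through
# the swap. Whether plain xz -d rejects it depends on which bytes the swap hit,
# so that is reported by analyze() rather than assumed.
SAMPLE_SCRIPT = b"####Hello####\n# constructed sample, not the real payload\necho ok\n"
SAMPLE_CARRIER = unmask(lzma.compress(SAMPLE_SCRIPT, format=lzma.FORMAT_XZ))

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CARRIER).items():
        print(f"{key}: {value!r}")
```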

Looking at the output

Lots of folks are looking at the binary blob. Note for future self:

objdump -d 2 > 2.disass

Honeypot

A honeypot. The honeypot makes no sense, so I spent some time poking around the Docker image.