XZ
I was interested in the recent XZ security problem.
Other links
Find some data
Normally everything is in GitHub, but GitHub has taken down the repository and disabled accounts. Perhaps wise, but not helpful for me.
- Debian Salsa: perhaps I am an idiot, but I could not work out how to get the upstream version tarball from this.
- Tukaani has the git versions but not the release tarballs. You need git checkout v5.6.1.
- archive.org has the tarballs.
This is interesting; you'd imagine that the first thing GitHub would do is stop distributing the bad tarball.
Peek at the files
I ended up writing a little Python script for parsing the output of find . -type f | xargs sha1sum. About 200 files are missing from git, mostly translations and docs. 35 files have different hashes.
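The comparison that script does, as an added Python example (my code, not the author's script): it parses two sha1sum listings, one from the git checkout and one from the unpacked release tarball, and reports files present only in the tarball, only in git, and present in both with different hashes. The two listings, their hashes and the file names in them are constructed samples, not real xz hashes; the function names are mine.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample listings (made-up hashes, a handful of illustrative
# paths), standing in for `find . -type f | xargs sha1sum` run in the git
# checkout and in the unpacked release tarball.
GIT_LISTING = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709  ./configure.ac
3f786850e387550fdab836ed7e6dc881de23001b  ./src/liblzma/check/crc64_fast.c
89e6c98d92887913cadf06b2adb97f26cdb6bc2f  ./tests/files/good-large_compressed.lzma
"""

TARBALL_LISTING = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709  ./configure.ac
2aae6c35c94fcfb415dbe95f408b9ce91ee846ed  ./src/liblzma/check/crc64_fast.c
89e6c98d92887913cadf06b2adb97f26cdb6bc2f  ./tests/files/good-large_compressed.lzma
0a4d55a8d778e5022fab701977c5d840bbc486d0  ./m4/build-to-host.m4
"""

# sha1sum prints "<40 hex>  <path>", or "<40 hex> *<path>" in binary mode.
LINE_RE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")


def parse_sha1sum(text: str) -> Dict[str, str]:
    """Parse sha1sum output into {path: hexdigest}. Blank lines are skipped;
    any other line that is not a sha1sum line is an error, not silently dropped."""
    files: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a sha1sum line: {line!r}")
        digest, path = m.groups()
        files[path] = digest.lower()
    return files


def compare_trees(git: Dict[str, str],
                  tarball: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_tarball, only_in_git, differing), each sorted.
    only_in_tarball is the interesting set for a release-tarball backdoor:
    files nobody ever committed, but which ship to everyone who builds."""
    only_in_tarball = sorted(set(tarball) - set(git))
    only_in_git = sorted(set(git) - set(tarball))
    differing = sorted(p for p in git.keys() & tarball.keys() if git[p] != tarball[p])
    return only_in_tarball, only_in_git, differing


def report(git: Dict[str, str], tarball: Dict[str, str]) -> str:
    only_tb, only_git, diff = compare_trees(git, tarball)
    lines = [f"{len(only_tb)} files only in tarball", *(f"  + {p}" for p in only_tb),
             f"{len(only_git)} files only in git", *(f"  - {p}" for p in only_git),
             f"{len(diff)} files with different hashes", *(f"  ! {p}" for p in diff)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 compare.py git.sha1 tarball.sha1
    # With no arguments the constructed listings above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            g, t = parse_sha1sum(f1.read()), parse_sha1sum(f2.read())
    else:
        g, t = parse_sha1sum(GIT_LISTING), parse_sha1sum(TARBALL_LISTING)
    print(report(g, t))
```

Run `find . -type f | xargs sha1sum > git.sha1` in the checkout and the same into `tarball.sha1` in the unpacked release, from the tree root in both cases so the `./` paths line up, then feed both files to the script.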
There are about 100 test files, over 500 KB of stuff.
Reading the start of the attack
I followed along when reading coldwind.pl.
build-to-host.m4 is missing from git but is where the problems start. Note that other M4 files are missing as well.
The grep on line 86 matches exactly one file in the tree:
% grep -aErls "#{4}[[:alnum:]]{5}#{4}$" .
./tests/files/bad-3-corrupt_lzma2.xz
And sure enough, expanding the M4 by hand gives the following. (The sed "r\n" is effectively cat: the r command tries to read a file literally named \n, which does not exist. The M4's sed "s/.*\.//g" is applied to the matched file name to pick the decompressor from its extension, which is how xz -d ends up being run, so it is not part of the output pipeline.)
% sed "r\n" ./tests/files/bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" | xz -d
####Hello####
...
At this point it's pretty clear you have a backdoor, but up to this point it is well hidden: unreadable shell and M4, a compressed and corrupted payload, etc.
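The stage-0 chain above, as an added Python example that is my code and not code from this page or from the xz project: the tr swap as a byte table, the grep marker as a regex, and the swap-then-decompress recovery. For the grep to hit the raw test file, the marker must appear literally in its bytes, so the example also writes a small valid .xz (field layout per the .xz file format spec) that stores a constructed payload in an uncompressed LZMA2 chunk. That builder is an assumption about one way such a file can be made, not an analysis of the real bad-3-corrupt_lzma2.xz. PAYLOAD, the second file name and its content are constructed; build_stored_xz, corrupt_xz, recover, find_marked_files and demo are names I chose.

```python
import lzma
import re
import zlib

# Byte swap from build-to-host.m4:   tr "\t \-_" " \t_\-"
# tab<->space and '-'<->'_'. The table is its own inverse, so the same
# call both damages a valid .xz and repairs the damaged one.
TR_TABLE = bytes.maketrans(b"\t -_", b" \t_-")

# Python equivalent of  grep -aErls "#{4}[[:alnum:]]{5}#{4}$"
# (re has no [[:alnum:]]; ASCII letters and digits are used instead).
MARKER_RE = re.compile(rb"#{4}[A-Za-z0-9]{5}#{4}$", re.MULTILINE)

# Constructed stand-in for the stage-0 script; not the real payload.
PAYLOAD = (
    b"####Hello####\n"
    b"# constructed stand-in for the stage-0 script, not the real one\n"
    b"echo stage-0 loader would run here\n"
)


def tr_swap(data: bytes) -> bytes:
    return data.translate(TR_TABLE)


def _vli(n: int) -> bytes:
    """xz variable-length integer: 7 bits per byte, low bits first."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _crc32le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def _pad4(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 4)


def build_stored_xz(payload: bytes) -> bytes:
    """Minimal valid .xz: one block, CRC32 check, LZMA2 data consisting of a
    single uncompressed chunk, so the payload text is visible in the raw bytes
    (assumed construction, see the lead-in)."""
    assert 0 < len(payload) <= 65536          # one LZMA2 chunk holds at most 64 KiB
    flags = b"\x00\x01"                       # stream flags: check type CRC32
    header = b"\xfd7zXZ\x00" + flags + _crc32le(flags)

    # Block header: no size fields, one filter = LZMA2 (0x21) with 1 props
    # byte (0x10 -> 1 MiB dictionary); zero-padded to a multiple of 4 + CRC32.
    body = b"\x00\x21\x01\x10"
    size = (1 + len(body) + 4 + 3) // 4 * 4
    bh = bytes([size // 4 - 1]) + body
    bh += b"\x00" * (size - 4 - len(bh))
    bh += _crc32le(bh)

    # LZMA2: 0x01 = uncompressed chunk + dictionary reset, 2-byte big-endian
    # (size - 1), the data, then 0x00 = end of LZMA2 data.
    lzma2 = b"\x01" + (len(payload) - 1).to_bytes(2, "big") + payload + b"\x00"
    check = _crc32le(payload)
    block = bh + _pad4(lzma2) + check
    unpadded = len(bh) + len(lzma2) + len(check)  # block padding excluded

    index = _pad4(b"\x00" + _vli(1) + _vli(unpadded) + _vli(len(payload)))
    index += _crc32le(index)
    backward = (len(index) // 4 - 1).to_bytes(4, "little")
    footer = _crc32le(backward + flags) + backward + flags + b"YZ"
    return header + block + index + footer


def corrupt_xz(payload: bytes) -> bytes:
    """Stand-in for bad-3-corrupt_lzma2.xz: a valid .xz with the swap applied."""
    return tr_swap(build_stored_xz(payload))


def recover(data: bytes) -> bytes:
    """Stage-0 logic from the M4: undo the swap, then xz -d."""
    return lzma.decompress(tr_swap(data))


def is_valid_xz(data: bytes) -> bool:
    try:
        lzma.decompress(data)
        return True
    except lzma.LZMAError:
        return False


def find_marked_files(tree: dict) -> list:
    """grep -l over a tree: names whose raw content has a marker line."""
    return sorted(name for name, data in tree.items() if MARKER_RE.search(data))


def demo() -> dict:
    bad = corrupt_xz(PAYLOAD)
    tree = {                                   # constructed two-file tests/files
        "tests/files/bad-3-corrupt_lzma2.xz": bad,
        "tests/files/good-constructed.xz": lzma.compress(b"ordinary test vector\n"),
    }
    return {
        "raw_is_valid_xz": is_valid_xz(bad),   # False: xz -d rejects the raw file
        "grep_hits": find_marked_files(tree),  # only the swapped file matches
        "recovered": recover(bad),             # swap back + xz -d gives the script
    }
```

Calling demo() shows the three properties the obfuscation relies on: the raw file is not a valid .xz, because the swapped bytes break the check; it is still the only file in the tree whose bytes contain a line ending in ####xxxxx####, because none of the marker's characters are in the swap table; and applying the swap once more makes it decompress to the script.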
Looking at the output
Lots of folks are looking at the binary blob. Note for future self:
objdump -d 2 > 2.disass
Honeypot
A honeypot. The honeypot makes no sense, so I spent some time poking around the Docker image.