• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!

liblzma is vulnerable!

chucky91

chucky91

Advanced OT User
Joined
Apr 8, 2010
Messages
349
Solutions
11
Reaction score
196
Location
MS -Brazil
GitHub
RCP91
Recent news that discovering that libs like liblzma are with binary that compromises ssh access, microsoft's vcpkg reversed!
1711814270932.png

hackaday.com

Security Alert: Potential SSH Backdoor Via Liblzma

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package, that could potentially compromise SSH logins on Linux systems. The m…
hackaday.com hackaday.com
 
Last edited:
Yes we all know, vcpkg has already fixed it, and that entire repo is currently under suspension from github because one of the maintainers is claiming he didn't know the other was doing such shady stuff, claims the versions signed by him were safe. There is ofc an investigation ongoing and such
 
If you want to temporarily fix your build:
Go to ports/liblzma/portfile.cmake and change line 3 to:
Code: 
REPO bminor/xz
 
Can you actually backdoor a server by sending malicious packets?
 
highsanta said:
Can you actually backdoor a server by sending malicious packets?
Click to expand...
What may not be clear is the connection to SSH. And it’s a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls the liblzma library. That means the liblzma initialization code gets run when sshd starts. In the malicious code, the library checks argv[0], which is the name of the program being executed, for /usr/bin/sshd. Additionally it seems to check for debugging tools like rr and gdb. If the checks are green, liblzma replaces a few function calls with its own code. It’s a complicated dance, but the exploit is specifically looking to replace RSA_public_decrypt.

That’s a very interesting function to clobber, as it is one of the functions used to validate SSH keys. It’s not hard to imagine how malicious code here could check for a magic signature, and bypass the normal login process. The full analysis is still being done, and expect more information in the coming days.

But the bottom line is that a machine with a patched sshd binary, that also has xz packages version 5.6.0 or 5.6.1, is vulnerable to unauthenticated SSH logins.
Click to expand...
 

Similar threads

Crevasse
[BETA] RookCraft (7.92)
Replies
12
Views
2K
Silver Skan
S
222222
DeepSeek - China's new AI outperforms ChatGPT. The stock market is crashing
Replies
16
Views
2K
222222
222222
anyeor
[Poland] [7.92] Globera
Replies
4
Views
488
anyeor
anyeor
Michael Orsino
Alpha Proxy Guide (kondrah/otclient multi-path proxy)
2
Replies
35
Views
5K
Gesior.pl
Gesior.pl
4Marsupilami
[GERMANY, USA][13+ / CUSTOM] STORM CLASH - Battle Royale
Replies
11
Views
1K
4Marsupilami
4Marsupilami
Back
Top