Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp386037lqa; Sat, 27 Apr 2024 06:28:39 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXTAAnF1YFgVrXzf4bOvvtXrm3El0i/jfF7k20mNkvXMz/XQ4rfYpLVIN0tjVw+oEW+Td0ZUr8kBJ96Ao+3nSMlzgoZ95BhjbV2o3Ca2Q== X-Google-Smtp-Source: AGHT+IEjaEsK/YUiHS3H+gVtrIVPlZIbKQj8ZBL8+ZEEIFQ8eI1003dwDYIJVz4rAZsQwgJ1ypzY X-Received: by 2002:a17:906:840d:b0:a55:be3b:c6cf with SMTP id n13-20020a170906840d00b00a55be3bc6cfmr1711785ejx.35.1714224519312; Sat, 27 Apr 2024 06:28:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1714224519; cv=none; d=google.com; s=arc-20160816; b=Qbu35lMZKIhtcl9ZIe/P6wjZG7eb/RFSUsYYsBKqpxBXN4tWAtPDtWGSddaNNF4Iw+ Xc6Kz8aZBF9xBS3qOrbBHCwA4do8v7zAWjkqvnHQIzdOxEnm9rMz8dq/CA9xli/+WRvQ 2CdRCuYAFiaaFH3nsvVQeZnMPVBwkYyZn0kLBKYeyGUcsupYuNRSBLRpdAxiIfE9qScl bUihlVDheIrrikoIMD+u7CNLa0ZvzJh7K9vDKqAOEIQho8QYCXr5cf9YdCEKKYRfXIgA bOGt/CW+DdwZZYBYhA/DZhd6Fvk5Qzy1HwVXQZDjstBvxklWC6O4mYXnt+jK5saq1iuQ iY6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:content-transfer-encoding:in-reply-to:references:to :mime-version:user-agent:from:date:message-id:dkim-signature :delivered-to:delivered-to:reply-to:list-id:list-subscribe :list-unsubscribe:list-help:list-post:precedence:mailing-list; bh=DDtPdmTjY0Ndtm1CMsvDyeiic5Q32n9Kve+IpWS0ZMw=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=lZhdTj7nuq2ezPKKiBRhBG+rYTGojQ1dsQtDrTL5MvWe+264MrCUZFq+rTDO2JXJMY kB1A0sz+WU59BRNdnT6YRaXNTJgnWrHDLuVANnh4gKvP+FXgALiRg6KO/GkeLhh96XlM jNF+1Bn/NULUhdDtY0QnTrdjDK8wHXMmCIiA1vS9kDul05trFsanPu0Fh4GWl4f2+Y15 TWdlOUk2zKkBnrujXKI8vKswq3+E2UI2SsdDTrC9BFMGjqBXkWCPKCEPrWdVHteqXcgB QveTT51O4nOCt1ib9oruNM4iqjFNl7IExEAI7jXX5/hGr8zbQoh8kMR5M4qlbtZXwz++ drwQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20230601 header.b=hYYvUqIg; spf=pass (google.com: domain of oss-security-return-30087-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30087-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id j2-20020a170906474200b00a4e207ee793si12069715ejs.646.2024.04.27.06.28.39 for ; Sat, 27 Apr 2024 06:28:39 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30087-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20230601 header.b=hYYvUqIg; spf=pass (google.com: domain of oss-security-return-30087-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30087-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (qmail 1634 invoked by uid 550); 27 Apr 2024 13:28:21 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 31867 invoked from network); 27 Apr 2024 04:47:59 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1714193269; x=1714798069; darn=lists.openwall.com; h=content-transfer-encoding:in-reply-to:references:subject:to :mime-version:user-agent:reply-to:from:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=DDtPdmTjY0Ndtm1CMsvDyeiic5Q32n9Kve+IpWS0ZMw=; b=hYYvUqIgmQgjRhQkf4eNNHJOZSGfRmXYaict0DpnSjs9a46iqMoUT9XWHhgGxyZwtU isoQDShGY+Mxnl9aoGJNUajupM2S1zvf1fexcVrQyP27YWyuo6ZgII7oXQ3mySrQLKC8 Q4dM4xlvrDwbcj1PnkDoOJu4MTg3qg/drH6hnh+KbxUQ5vzPNZiHR2rqmgJsrVCltH8p LNIGC6pnbeV6EpxSzoPSmUR8VR1tZfqklqDXTA6+IPbCYknpqPNzM8e8bpGYkvWB80EQ wJuGDrFWgGFOaegoVqnflFUAMsfPlmpVNv/GatUJnl9hcszMCb+RPZxsCDtjz623Fn6h Gd3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714193269; x=1714798069; h=content-transfer-encoding:in-reply-to:references:subject:to :mime-version:user-agent:reply-to:from:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DDtPdmTjY0Ndtm1CMsvDyeiic5Q32n9Kve+IpWS0ZMw=; b=NN1kPXDq22MdpubP/pwk8vVxsM2xVJxfTVzE+qQOueh85/9sH2/C0ukbsWv3pLp1d7 GHKfIJeUl+Icfz7VI//Oyk1N90PIyrUU190PHBt6ATlaerFTcLyMm9tfdaSqB+pNVnia v16/+YxlBV6Qpu4nrcAda9DuSoQex/x5ijWS7Ru3x7UJYnuWxIxuyEfS+CbSWay4e9WB vpV/BZGBq4eCDpsOZaT3mTEtu1gaLkF0bJA2Ixi/aSnS/aNF4k9XmJbAgnpqGTJQG+OF xFjC3Fs3xgZrXmrrd6/TX4hBMgVx4h0e/5DUpEBFd+el0DK96ECRZIwFuOn7d/hbf95v oITQ== X-Gm-Message-State: AOJu0YxE0SyCSvV6Nwgv9nkYZ1lKENAAG1zOrMXngpF0wsQ1lJij92Qv H9k2O1hTV8HwY5HmOMwlJHh8C+q+bjUMuSBhmjTROjw2402G6+fGS3+SRw== X-Received: by 2002:a4a:44c6:0:b0:5aa:4a0c:d99e with SMTP id o189-20020a4a44c6000000b005aa4a0cd99emr5786680ooa.8.1714193268585; Fri, 26 Apr 2024 21:47:48 -0700 (PDT) Message-ID: <662C8372.80709@gmail.com> Date: Fri, 26 Apr 2024 23:47:46 -0500 From: Jacob Bachmeyer User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0 MIME-Version: 1.0 To: oss-security@lists.openwall.com References: <20240426135217.a103ce0c-a775-4a49-ae2c-94dfd64f6695@korelogic.com> In-Reply-To: <20240426135217.a103ce0c-a775-4a49-ae2c-94dfd64f6695@korelogic.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [oss-security] Update on the distro-backdoor-scanner effort Hank Leininger wrote: > [...] > > Where we are: main things investigated: > > - Similar exploitation toolkits / operator-behavior in other packages? > > [...] > > - Output is manageable; able to rule out all hits not part of the > actual xz-utils backdoors as false positives. > This is what I would expect: the backdoor dropper appears to have been specifically developed for xz-utils, but could /possibly/ be adaptable to other compression tools. This is a much narrower field to search than "every package in the distribution" and the potentially reusable "smoking gun" parts (the stage2 and actual blob) were hidden in a way that no scanner could plausibly find. That said, it would be possible to hide a similar backdoor in another package and use the /installed/ xz to unpack it, but this would (again) require very different patterns in the outermost dropper layers, since the backdoor would have to be hidden somehow in another file type. Most packages will not have xz files in their testsuites. While I do not believe that there are more backdoors to find, the chances of any string match based on this one finding another are tiny. > - Examine the provenance of every .m4 in every package unpacked above > > [...] > - Big TODOs here are to implement fuzzy hashing when we don't have > a perfect match, so that we can pick the best knowngood candidate > to offer a diff against and to group the unknowns amongst > themselves, and something to facilitate tracking of diff-review > (CSV or another sqlite DB that tracks review status?), and then > to actually read all the diffs (currently only spot-checked). > You might get better results by indexing macro definitions found in *.m4 files, instead of trying to fuzzily hash the files. The interesting comparison is then different definitions of macros with the same name. > - Compare decompression of xz-utils vs other compatible tools > > - Just to check for some obvious Thompsonesque weird machine where > xz injects malicious .c code into a tarball it unpacks, etc. Very > unlikely to find anything. > While I agree that this is unlikely, the crackers missed an opportunity: many (most?) modern Linux kernels are compressed using xz, which means that a Thompsonesque attack could binary-patch a freshly built kernel while compressing vmlinux to make vmlinuz. (The last time I watched a kernel build, Linux is first linked to produce a kernel image ("vmlinux"), which is then compressed and attached to a decompression stub to produce the final bootable image ("vmlinuz").) Accomplishing such an attack with a weird machine is /very/ unlikely. Having the inserted blob target xz itself would make far more sense, and the blob from this backdoor (according to reports so far) only targets sshd. > - Found nothing except some minor bugs in other decompressors (will > submit upstream bugs, but low priority). > I expect that you will find nothing here, but if you are paranoid enough, patching the Linux build process to run a similar comparison on common distribution kernels might be interesting. You would want to ensure that decompressing the compressed kernel image (preferably with a standalone decompressor derived from the xz-embedded used in Linux's decompression stub) yields the original uncompressed kernel image. > - Still plan to add more different decompressors for completeness. > I would like to suggest 7-zip here. > What's next: rough notions only, not yet implemented: > > - Analyze IFUNC real-world use. They're dodgy and weird and useful for > backdoors like this one. Removing IFUNC support from glibc has been > floated: https://marc.info/?l=glibc-alpha&m=171389592724184&w=4 > But that'll get hung up on "but what if users". AFAWK nobody knows. > So let's find out: survey sources & binaries from major distros and > get some actual numbers. Also thegrugq made an interesting > observation: it'd be telling which projects recently _added_ IFUNC > use, if any. See > https://github.com/hlein/distro-backdoor-scanner/issues/16 > The IFUNC mechanism is actually a security feature. In "inner-loop" code, having multiple implementations with different optimizations with the preferred implementation for the local processor chosen at runtime is fairly common. This is most common in cryptographic and other data-processing libraries, where small incremental improvements can significantly add up. The catch is that choosing an implementation at runtime means that you must dispatch through a function pointer somewhere, typically in the data segment, which is writable and leads to possible ways to hijack control if those function pointers can be corrupted. IFUNCs allow storing those function pointers in the PLT, which can be made read-only after relocation is completed, most importantly long before *any* input is processed, if LD_BIND_NOW or "-z now" are used to disable lazy binding. The backdoor does not seem (according to reports so far) to actually use the IFUNC mechanism as anything other than a way to gain control of execution early in process initialization. In fact, the backdoor's IFUNC resolver ran "too early" so the backdoor tampered with ld.so's data segment to register itself using parts of the LD_AUDIT mechanism, so it would be called later when the PLT entries that it actually wanted to hijack would exist. I am still unsure whether IFUNC was actually needed here or if __attribute__((__constructor__)) could achieve the same results. I currently suspect that the crackers used IFUNC support as a covert flag. The "jankiness" of the current glibc IFUNC implementation provided a convenient excuse to ask oss-fuzz to --disable-ifunc when building xz-utils, which *also* conveniently inhibited the backdoor dropper and ensured that the fuzzing builds would not contain the backdoor. > - Check for irregular contents in .pc files, inspired by Vegard > Nossum's oss-security post > https://marc.info/?l=oss-security&m=171335763115933&w=4 > This seems it'd be pretty easy to look for known bads. Starting > notes: https://github.com/hlein/distro-backdoor-scanner/issues/7 > Much easier: look for pkg-config descriptions containing text other than a variable definition. The pkg-config tool itself should probably enforce "cleanliness" on this matter and refuse to process files containing other text. (It also should complain about and reject an *-uninstalled.pc file found in the system directories, which was another logic error exploited in that sample backdoor.) -- Jacob