


Yeah, what's posted by you and other users so far is stuff I know: build scripts, injection, obfuscation. I'm more looking for a careful reverse engineering of the actual payload.


https://www.youtube.com/watch?v=Q6ovtLdSbEA

This talk by Denzel Farmer at Columbia isn't a complete disassembly of the payload but it's the best I've seen so far.

Slides if you don't want to watch the video: https://cs4157.github.io/www/2024-1/lect/21-xz-utils.pdf


Thanks for posting that. A quick perusal of those slides looks good. I know what I'm going to be reading and watching this evening!


I haven't looked again in months, but I'd be interested in the same thing you're looking for. I poked at the payload with Ghidra for a little bit, realized it was miles above my pay grade, and stepped away. Everybody was wowed by the method of delivery but the payload itself seems to have proved fairly inscrutable.


I'd also like to see the timeline of XZ's landlock implementation, I haven't seen that discussed much.


https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b...

The link you want from that is this https://bsky.app/profile/filippo.abyssdomain.expert/post/3ko... ; that set of tweets has the high-level overview.

That in turn links to https://github.com/amlweems/xzbot which has more details.

The TL;DR is that it hooks the RSA bits to look for an RSA cert with a public key that isn't really an RSA public key; the pubkey material contains a signed & encrypted request from the attacker, signed & encrypted with an ed448 key. If the signature checks out, system() is called, i.e., RCEaaS for the attacker.



