Re: Malware find in the news: xz related.

Subject : Re: Malware find in the news: xz related.
From : invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Newsgroups : comp.os.linux.misc
Date : 31. Mar 2024, 22:37:59
Organization : terraraq NNTP server
Message-ID : <wwvsf06rsjs.fsf@LkoBDZeT.terraraq.uk>
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Nuno Silva <nunojsilva@invalid.invalid> writes:
> On 2024-03-31, Lew Pitcher wrote:
>
>> An "infected" system just needs an SSH server exposed to the internet
>> to be exploited. The "bad actor" uses a pre-built key to initiate
>> contact and contact doesn't go any further than key validation.
>>
>> However, the key validation of a bad-actor key causes SSHd to extract
>> a payload from the key, and pass that payload to a system(3) call.
>>
>> So, while the "bad actor" initiator never officially "logs on" to
>> the system (no userid, etc), they are afforded sshd privilege-level
>> access to the system to run commands.
>
> If I understand correctly (please correct me if I'm wrong!), it's a
> certificate, not a key. While this may sound like nitpicking, in this
> case it seems to matter a lot, because for *certificates*, the hijacked
> function is invoked even if certificate authentication is not enabled.
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=3675

You’re both right: the payload is conveyed in the public modulus of a
(purported) RSA key, but the hooked function (RSA_public_decrypt)
performs signature verification (not key validation), and sshd’s rather
eager approach to user certificate verification seems to be the most
promising target for the attacker.

More info:
1) https://openwall.com/lists/oss-security/2024/03/29/4
2) https://openwall.com/lists/oss-security/2024/03/30/36
3) https://openwall.com/lists/oss-security/2024/03/30/37

The bit in #2 about verifying a signature under a server’s host key
doesn’t sound quite right: the attack (in the form presented in xz) only
attacks sshd, which generates signatures using host keys, rather than
verifying them.

Incredibly good luck that it was spotted before it was too widely
deployed. Or bad luck if you were the originator l-)

--
https://www.greenend.org.uk/rjk/
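
An added illustration, not part of the original post or of any project's code: a parser for the standard `ssh-rsa` public key encoding (RFC 4253), showing that the modulus is a length-prefixed integer chosen entirely by whoever presents the key, and that signature verification is the public-key operation computed over that value. The toy key and all function names are constructed for this example.

```python
import struct

def read_string(buf, off):
    """Read one RFC 4251 string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:end], end

def read_mpint(buf, off):
    """Read an RFC 4251 mpint and require it to be non-negative."""
    raw, off = read_string(buf, off)
    if raw and raw[0] & 0x80:
        raise ValueError("negative mpint in a public key")
    return int.from_bytes(raw, "big"), off

def parse_ssh_rsa_blob(blob):
    """Split an ssh-rsa public key blob (RFC 4253, section 6.6) into (e, n)."""
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e, off = read_mpint(blob, off)
    n, off = read_mpint(blob, off)  # the modulus: opaque bytes from the presenter
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return e, n

def rsa_public_op(sig, e, n):
    """Textbook public-key step of signature verification (no padding check)."""
    return pow(sig, e, n)

def encode_mpint(x):
    """Encode a non-negative integer as an mpint (helper for the sample blob)."""
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big") if x else b""
    return struct.pack(">I", len(raw)) + raw

# Constructed toy key from the textbook primes 61 and 53; not a real key.
TOY_E, TOY_N, TOY_D = 17, 3233, 2753
TOY_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + encode_mpint(TOY_E) + encode_mpint(TOY_N)

if __name__ == "__main__":
    e, n = parse_ssh_rsa_blob(TOY_BLOB)
    sig = pow(65, TOY_D, TOY_N)  # signer's side, using the private exponent
    print("e =", e, "n =", n, "recovered digest =", rsa_public_op(sig, e, n))
```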
