BLOG

/

THREATS & VULNERABILITIES

[CVE-2024-3094]: Critical Backdoor Vulnerability found in XZ Utils which Exposes SSH to Compromise

Highlights the identification of a critical backdoor vulnerability in XZ Utils, presenting a serious security threat.

Highlights the identification of a critical backdoor vulnerability in XZ Utils, presenting a serious security threat.

Wednesday, 10 April, 2024

[CVE-2024-3094]: Critical Backdoor Vulnerability
[CVE-2024-3094]: Critical Backdoor Vulnerability
[CVE-2024-3094]: Critical Backdoor Vulnerability

In this blog post, we'll discuss the recent hot topic over a week: the Backdoor XZ attack.

In Unix-like operating systems, "XZ Utils" is a notable open-source tool utilized for compressing and decompressing files using the LZMA (Lempel–Ziv–Markov chain algorithm) compression algorithm. It offers high compression ratios and fast decompression speeds, and serves as a popular choice in Linux distributions.

There are two main components of XZ Utils include

  1. XZ: A command-line tool for compressing and decompressing files, similar to gzip.

  2. liblzma: A software library featuring an API similar to zlib, used for compression and decompression operations in applications.

Vulnerability Details

CVE ID: CVE-2024-3094 | Severity: 10.0

Description:
Malicious code embedded in XZ Utils which compromises SSH and performs RCE.

* Remote Code Execution (RCE)
* Secure Shell (SSH)

Vulnerability Background

How does the backdoors work?

A backdoor typically operates by exploiting vulnerabilities within a system's security infrastructure to enable unauthorized access. Once established, it allows attackers to bypass standard authentication methods, granting them remote control over the system. This control can be utilized for executing commands, exfiltrating sensitive data, deploying malware, or conducting other malicious actions without the legitimate users' awareness. Backdoors are often concealed or obfuscated to evade detection by security measures.

Attack Sequence

This attack involves multiple components within the backdoor. Release tarballs from upstream and GitHub contain different code, a common practice in C projects for user convenience. Notably, the version of build-to-host.m4 differs significantly between the release tarballs and the upstream GitHub repository.

The Git repositories, there are two crafted files in the tests/ folder. Here's the commit Path:

tests/files/bad-3-corrupt_lzma2.xz
tests/files/good-large_compressed.lzma

These files are referenced by a script invoked by build-to-host.m4, which modifies the build process using the test data.

...
gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
...
gl_path_map='tr "\t \-_" " \t_\-"'

In the above mentioned 2nd line of script tr "\t \-_" " \t_\-", which represents the following substitution in bytes streamed from the tests/files/bad-3-corrupt_lzma2.xz file:

0x09 (\t) are replaced with 0x20,
0x20 (whitespace) are replaced with 0x09,
0x2d (-) are replaced with 0x5f,
0x5f (_) are replaced with 0x2d,

Those actually "uncorrupts" the bad-3-corrupt_lzma2.xz, and forms a proper xz stream again

Eventually, the malicious code hooks the Procedure Linkage Table (PLT), targeting the "RSA_public_decrypt@....plt" function to redirect it to its own code.

The Procedure Linkage Table (PLT) is a data structure found in executable files on Unix-like systems, especially in shared libraries. It contains function addresses, enabling dynamic linking at runtime. When a program invokes a function from a shared library, the PLT redirects the call to the correct function address, facilitating dynamic linking without prior knowledge of memory addresses.

Kali Linux:
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | 
  grep -Eq "linux-gnu$" > /dev/null 2>&1);then

It also checks for the toolchain being used:
if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
exit 0
fi
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
LDv=$LD" -v"
if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
exit 0

Debian or Red Hat package:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

IFUNC, a feature within glibc enabling indirect function calls, is leveraged to redirect OpenSSH's authentication routines at runtime, constituting a form of runtime hooking. Although typically utilized for legitimate purposes, IFUNC is exploited in this context for malicious activities. Furthermore, the release tarballs issued by upstream differ from those generated automatically on GitHub. These modified tarballs incorporate a malicious build-to-host.m4 version, executing a script during the build process.

The exploit requires several runtime conditions

  1. The TERM environment variable must be unset, indicating that SSH client-server communication hasn't begun, which aligns with the exploit’s targeted stage.

  2. The process executing the malicious code must have a binary path of /usr/sbin/sshd, ensuring  the activation of sshd which uses the libzlma library.

  3. LD_DEBUG and LD_PROFILE environment variables must be unset.

  4. The exploit relies on the LANG environment variable being set, as it aligns with the behavior of the SSH daemon (sshd) which sets LANG.

  5. The exploit employs an anti-debugging technique by detecting debugging tools like rr and gdb. If these tools are found, the exploit refrains from execution.

Impact of Vulnerability on SSH Daemon Service

When authenticating with the SSH service, the user exchanges RSA keys with the server. The malicious code is triggered during the verification process in the server-side code:

sshd 1736357 [010] 714318.734008: 1 branches:uH: 5555555ded8c ssh_rsa_verify+0x49c (/usr/sbin/sshd) => 5555555612d0 RSA_public_decrypt@...+0x0 (/usr/sbin/sshd)

Then, the backdoor initiates a call back into libcrypto, likely to execute typical authentication processes:

sshd 1736357 [010] 714318.734009: 1 branches:uH: 7ffff7c137cd [unknown] (/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.0) => 7ffff792a2b0 RSA_get0_key+0x0 (/usr/lib/x86_64-linux-gnu/libcrypto.so.3)

It appears that the same function hooked during the liblzma build process is involved. The malicious code seems to function as a backdoor, enabling attackers to bypass authentication and execute Remote Code Execution (RCE).

Affected Distributions

Debian     - Unstable / sid ranging from 5.5.1alpha-0.1 up to 5.1.1-1.
Kali Linux - Packages updated between March 26th to March 29th, 2024.
OpenSUSE   - Rolling releases of Tumbleweed and MicroOS between March 7-28, 2024.
Arch Linux - Virtual machine images March 01, 2024 and March 15, 2024.                         
             Container images created between February 24th, 2024, and March 28th, 2024.
RedHat     - Rawhide and Fedora 40 Beta

Conclusion:

The critical backdoor vulnerability found in XZ Utils poses a serious threat, especially for SSH-dependent systems. Exploitation could result in unauthorized access and data compromise. To mitigate risks, prompt patching is essential, along with proactive security measures and vigilant monitoring. By staying informed and taking proactive steps, organizations can effectively safeguard their systems and data.

Happy Hunting !!!