Analysis of bash-stage obfuscation used to hide the liblzma/xz backdoor (gynvael.coldwind.pl)

submitted 5 months ago by underisk@hexbear.net to c/technology@hexbear.net

2 comments fedilink hide all child comments

payload appears to have been hidden in test data then decrypted and injected during the build process.

top 2 comments

sorted by: hot top controversial new old

[-] addie@feddit.uk 3 points 5 months ago

Okay - so it was cleverly hidden. Real question is what the binary blob does, so we can properly assess the damage...

[-] underisk@hexbear.net 2 points 5 months ago

Preliminary stuff I read yesterday suggests that it’s RCE triggered by a signal sent to SSHD. Safest bet is to nuke your system if you had the exploitable library running with an exposed sshd.

this post was submitted on 30 Mar 2024

13 points (100.0% liked)

technology

23179 readers

315 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.

founded 4 years ago

MODERATORS

Jadzia_Dax@hexbear.net

blashork@hexbear.net

context@hexbear.net

EmmaGoldman@hexbear.net

SexUnderSocialism@hexbear.net

gaycomputeruser@hexbear.net

ZoomeristLeninist@hexbear.net