In recent days the open source world has been in a panic. The attack targeting the XZ compression tool was so advanced and carefully planned that it affected many Linux distributions, including Debian, Kali and openSUSE. Fortunately, TempleOS was not infected. This was one of the best-executed supply chain attacks in history. A secret backdoor that let the attacker execute arbitrary code on a victim's machine made the situation extremely serious. This is no ordinary vulnerability: it is a critical issue rated 10.0 on the CVE scale, well above famous bugs such as Heartbleed and Log4Shell. In today's episode, viewers will learn in detail how the XZ backdoor works and the remarkable story of how it was discovered.

  • 00:00 Introduction to the panic in the open source community caused by a sophisticated attack.
  • 00:03 Details of the attack affecting the XZ compression tool and various Linux distributions.
  • 00:13 Admiration for TempleOS, which was unaffected, and the severity of the supply chain attack.
  • 00:27 Comparison of the threat level with other well-known vulnerabilities.
  • 00:38 Encouragement to learn about the XZ backdoor and its accidental discovery.
  • 00:51 Advice to update if you use the affected Linux distributions, stressing the narrow impact.
  • 01:06 Detailed discussion of XZ Utils and its role in compression on Linux.
  • 01:27 Explanation of how the backdoor works in the liblzma library.
  • 01:40 Discovery of malicious code hidden in the library's tarballs.
  • 02:17 Information on the obfuscation techniques used by the attacker.
  • 02:31 The key role of Andres Freund in discovering the anomaly.
  • 02:59 Speculation about the attacker's identity, linking it to contributors.
  • 03:31 An analogy comparing the situation to a landlord and tenant with unauthorized surveillance.
  • 04:12 Final thoughts on the possible intelligence behind the attack.
  • 04:30 Wrap-up and thanks for watching, with a humorous recommendation.

Transcription

Over the last few days, the open source world has been in panic mode. A highly sophisticated and carefully planned attack, affecting the XZ compression tool, was shipped to production and has compromised Linux distros like Debian, Kali, openSUSE, and others. Thank God, TempleOS is unaffected though, and it's quite possibly one of the most well-executed supply chain attacks of all time, and gives some random dude unfettered access to execute code on your machine via a secret backdoor. This is not your everyday security vulnerability. It's a threat level midnight 10.0 critical issue on the CVE Richter scale, even higher than famous bugs like Heartbleed, Log4Shell, and Shellshock. In today's video, you'll learn exactly how the XZ backdoor works, and the incredible story of how it was discovered by accident.

It is April 1st, 2024, and you're watching The Code Report. Unfortunately, this is not an April Fools' video. If you happen to be using one of the Linux distros listed here, you'll want to upgrade immediately. Luckily, it only affects a very narrow set of distros, most of which are unstable builds, but that's only because this backdoor was discovered by pure luck early on. More on that in just a second.

Let's first take a deep dive into this backdoor. XZ Utils is a tool for compressing and decompressing streams based on the Lempel-Ziv-Markov chain algorithm, or LZMA. It contains a command line tool that's installed on most Linux distros by default, which you can use right now with the xz command, but also contains an API library called libLZMA, and many other pieces of software depend on this library to implement compression, one of which is SSHD, or Secure Shell Daemon, a tool that listens to SSH connections, like when you connect your local machine to the terminal on a cloud server. Now here's where the backdoor comes in, but keep in mind, researchers are still figuring out exactly how this thing works.

Malicious code was discovered in the tarballs of libLZMA, which is the thing that most people actually install. That malicious code is not present in the source code, though. It uses a series of obfuscations to hide the malicious code, then at build time, it injects a pre-built object disguised as a test file that lives in the source code. It modifies specific parts of the LZMA code, which ultimately allows the attacker to intercept and modify data that interacts with this library. Researchers have also discovered that any payload sent to the backdoor must be signed by the attacker's private key. In other words, the attacker is the only one who can send a payload to the backdoor, making it more difficult to test and monitor. And the attacker went to great lengths to obfuscate the code: for example, it contains no ASCII characters, and instead has a built-in state machine to recognize important strings.

Now because the vast majority of servers that power the internet are Linux-based, this backdoor could have been a major disaster. Luckily though, a hero software engineer named Andres Freund was using the unstable branch of Debian to benchmark Postgres. He noticed something weird that most people would overlook: SSH logins were using up more CPU resources than normal. Initially he thought it was an issue in Debian directly, but after some investigation, discovered it was actually upstream in XZ Utils. And that's really bad because so many things depend on this tool. In German, his last name translates to friend, which is fitting because he single-handedly helped the world avoid a multi-billion dollar disaster.

But whodunit, who's the bad guy here? At this point it's unclear. The libLZMA project is maintained by Lasse Collin. However, the malicious tarballs are signed by Jia Tan, a contributor to the project. This individual has been a trusted contributor for the last few years, but clearly they've been playing the long game. They spent years building up trust before trying the backdoor, and nobody even noticed when they made their move. I say they because we don't know if this is an individual or a penetration attempt from a rogue state like Russia, North Korea, or the United States.

Here's a non-technical analogy. Imagine there's a landlord, we'll call him Lasse Collin, who manages a popular apartment building. It's a lot of work, but this young enthusiastic guy has been super helpful over the last couple years, adding all sorts of upgrades and renovations. Let's call him Jia Tan. He does great work, but he's also been secretly installing cameras in the bathrooms, which only he can access from the internet with his password. Now he would have gotten away with it too if it weren't for a pesky tenant named Andres, who happened to notice that his electricity bill was just a little bit higher than usual. He started looking behind the walls and found some unexpected wires that led right to the unauthorized cameras.

At this point we don't know the true identity of the hacker, but whoever did this was looking to cast a very wide net, and because it's protected by a secret key, can only be exploited by one party. XZ was a sitting duck because it's extremely popular, while also being very boring with a single maintainer. Whoever's behind this is either an extremely intelligent psychopath, or more likely a group of state-sponsored dimension-hopping lizard people hellbent on world domination, and that's why the only distro you should use is TempleOS. This has been The Code Report. Thanks for watching, and I will see you in the next one.
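The transcript's core technical point is that the malicious code lived in the release tarballs rather than in the source tree, with a pre-built object disguised as a test file. As an added example (not from the video or the XZ project), here is a Python check that lists files present in a release tarball but not tracked by the repository, and lists binary blobs under tests/ for manual review; every file name and content below is a constructed placeholder, not a real XZ file.

```python
import io
import tarfile

def build_tarball(files: dict) -> bytes:
    """Pack {path: bytes} into an in-memory .tar.gz (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_release(tar_bytes: bytes, tracked: set, prefix: str) -> dict:
    """Compare a release tarball with the paths the VCS actually tracks.
    untracked:    files that exist only in the tarball (e.g. extra build macros)
    binary_tests: files under tests/ whose first KiB holds a NUL byte, i.e. opaque
                  blobs a reviewer should inspect before trusting the build"""
    untracked, binary_tests = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release tarballs nest everything under "name-version/"; strip it.
            rel = member.name[len(prefix):] if member.name.startswith(prefix) else member.name
            if rel not in tracked:
                untracked.append(rel)
            head = tar.extractfile(member).read(1024)
            if rel.startswith("tests/") and b"\x00" in head:
                binary_tests.append(rel)
    return {"untracked": sorted(untracked), "binary_tests": sorted(binary_tests)}

# Constructed sample data; the names are placeholders, not real XZ project files.
TRACKED = {"configure.ac", "src/liblzma/lzma.c", "tests/files/good.dat"}
SAMPLE_FILES = {
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/src/liblzma/lzma.c": b"int lzma_stub(void) { return 0; }\n",
    "pkg-1.0/tests/files/good.dat": b"\x00\x01\x02",        # tracked binary fixture
    "pkg-1.0/m4/extra-macro.m4": b"dnl present only in the tarball\n",
    "pkg-1.0/tests/files/extra.xz": b"\x00\xffblob",        # untracked binary fixture
}

def run_sample() -> dict:
    # Audit the constructed tarball; returns the two finding lists.
    return audit_release(build_tarball(SAMPLE_FILES), TRACKED, "pkg-1.0/")

if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths}")
```

On a real project, `tracked` would come from `git ls-files` in the tagged commit and `tar_bytes` from the published release archive; any file in `untracked` deserves a diff against the tag before the tarball is built or packaged.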