by plondon514 on 3/31/24, 2:41 AM with 8 comments
by FergusArgyll on 3/31/24, 3:17 AM
xz is a very commonly used compression tool (think zipped files, etc.), so it's used everywhere; someone(s?) managed to slowly work their way into the project and inserted a backdoor.
SSH is the main way to connect from your terminal to a server; the most common way to connect is not via username/password but a public/private key (google RSA). What this backdoor does is add a step to the SSH login process. Instead of 1) check whether the correct key was sent, 2) if yes give access, if no say 'incorrect', it adds one step: 1.5) if the key is {special evil key}, then run all commands that the owner of the special evil key says to run. Since the SSH service (program, whatever) runs as root (that's like admin on Linux), the attacker with the special key can do basically anything.
Worth noting, the bug technically has nothing to do with the compression program; it was sneaked in using it.
by db48x on 3/31/24, 3:14 AM
Xz has a reasonably venerable history, and has passed from maintainer to maintainer several times in the past. A few years ago, a new maintainer stepped in to take the job. A few weeks ago he released a new version of the Xz library. This new version crashed a number of times when it was incorporated into Debian (an open-source Linux distribution of similar venerability). These crashes were investigated, and a back door was discovered.
The new version of Xz detects that it has been compiled in to OpenSSH and adds its own code to the part of the program that checks the credentials of the user who is logging in. When an incoming connection is encrypted, the back door code checks the encrypted data for a message signed by the back door's author. If one is discovered, the message is executed immediately, instead of logging anyone in. This allows anyone with the right key to secretly execute arbitrary instructions on the targeted computer, usually with full root access. Obviously that's not something the Debian or OpenSSH developers want included in their programs.
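Both comments above describe a backdoor that only matters where xz's library ends up loaded inside the sshd process. As an added defender's triage script (written for this thread, not code from the xz or OpenSSH projects), the POSIX shell below reports whether the local sshd loads liblzma at all and which xz version is installed; the affected version numbers are not given here and must be taken from your distribution's advisory.

```shell
#!/bin/sh
# Added triage check, not from the thread. Read-only: it only inspects
# which shared libraries sshd loads and what `xz --version` reports.

# Return 0 if the given ldd output mentions liblzma, 1 otherwise.
# Takes the text as an argument so it can be exercised on constructed input.
ldd_mentions_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Extract the bare version string from the first line of `xz --version`
# output, e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Live check against the running host.
triage_host() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ]; then
        if ldd_mentions_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "sshd at $sshd_path loads liblzma: check the xz version below"
        else
            echo "sshd at $sshd_path does not load liblzma"
        fi
    else
        echo "no sshd binary found"
    fi
    if command -v xz >/dev/null 2>&1; then
        echo "installed xz version: $(xz_version_from_output "$(xz --version)")"
        echo "compare it with the affected versions listed in your distribution's advisory"
    else
        echo "xz command not installed"
    fi
}

triage_host
```

A host whose sshd does not load liblzma is outside the reach of the mechanism the comments describe; the version line is what to compare against the advisory.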
by miduil on 3/31/24, 9:25 PM