the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n
it requires sending a properly crafted command to the RSA_public_decrypt hook, which will then install another for the `mm_answer_keyallowed` sshd function. subsequently you offer N more fake ssh-rsa pubkeys which are crafted in a special way to chunk together .. 2/n
a "magic buffer" which contains more backdoor commands, this buffer also has two additional ed448 signatures. which like the ones for the RSA_public_decrypt portion of the backdoor are salted with the SHA256 digest of the hostkey
the final signature also takes into account the session_id (0x20 bytes) that is derived during the initial key exchange (KEX) for the SSH session. my current PoC implementation uses a heavily monkey patched paramiko (ssh client) library to achieve this
currently I'm just triggering command 0x03 in this part of the code, which allows for a basic RCE through system() again. (also lets you set uid/gid). but there's more code that needs to be understood. it looks like a full auth bypass (interactive session) is possible!
(that conclusion is based on the fact that one of the mm_answer_keyallowed backdoor commands also hooks mm_answer_keyverify, eventually)
whoever designed this stuff had to take a deep dive into openSSH(d) internals (and so did I for the past couple of days, oof) .. hats off, once again :)
mm_keyallowed_backdoor cmd 1 allows you to override the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can login with any pass 🤓
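An added example, not part of the original thread or the author's tooling: it decodes the reply quoted above as a privilege-separation monitor frame, to show what the unprivileged sshd process reads from it. The reading of type 13 as MONITOR_ANS_AUTHPASSWORD and the field names `authenticated` and `maxtries` are assumptions drawn from OpenSSH's monitor code, not from the thread.

```python
import struct

# Assumption (OpenSSH monitor.h, not stated in the thread):
# message type 13 is MONITOR_ANS_AUTHPASSWORD.
MONITOR_ANS_AUTHPASSWORD = 13


def build_frame(msg_type, payload):
    """Frame = u32 length (type byte + payload), u8 type, payload; big-endian."""
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload


def parse_frame(data):
    """Split one monitor frame into (type, payload), rejecting bad lengths."""
    if len(data) < 5:
        raise ValueError("truncated header")
    length, msg_type = struct.unpack(">IB", data[:5])
    if length < 1 or len(data) != 4 + length:
        raise ValueError("length field does not match frame size")
    return msg_type, data[5:]


def decode_authpassword_answer(data):
    """Decode the two u32 fields of a password-auth answer frame."""
    msg_type, payload = parse_frame(data)
    if msg_type != MONITOR_ANS_AUTHPASSWORD:
        raise ValueError(f"unexpected monitor message type {msg_type}")
    if len(payload) != 8:
        raise ValueError("expected exactly two u32 fields")
    # Field names are labels chosen here (assumption): the first u32 is the
    # monitor's verdict, the second a max-tries flag present in PAM builds.
    authenticated, maxtries = struct.unpack(">II", payload)
    return {"type": msg_type, "authenticated": authenticated, "maxtries": maxtries}


# The value quoted in the thread: { u32(9), u8(13), u32(1), u32(0) }
THREAD_FRAME = struct.pack(">IBII", 9, 13, 1, 0)

if __name__ == "__main__":
    print(THREAD_FRAME.hex())
    print(decode_authpassword_answer(THREAD_FRAME))
```

The length field is 9 because it counts the type byte plus the two 4-byte fields, which is why the frame is 13 bytes on the wire.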
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. github.com/blasty/JiaTans…
this is kind of how I imagine the Real Threat Actor was planning to use this tooling: with (mostly) stock client and the secret sauce provided by a custom ssh agent. my implementation is rough around the edges.. so PRs and additions welcome (kinda burnt out from this lol)
works with scp too etc. (make sure to copy patched ssh client binary to the right folder since scp execve's it..)
q3k from @DragonSectorCTF has figured out the string/symbol obfuscation in the xz backdoor! there appears to be a lot more going on than reported in the initial report. mastodon.social/@q3k@hackerspa…
a myriad of libcrypto routines are being resolved, password auth is likely bypassed as well. logging infra for sshd is hooked to prevent auth bypasses ending up in syslog. there's hooks for setresgid/setresuid, likely used to prevent privdrop when auth'ing as non-root
'auth_root_allowed' is also resolved for sshd instances that don't allow root login (common), and there's a mystery string I haven't been able to find referenced in the code so far: "yolAbejyiejuvnup=Evjtgvsh5okmkAvj"