Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
blasty Profile picture
@bl4sty
Apr 6 8 tweets 2 min read Read on X
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n Image
it requires sending a properly crafted command to the RSA_public_decrypt hook, which will then install another for the `mm_answer_keyallowed` sshd function. subsequently you offer N more fake ssh-rsa pubkeys which are crafted in a special way to chunk together .. 2/n
a "magic buffer" which contains more backdoor commands, this buffer also has two additional ed448 signatures. which like the ones for the RSA_public_decrypt portion of the backdoor are salted with the SHA256 digest of the hostkey
the final signature also takes into account the session_id (0x20 bytes) that is derived during the initial key exchange (KEX) for the SSH session. my current PoC implementation uses a heavily monkey patched paramiko (ssh client) library to achieve this
currently I'm just triggering command 0x03 in this part of the code, which allows for a basic RCE through system() again. (also lets you set uid/gid). but there's more code that needs to be understood. it looks like a full auth bypass (interactive session) is possible!
(that conclusion is based on the fact that one of the mm_answer_keyallowed backdoor commands also hooks mm_answer_keyverify, eventually)
whoever designed this stuff had to take a deep dive into openSSH(d) internals (and so did I for the past couple of days, oof) .. hats off, once again :)
auth bypass confirmed!

> INFO:paramiko.transport:Authentication (password) successful!

mm_keyallowed_backdoor cmd 1 allows to override the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can login with any pass 🤓

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with blasty

blasty Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @bl4sty

blasty Profile picture
Apr 8
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. github.com/blasty/JiaTans…
Image
this is kind of how I imagine the Real Threat Actor was planning to use this tooling: with (mostly) stock client and the secret sauce provided by a custom ssh agent. my implementation is rough around the edges.. so PR's and additions welcome (kinda burnt out from this lol)
works with scp too etc. (make sure to copy patched ssh client binary to the right folder since scp execve's it..) Image
Read 6 tweets
blasty Profile picture
Mar 30
q3k from @DragonSectorCTF has figured out the string/symbol obfuscation in the xz backdoor! there's appears to be a lot more going on then reported in the initial report.mastodon.social/@q3k@hackerspa…
a myriad of libcrypto routines are being resolved, password auth is likely bypassed as well. logging infra for sshd is hooked to prevent auth bypasses ending up in syslog. there's hooks for setresgid/setresuid, likely used to prevent privdrop when auth'ing as non-root
'auth_root_allowed' is also resolved for sshd instances that don't allow root login (common), and there's a mystery string I haven't been able to find referenced in the code so far: "yolAbejyiejuvnup=Evjtgvsh5okmkAvj"
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(