Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
blasty Profile picture
blasty
@bl4sty
irresponsible disclosure aficionado
4 subscribers
Apr 8, 2024 6 tweets 2 min read
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out. github.com/blasty/JiaTans…
Image this is kind of how I imagine the Real Threat Actor was planning to use this tooling: with (mostly) stock client and the secret sauce provided by a custom ssh agent. my implementation is rough around the edges.. so PR's and additions welcome (kinda burnt out from this lol)
Apr 6, 2024 8 tweets 2 min read
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n Image it requires sending a properly crafted command to the RSA_public_decrypt hook, which will then install another for the `mm_answer_keyallowed` sshd function. subsequently you offer N more fake ssh-rsa pubkeys which are crafted in a special way to chunk together .. 2/n
Mar 30, 2024 4 tweets 1 min read
q3k from @DragonSectorCTF has figured out the string/symbol obfuscation in the xz backdoor! there's appears to be a lot more going on then reported in the initial report.mastodon.social/@q3k@hackerspa… a myriad of libcrypto routines are being resolved, password auth is likely bypassed as well. logging infra for sshd is hooked to prevent auth bypasses ending up in syslog. there's hooks for setresgid/setresuid, likely used to prevent privdrop when auth'ing as non-root