Path: ...!news.nobody.at!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail From: Rich Newsgroups: comp.os.linux.misc Subject: Re: Malware find in the news: xz related. Date: Sun, 31 Mar 2024 16:12:13 -0000 (UTC) Organization: A noiseless patient Spider Lines: 34 Message-ID: References: <6608ab05@news.ausics.net> <6608acc9@news.ausics.net> <27bd4b53-920c-f119-6d15-7e844d4a39ea@example.net> Injection-Date: Sun, 31 Mar 2024 16:12:13 +0200 (CEST) Injection-Info: dont-email.me; posting-host="78fc1234267bd7aa8f7e558201269377"; logging-data="1981060"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19qv5X7RoLFYfaqYbWmrvhp" User-Agent: tin/2.6.1-20211226 ("Convalmore") (Linux/5.15.139 (x86_64)) Cancel-Lock: sha1:8zos6w5dP66JSDktGjQFTT79KCI= Bytes: 2528 Nuno Silva wrote: > On 2024-03-31, Lew Pitcher wrote: > >> On Sun, 31 Mar 2024 11:29:08 +0200, D wrote: >>> How is this exploited? Does it require login/pw? >> >> An "infected" system just needs an SSH server exposed to the internet >> to be exploited. The "bad actor" uses a pre-built key to initiate >> contact and contact doesn't go any further than key validation. >> >> However, the key validation of a bad-actor key causes SSHd to extract >> a payload from the key, and pass that payload to a system(3) call. >> >> So, while the "bad actor" initiator never officially "logs on" to >> the system (no userid, etc), they are afforded sshd privilege-level >> access to the system to run commands. >> >> HTH > > If I understand correctly (please correct me if I'm wrong!), it's a > certificate, not a key. While this may sound like nitpicking, in > this case it seems to matter a lot, because for *certificates*, the > hijacked function is invoked even if certificate authentication is > not enabled. > > https://bugzilla.mindrot.org/show_bug.cgi?id=3675 > Given that it is a "backdoor", nitpicking whether it is a 'key' or a 'certificate' for activation is a bit of bikeshedding. It hardly matters that the bad actor used a "key" or a "certificate" to open their backdoor when they get the ability to run arbitrary commands on your system as the root user because of that same backdoor.