Path: ...!news.nobody.at!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Rich <rich@example.invalid>
Newsgroups: comp.os.linux.misc
Subject: Re: Malware find in the news: xz related.
Date: Sun, 31 Mar 2024 16:12:13 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 34
Message-ID: <uuc20s$1sek4$3@dont-email.me>
References: <uu7r9s$kh5b$2@dont-email.me> <uua83j$19ff9$1@dont-email.me> <6608ab05@news.ausics.net> <6608acc9@news.ausics.net> <27bd4b53-920c-f119-6d15-7e844d4a39ea@example.net> <uubq8s$1qpft$1@dont-email.me> <uuc04d$1s3mb$1@dont-email.me>
Injection-Date: Sun, 31 Mar 2024 16:12:13 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="78fc1234267bd7aa8f7e558201269377";
	logging-data="1981060"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX19qv5X7RoLFYfaqYbWmrvhp"
User-Agent: tin/2.6.1-20211226 ("Convalmore") (Linux/5.15.139 (x86_64))
Cancel-Lock: sha1:8zos6w5dP66JSDktGjQFTT79KCI=
Bytes: 2528

Nuno Silva <nunojsilva@invalid.invalid> wrote:
> On 2024-03-31, Lew Pitcher wrote:
> 
>> On Sun, 31 Mar 2024 11:29:08 +0200, D wrote:
>>> How is this exploited? Does it require login/pw?
>>
>> An "infected" system just needs an SSH server exposed to the internet
>> to be exploited. The "bad actor" uses a pre-built key to initiate
>> contact and contact doesn't go any further than key validation.
>>
>> However, the key validation of a bad-actor key causes SSHd to extract
>> a payload from the key, and pass that payload to a system(3) call.
>>
>> So, while the "bad actor" initiator never officially "logs on" to
>> the system (no userid, etc), they are afforded sshd privilege-level
>> access to the system to run commands.
>>
>> HTH
> 
> If I understand correctly (please correct me if I'm wrong!), it's a
> certificate, not a key.  While this may sound like nitpicking, in
> this case it seems to matter a lot, because for *certificates*, the
> hijacked function is invoked even if certificate authentication is
> not enabled.
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=3675
> 

Given that it is a "backdoor", nitpicking whether it is a 'key' or a
'certificate' for activation is a bit of bikeshedding.  It hardly
matters that the bad actor used a "key" or a "certificate" to open
their backdoor when they get the ability to run arbitrary commands on
your system as the root user because of that same backdoor.