I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
More details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
Filippo Valsorda :go: /
npub1wh…akn2m
2024-03-30 17:31:18
Author Public Key
npub1whzyg92c6fsvpjjcnn504z0a2pfwenctp872sgmedqg2np4drj8qwakn2mPublished at
2024-03-30 17:31:18Event JSON
{
"id": "c9096e50e137097c9fdd9b9297aeaf1ec959070e8e95042dda08e7d8624cee94",
"pubkey": "75c4441558d260c0ca589ce8fa89fd5052eccf0b09fca823796810a986ad1c8e",
"created_at": 1711819878,
"kind": 1,
"tags": [
[
"proxy",
"https://abyssdomain.expert/users/filippo/statuses/112185827553387306",
"activitypub"
]
],
"content": "I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.\n\nThe hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().\n\nIt's RCE, not auth bypass, and gated/unreplayable.\n\nMore details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b",
"sig": "00f2ff1c66acc63dbb2632ddb215cd57f29a793861da3328977e55e68eac799108e87d413128a75aec047fea34d5d2ad8cdaef9b67b0cc42b73e554dc8d5fc6f"
}