All links in the page were valid 2024-03-30 unless stated otherwise.
This page contains some material related to the XZ attack that went public 2024-03-29 (original email, and a tarball copy here).
This was quite a sophisticated attack, and all involved assets have to be publicly available, for historical and educational purposes. So here they are. No analysis done, just raw material.
git.tar.bz2 contains a copy of https://github.com/tukaani-project/xz [dead link as of 2024-03-30]
Actually it's a copy of https://rocketgit.com/user/xz-mirror/xz. I didn't clone the original myself, I forgot, and the next day it was removed by github. I compared it with https://git.tukaani.org/?p=xz.git;a=summary, which is the original repository, and the content seems equal, except for the last funny commit with title "Docs: Simplify SECURITY.md.", which is only present in the github repository, and some "index" numbers that differ in the git log history.
To use git.tar.bz2, do:
    mkdir /tmp/xz
    cd /tmp/xz
    [get git.tar.bz2, put it in /tmp/xz]
    tar xf git.tar.bz2
    git reset --hard
To be exhaustive, here is a copy of the .git directory of https://git.tukaani.org/?p=xz.git;a=summary as downloaded 2024-03-29: git-orig.tar.bz2. Use it the same way as git.tar.bz2.
Note: 2024-03-30: https://git.tukaani.org/?p=xz.git;a=summary is active and will be different from what I saw (which was commit 0b99783d63f27606936bb79a16c52d0d70c0b56f).
The malicious m4/build-to-host.m4 is not present in the git repository, only in the source tarballs as published on github (which is dead as of 2024-03-30).
Here are the tarballs. I downloaded them 2024-03-29 from github, when they were still available.
The original report mentions "the upstream source of build-to-host", which is not defined further. From what I understand, this "upstream source" is gnulib, but I'm not sure (but this email seems to confirm my understanding).
Here is a diff between build-to-host.m4 as found in the malicious tarballs (both tarballs provide the same version of this file) and the version found in gnulib (version from git commit 4f63c2b6a7ba71c6371e1ab61f13127ede06d51a): build-to-host-diff.txt.
I extracted the payload, liblzma_la-crc64-fast.o, for both versions:
Nice analysis of the script-part obfuscation by Gynvael Coldwind.
A set of tools was released by Anthony Weems to explore the xz backdoor, including a honeypot and a program to exploit the vulnerability (it will not work on deployed backdoors, if any, because as of 2023-04-01 no one knows the private key of the attacker(s)).
This email is a good starting point for understanding the payload.
Contact: see this
Created: 2024-03-30
Last update (more or less accurate): 2024-04-17