q3k Mar 30, 2024

I have managed to extract a list of encoded strings within the liblzma/xz backdoor payload (5.6.1):

https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01

The code has a dictionary of strings that are encoded as a prefix trie, which helps to keep things stealthy. This is eg. then used to look up symbols, eg. bd_elf_lookup_hash(..., 0x2b0, ...) means bd_elf_lookup_hash(..., "__libc_stack_end", ...). This is also why it's slow :).

This should bring us one step closer to knowing what the binary payload does.

liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)

liblzma backdoor strings extracted from 5.6.1 (from a built-in trie) - hashes.txt

Gist
ÓscarMar 30, 2024
Show threadzeno
@q3k I got too curious about what that weird string was so I did a test, seems to just "defuse" the backdoor as running sshd with it makes it exit much faster than without.
Mar 30, 2024 at 5:57pmWeb
Show threaduisMar 30, 2024
Should have installed Gentoo: it doesn't use redhat's patches