Thomas Roccia Mar 31, 2024

🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz

Show threadDaniel BöhmerMar 31, 2024
@fr0gger I think I understood the attack so far that the #xz binary would later infect #OpenSSH to make it vulnerable to #RemoteCodeExecution. Am I wrong or could you extend the chart with that mechanism? That'd be great!
Show threadMichael Jaeger 🇺🇦

@dboehmer
As far as I understood it, this is correct. The sshd binary is patched by #xz in a way that if one authenticates with a dedicated key, then the payload is passed to a `system()` call, i.e., enabling an RCE.
@fr0gger

Edit: However, this seems to happen only under certain circumstances (e.g. Linux systems, Intel architecture, no debugging enabled).

Apr 1, 2024 at 8:41amFedilab