I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable.

Beloved, I'm so glad this was caught. Would be a nightmare if it went into production

The payload is extracted from the N value (the public key) passed to RSA_public_decrypt, checked against a simple fingerprint, and decrypted with a fixed ChaCha20 key before the Ed448 signature verification.

Is there someplace we can still download it for analysis?

It's been wild telling non-tech friends about this. I don't think any of them truly grasp how cataclysmic this is.

Thanks for sharing!

Is it already known with certain confidence, whether any version of the backdoor automatically pulled in exploit code from remote on it's own? IOW, are people that had compromised versions, but whose sshd was either not running or behind a firewall guaranteed to be safe and not further compromised?

It's a wild one indeed! Incredibly lucky that Andres Freund caught it when he did! IMHO, ZeroTrust + defense in depth strategy combined with good anomaly detection and continuous monitoring is probably the only practical option to mitigate risks, and contain any damage from such motivated actors!

Yup. Only got caught because someone noticed ssh running slow. 😁