Conversation

Notices

1. Embed this notice
   Dare Obasanjo (carnage4life@mas.to)'s status on Saturday, 06-Apr-2024 22:24:24 JST Dare Obasanjo

   A good question is how often tactics like this have worked given how unlikely the discovery was?

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Saturday, 06-Apr-2024 22:24:23 JST Rich Felker

     in reply to

     @carnage4life Unlikely because this would have been discovered almost immediately after actual deployment if it hadn't been caught when it was. There would have only been a short window to use it.

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Sunday, 07-Apr-2024 21:07:01 JST Rich Felker

     in reply to

     • Giovanni Gherdovich

     @ggherdov @carnage4life Sadly that report wasn't investigated well. The "can't repro from git" should have led immediately to diff between release & git.. And the "fix" was very obviously sweeping bug under rug, not fixing it.

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Giovanni Gherdovich (ggherdov@fosstodon.org)'s status on Sunday, 07-Apr-2024 21:07:06 JST Giovanni Gherdovich

     in reply to

     • Rich Felker

     @dalias @carnage4life I see. Makes sense. Indeed Red Hat/Fedora caught it already on March 4th running valgrind, only the attacker managed to bamboozle them arguing there was nothing to see. Attacker then upgraded the malware to 5.6.1.
     https://bugzilla.redhat.com/show_bug.cgi?id=2267598 "Invalid writes regression in liblzma.so" You can't get away with such shenanigans forever.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Sunday, 07-Apr-2024 21:07:07 JST Rich Felker

     in reply to

     • Giovanni Gherdovich

     @ggherdov @carnage4life The attacker was forced to use this type of flashy hack to get injected because they couldn't actually get commit permissions for any code that should be running in sshd, only this unrelated library that distros were wrongly pulling in for systemd integration reasons.

   • Embed this notice
     Giovanni Gherdovich (ggherdov@fosstodon.org)'s status on Sunday, 07-Apr-2024 21:07:08 JST Giovanni Gherdovich

     in reply to

     • Rich Felker

     @dalias @carnage4life Rich, if you say that, it's probably true. Can you expand a little on why you think so? It's a honest question, I'm trying to understand

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Sunday, 07-Apr-2024 21:07:08 JST Rich Felker

     in reply to

     • Giovanni Gherdovich

     @ggherdov @carnage4life Folks end up running stuff under debuggers, ltrace, strace, LD_AUDIT, valgrind, etc. all the time. Not many %-wise, but at that scale of use, it's still a lot of ppl. Code poking at another library's PLT or whatever it did to inject itself would be extremely sus. IFUNC resolver making calls at all is sus and very fragile, could probably fail & crash under some configurations.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Sunday, 07-Apr-2024 21:07:44 JST Rich Felker

     in reply to

     • Giovanni Gherdovich

     @ggherdov @carnage4life I'd really like to normalize both upstream maintainers & distro packaging maintsiners not accepting "fixes" (keeping it open, seeking expert input) unless they fully understand the bug and the proposed fix.

     Haelwenn /элвэн/ :triskell: likes this.