From: Jacob Bachmeyer
Subject: Re: follow-up on backdoor CPU usage (was: libsystemd dependencies)
Date: Fri, 26 Apr 2024 20:28:39 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0
Jacob Bachmeyer wrote:
> [...] The preliminary reports that it was an RCE backdoor that would pass commands smuggled in public key material in SSH certificates to system(3) (as root of course, since that is sshd's context at that stage) are inconsistent with the slowdown that caused the backdoor to be discovered. I doubt that SSH logins were using that code path, and the SSH scanning botnets almost certainly are not presenting certificates, yet it apparently (reports have been unclear on this point) was the botnet scanning traffic that led to the discovery of sshd wasting considerable CPU time in liblzma... I am waiting for the proverbial other shoe to drop on that one.
I have been given (<URL:https://www.openwall.com/lists/oss-security/2024/04/18/1>) a satisfactory explanation for the inconsistency: OpenSSH sshd uses exec(2) to reshuffle ASLR before accepting each connection, and the backdoor blob's tampering with the dynamic linking process greatly reduces the efficiency of ld.so on top of its own processing. The observable wasted CPU time was the backdoor's excessively complex initialization, rather than any direct effect on sshd connection processing.
-- Jacob
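The explanation above (sshd re-execs per connection, so the dynamic loader's cost is paid every time, and the backdoor inflated ld.so's own work) points at a measurement a defender can take: glibc's ld.so reports its startup and relocation cycle counts when a program is run with `LD_DEBUG=statistics`. The Python below is an added example, not code from this thread, from OpenSSH or from xz. It parses that report and compares a sample against a known-good baseline. The two reports embedded in it are constructed in glibc's output layout rather than captured from a real system, the `max_ratio` threshold is an assumed value, and the approach assumes the extra work lands inside the window ld.so times (relocation processing, which is also where IFUNC resolvers execute).

```python
"""Parse glibc's LD_DEBUG=statistics report and flag abnormal loader startup cost."""
import os
import re
import subprocess
from dataclasses import dataclass

# Lines glibc's ld.so prints under LD_DEBUG=statistics (each prefixed by "<pid>:").
# The layout follows glibc's elf/rtld.c; the counters are CPU cycles and counts.
_PATTERNS = {
    "total_cycles": re.compile(r"total startup time in dynamic loader:\s+(\d+)\s+cycles"),
    "reloc_cycles": re.compile(r"time needed for relocation:\s+(\d+)\s+cycles"),
    "load_cycles": re.compile(r"time needed to load objects:\s+(\d+)\s+cycles"),
    # The trailing "final number of relocations" block must not be picked up here.
    "relocations": re.compile(r"(?<!final )number of relocations:\s+(\d+)"),
}


@dataclass
class LoaderStats:
    total_cycles: int
    reloc_cycles: int
    load_cycles: int
    relocations: int

    @property
    def reloc_share(self) -> float:
        """Fraction of loader startup spent in relocation processing."""
        return self.reloc_cycles / self.total_cycles if self.total_cycles else 0.0


def parse_ld_statistics(text: str) -> LoaderStats:
    """Extract the startup counters from LD_DEBUG=statistics stderr output."""
    values = {}
    for name, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"missing '{name}' in loader statistics")
        values[name] = int(match.group(1))
    return LoaderStats(**values)


def capture_ld_statistics(argv: list) -> str:
    """Run argv once with LD_DEBUG=statistics and return ld.so's report (stderr).
    Only glibc's ld.so emits this report; other loaders yield an empty string."""
    env = dict(os.environ, LD_DEBUG="statistics")
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    return proc.stderr


def startup_ratio(baseline: LoaderStats, sample: LoaderStats) -> float:
    """How many times more loader startup cycles the sample burned than the baseline."""
    return sample.total_cycles / baseline.total_cycles


def flag_anomalous(baseline: LoaderStats, sample: LoaderStats,
                   max_ratio: float = 5.0) -> bool:
    """True when startup cost grew far beyond what a normal library-set change
    explains. max_ratio is an assumed threshold; tune it per host/binary."""
    return startup_ratio(baseline, sample) > max_ratio


# Constructed reports in the LD_DEBUG=statistics layout (not captured from a real
# system): a normal startup and one whose relocation phase has been inflated.
BASELINE_SAMPLE = """\
  12345:
  12345:    runtime linker statistics:
  12345:      total startup time in dynamic loader: 1200000 cycles
  12345:                time needed for relocation: 480000 cycles (40.0%)
  12345:                     number of relocations: 3100
  12345:          number of relocations from cache: 2200
  12345:            number of relative relocations: 9800
  12345:               time needed to load objects: 360000 cycles (30.0%)
"""

ANOMALOUS_SAMPLE = """\
  12346:
  12346:    runtime linker statistics:
  12346:      total startup time in dynamic loader: 60000000 cycles
  12346:                time needed for relocation: 57000000 cycles (95.0%)
  12346:                     number of relocations: 3100
  12346:          number of relocations from cache: 2200
  12346:            number of relative relocations: 9800
  12346:               time needed to load objects: 360000 cycles (0.6%)
"""

if __name__ == "__main__":
    base = parse_ld_statistics(BASELINE_SAMPLE)
    anom = parse_ld_statistics(ANOMALOUS_SAMPLE)
    print(f"constructed sample: ratio={startup_ratio(base, anom):.1f} "
          f"reloc_share={anom.reloc_share:.2f} anomalous={flag_anomalous(base, anom)}")
    # On a glibc host, measure a real binary; on other loaders the report is absent.
    try:
        live = parse_ld_statistics(capture_ld_statistics(["/bin/true"]))
        print(f"/bin/true: {live.total_cycles} cycles, reloc_share={live.reloc_share:.2f}")
    except (ValueError, OSError) as exc:
        print(f"no glibc loader report available: {exc}")
```

The useful comparison is the same binary on the same host before and after a library update: the relocation count stays put while the cycle counts jump, which is the signature of code running inside the loader's relocation phase rather than of more libraries being mapped.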