Vulnerability in xz Utils package: History of the attack, introduction of attackers, cryptanalysis and consequences for Bitcoin and Ethereum cryptocurrencies

06.06.2024

xz Utils is a set of data compression tools used widely across operating systems and applications. Its .xz format is built on the LZMA2 compression algorithm, and the tools are routinely used to shrink files and archives so that data is easier to store and transfer. xz Utils has no role in the Bitcoin protocol itself, but it does show up in the development and distribution of Bitcoin-related software: release tarballs of binaries or source code are commonly compressed with xz to reduce download sizes and speed up transfers.

So, while xz Utils is not part of how Bitcoin operates as a cryptocurrency, it is part of the toolchain and of the software supply chain behind Bitcoin-related software, which is what makes a compromise of xz relevant to this audience.

The main components of the package, the xz command-line tool and the liblzma library behind it, provide highly efficient compression using LZMA2. Like any other software, xz Utils is not immune to security problems. In this article we look at one such problem, its nature, its possible consequences and the available protections.

Description of the vulnerability

The first part of this article uses a classic memory-safety bug as an illustration: a decompressor that handles input incorrectly, so that a specially crafted .xz file overruns a fixed-size buffer in the decompression routine. A write past the end of a buffer of this kind can crash the process or, if the attacker controls what gets overwritten, lead to execution of arbitrary code. Note that this is a simplified model of a vulnerability class and not a description of CVE-2024-3094: the 2024 xz incident discussed later in the article was a deliberately planted backdoor, not an accidental overflow.

Technical details

In the example the bug sits in a function named xz_dec_run, which does the decompression work (the name is borrowed from the entry point of the xz-embedded decoder; the code below is a simplified model, not the real implementation). A crafted file can deliver more data than the routine's buffer can hold, and the routine copies it anyway, writing past the end of the allocation. Whatever lies beyond the buffer (neighbouring data, heap metadata or a saved return address, depending on where the buffer lives) is overwritten with attacker-controlled bytes, and that is the primitive behind arbitrary code execution.

Example of vulnerable code:

```c
#include <stdint.h>
#include <string.h>

/* Simplified decoder state: a fixed-size work buffer and its capacity. */
struct xz_dec {
    uint8_t *buffer;
    size_t buffer_size;
};

void xz_dec_run(struct xz_dec *s, const uint8_t *in, size_t in_size) {
    /* ... */
    if (in_size > s->buffer_size) {
        /* Buffer overflow: the input is larger than the buffer, but it is copied in full */
        memcpy(s->buffer, in, in_size);
    }
    /* ... */
}
```

Consequences

Exploitation of this vulnerability could have serious consequences, including:

  1. Arbitrary code execution: an attacker who controls the overwritten memory can execute code of their choosing in the decompressing process, which can lead to full system compromise.
  2. Denial of Service (DoS): even without a working code-execution chain, the overflow corrupts memory and crashes the application, so a single malicious archive can take a service down.
  3. Privilege escalation: if the vulnerable decoder runs in a privileged context (a root daemon, or the kernel itself in the case of xz-embedded), the same bug yields higher privileges than the attacker started with.

Protection methods

To protect against this vulnerability, it is recommended:

  1. Software update: make sure you run the latest version of xz Utils in which the problem is fixed, and rebuild or redeploy anything that statically links liblzma.
  2. Use protection mechanisms: enable Address Space Layout Randomization (ASLR) and non-executable memory (DEP/NX), and build with compiler hardening such as stack protectors and FORTIFY_SOURCE. These raise the cost of exploitation but do not remove the bug.
  3. Input data analysis: bounds-check every copy against the size of the destination before it happens and reject or truncate oversized input; the vulnerable routine above lacks exactly this check.

In March 2024 a far more serious problem surfaced in xz Utils: not an accidental bug, but a backdoor inserted through a software supply chain attack (CVE-2024-3094). The attacker spent about two years ingratiating themselves with the open source community to obtain maintainer rights, and then shipped malicious code in official releases. The rest of this article covers the details of the attack, its consequences and the measures taken to contain the threat.

Attack history

Infiltration of attackers

Gaining the trust needed for maintainer rights took the attacker about two years. In May 2022 a user named Dennis Ens complained on the mailing list about slow responses from the xz Utils developers. Maintainer Lasse Collin replied that he had many unanswered messages and that new features were not being actively developed. Around this time Jia Tan, whose GitHub account dated from 2021, became increasingly active in the project, submitting patches and proposing changes.

Backdoor Injection

Jia Tan's first commit was accepted in June 2022, and further changes followed over the next months. In January 2023 the first merge commit from Jia Tan was accepted, and in March of that year the project's contact email address was changed to jiat0218@gmail.com. From July 2023 Jia Tan also worked actively on third-party repositories that consume xz, and in February 2024 the finishing touches to the backdoor were added and shipped in release 5.6.0.

Vulnerability detection

Sshd slowdown

The backdoor was not found by a security lab but by Andres Freund, a PostgreSQL developer at Microsoft, who noticed odd behaviour on his own machine: ssh logins were slow and sshd consumed an unusual amount of CPU, which prompted a closer look with profiling and debugging tools. He traced the behaviour to a backdoor built into the xz/liblzma releases 5.6.0 and 5.6.1.

How the backdoor works

The build-time script that injects the backdoor first checks that the target is x86-64 Linux with glibc (the payload relies on glibc's ifunc mechanism) and that a Debian or RPM package is being built. At runtime the payload inside liblzma activates only when the host process is /usr/sbin/sshd. It hooks RSA public-key verification in sshd: if the data presented by a connecting client carries a valid signature from the attacker's private key, the embedded command is executed; if the signature check fails, the real verification runs and sshd behaves normally, which is what kept the backdoor hidden from ordinary users. The payload reaches sshd at all only because upstream OpenSSH does not link liblzma: several distributions, including Red Hat, Fedora, openSUSE and Debian, patch sshd to call libsystemd's sd_notify, and libsystemd in turn depends on liblzma.

Consequences and remedies

Closing the vulnerability

After the discovery, GitHub suspended the accounts involved and disabled access to the xz, xz-java and xz-embedded repositories. Lasse Collin later published an account of the events on tukaani.org. The issue was assigned CVE-2024-3094, and users were advised to downgrade xz to an unaffected release (5.4.6 or 5.4.2, depending on the distribution) or to install the patched packages their distribution published.
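The two facts above translate directly into a host check: the backdoored releases are 5.6.0 and 5.6.1, and sshd is only exposed when its dependency closure includes liblzma, which on the affected distributions happens through libsystemd. The POSIX shell script below is an added example, not code from the original article or from the xz project. The sample ldd output is constructed, and the library paths, the --scan flag and the function names are this example's own choices; the live scan additionally assumes readlink -f is available.

```shell
#!/bin/sh
# Added triage script (not from the original article or the xz project).
# Facts relied on: the backdoor shipped in xz/liblzma 5.6.0 and 5.6.1, and it
# reaches sshd only because distro-patched sshd links libsystemd, which in turn
# pulls in liblzma. Paths and sample outputs below are constructed.

# Parse the first line of `xz --version` (e.g. "xz (XZ Utils) 5.6.1") and
# classify the release. Prints: affected | clean | unknown
xz_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p')
    case "$ver" in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo clean ;;
    esac
}

# Read `ldd /usr/sbin/sshd` output on stdin and print the liblzma path sshd
# would load, or nothing if liblzma is not in its dependency closure.
lzma_path_from_ldd() {
    sed -n 's/^[[:space:]]*liblzma\.so[^ ]* => \([^ ]*\) .*$/\1/p' | head -n 1
}

# Classify a resolved liblzma file name (after readlink -f), e.g.
# /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1. Prints: affected | clean | unknown
lzma_file_status() {
    case "$(basename "$1")" in
        liblzma.so.5.6.0|liblzma.so.5.6.1) echo affected ;;
        liblzma.so.*)                      echo clean ;;
        *)                                 echo unknown ;;
    esac
}

# Constructed sample of `ldd /usr/sbin/sshd` from a Debian-style build whose
# sshd links libsystemd (not captured from a real host).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd2d9f5000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2c000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2bfc0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bde0000)'

# Live scan of the current host: installed xz version, and whether the sshd
# binary would load a backdoored liblzma. Only runs when invoked with --scan.
triage_host() {
    if command -v xz >/dev/null 2>&1; then
        echo "xz binary:    $(xz_version_status "$(xz --version 2>/dev/null | head -n 1)")"
    fi
    if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
        lib=$(ldd /usr/sbin/sshd 2>/dev/null | lzma_path_from_ldd)
        if [ -n "$lib" ]; then
            echo "sshd liblzma: $(lzma_file_status "$(readlink -f "$lib")") ($lib)"
        else
            echo "sshd liblzma: not linked (no libsystemd/sd_notify dependency)"
        fi
    fi
}

if [ "${1:-}" = "--scan" ]; then
    triage_host
fi
```

Two signals are checked separately on purpose: a host can have a backdoored xz binary but an sshd that never loads liblzma (upstream OpenSSH, or a distribution without the sd_notify patch), and the reverse is possible when a rebuilt package replaced the library but the xz binary came from elsewhere. Only the combination of a 5.6.0/5.6.1 liblzma in sshd's dependency closure means the remote trigger described above was reachable.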

Investigation and conclusions

It is not known for certain who is behind the name Jia Tan. A Singaporean IP address seen in IRC activity belongs to the Witopia VPN service, so it says nothing reliable about the real location. The spelling of the full name, Jia Cheong Tan, mixes different romanisation standards for Chinese names, which suggests a pseudonym.

Conclusion

The supply chain attack against xz Utils shows how much vigilance and careful review matter in open source development. Despite the attacker's effort, the backdoor was caught thanks to a lucky coincidence and the attentiveness of one developer. The incident highlights the need for stronger security controls in open source projects: comparing release tarballs with the repository contents, scrutinising build scripts and test fixtures, and treating pressure to hand over maintainership with scepticism. For cryptocurrency users the lesson is direct: a backdoor that grants remote code execution on a host running a Bitcoin or Ethereum node, wallet or signing service compromises everything on that host, private keys included. Updating software promptly, limiting what is exposed to the network, and layering additional protections remain the way to minimise that risk. We hope this article helps readers understand the nature of the problem and how to protect against it.

Useful information for enthusiasts:

Contact me via Telegram: @ExploitDarlenePRO