On 2024-03-30 13:18, Gordon Messmer wrote:
The write up describing the back door indicates that the malicious xz
library "changes the value of RSA_public_decrypt@xxxxxxx to point to
its own code." So the back door has pointed one of the symbols that
should point to a page mapped to OpenSSL's libcrypto.so.3 to a page
mapped to liblzma.so.5, instead.
Would it be possible to audit the value of a process's symbols at
runtime to look for this kind of shenanigans? Could this type of
auditing be added to functional tests or rpminspect?
As a proof of concept, I extended GEF a tiny bit:
https://github.com/gordonmessmer/gef
Now gdb can print the GOT with the paths providing the memory section
containing a function. For example, on a Debian 12 system with liblzma 5.6:
---
got RSA
GOT protection: Full RelRO | GOT functions: 463
[0x555957c780f8] RSA_set0_key@OPENSSL_3.0.0 → 0x7f7bce676c90 :
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
[0x555957c78218] RSA_public_decrypt@OPENSSL_3.0.0 → 0x7f7bce948510 :
/usr/lib/x86_64-linux-gnu/liblzma.so.5
[0x555957c782a8] EVP_PKEY_set1_RSA@OPENSSL_3.0.0 → 0x7f7bce618f30 :
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
...
---
If the full table were collected and logged in functional testing, and
compared from build to build, this seems like it could detect this class
of attack. RSA_public_decrypt has clearly moved from libcrypto.so.3 to
liblzma.so.5.
Is this worth pursuing?
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
