On 2024-04-01 23:59, Gordon Messmer wrote:
On 2024-03-30 13:18, Gordon Messmer wrote:
The write-up describing the back door indicates that the malicious xz
library "changes the value of RSA_public_decrypt@xxxxxxx to point to
its own code." So the back door has pointed one of the symbols that
should point to a page mapped to OpenSSL's libcrypto.so.3 to a page
mapped to liblzma.so.5, instead.
Would it be possible to audit the value of a process's symbols at
runtime to look for this kind of shenanigans? Could this type of
auditing be added to functional tests or rpminspect?
As a proof of concept, I extended GEF a tiny bit:
https://github.com/gordonmessmer/gef
I spent a little more time extending GEF further, as a new "got-audit"
command. The command will report an error if two or more libraries
appear to export conflicting symbols. It will also report an error if a
symbol in the GOT points to a shared object that doesn't appear to
export that symbol. For all symbols in the GOT, it reports a mapping
between the symbol and the path where that symbol is mapped.
I'll work on a functional test for the openssh package. I think the
naive approach is to simply record the known-good output of the audit in
a file in the test's directory, run the "got-audit" command, and compare
the two files. Any difference is an error.
I haven't started on that yet, but the "port-forward" test seems fairly
small and simple, so I'll try writing something similar, unless anyone
has suggestions otherwise.
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
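An added illustration of the audit logic discussed in this thread, written for this page rather than taken from GEF or the "got-audit" command: the two checks (conflicting exports across libraries, and a GOT entry resolving into a mapping whose library does not export that symbol) run over constructed maps, export lists and GOT contents that mimic a redirected RSA_public_decrypt entry. Paths, addresses and symbol sets are constructed sample data.

```python
from collections import defaultdict

# Constructed /proc/<pid>/maps excerpt: (start, end, path) per library.
MAPS = [
    (0x7F0000000000, 0x7F0000400000, "/usr/lib64/libcrypto.so.3"),
    (0x7F0001000000, 0x7F0001040000, "/usr/lib64/liblzma.so.5"),
]

# Constructed exported-symbol sets (in a real run, read from each .dynsym).
EXPORTS = {
    "/usr/lib64/libcrypto.so.3": {"RSA_public_decrypt", "RSA_get0_key"},
    "/usr/lib64/liblzma.so.5": {"lzma_code", "lzma_alloc"},
}

# Constructed GOT after resolution: symbol -> target address.  Here
# RSA_public_decrypt has been pointed into liblzma's mapping instead of libcrypto's.
GOT_HIJACKED = {
    "RSA_public_decrypt": 0x7F0001001234,
    "RSA_get0_key": 0x7F0000012340,
    "lzma_code": 0x7F0001005678,
}


def mapping_for(addr, maps):
    """Return the path of the mapping that contains addr, or None."""
    for start, end, path in maps:
        if start <= addr < end:
            return path
    return None


def audit_got(got, maps, exports):
    """Return (errors, {symbol: path}) for the given GOT contents.

    An error is a symbol exported by more than one library, or a GOT entry
    whose target lies in a mapping whose library does not export the symbol.
    """
    errors, owners, resolved = [], defaultdict(list), {}
    for path, syms in exports.items():
        for sym in syms:
            owners[sym].append(path)
    for sym, paths in sorted(owners.items()):
        if len(paths) > 1:
            errors.append(f"{sym}: exported by {', '.join(sorted(paths))}")
    for sym, addr in got.items():
        path = resolved[sym] = mapping_for(addr, maps)
        if path is None:
            errors.append(f"{sym}: {addr:#x} is outside every mapping")
        elif sym not in exports.get(path, ()):
            errors.append(f"{sym}: points into {path}, which does not export it")
    return errors, resolved
```

The symbol-to-path table returned alongside the errors is the part that can be recorded as a known-good baseline and diffed on later runs.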