Davanum Srinivas

@dims.dev

#OpenSource Person, Principal Engineer for @awscloud. He/Him.
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable.
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library. Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Hey all! I'm an experienced open source strategist/TPM/leader/advocate with extensive experience in everything from policy to automation to research. Looking for a place where I can build out an open source programs office or act as a strategic advisor! https://www.linkedin.com/in/juliaferraioli