Hi ! I want to demo the backdoor usage and would like to install a unstable/test version of a distribution (possibly Debian or Fedora) that had the backdoor (v5.6.0 or 5.6.1 of xz/liblzma and patched openssh for systemd notification)

How could I do that?

I will be using xzbot from amlweems to further patch liblzma but I want a distro that has openssh run by systemd that links to the correct liblzma version

Thank you!

  • emidioOP
    link
    fedilink
    arrow-up
    7
    ·
    edit-2
    8 months ago

    Oh thank you so much for these instructions I’ll go through them on my computer.

    I indeed wanted to know if the versions were still downloadable anywhere but if you can still install the correct liblzma version on any version of the distribution that works. I tried on a Debian VM on mac but with too little knowledge and it never run the correct liblzma

    xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

    • Arthur Besse@lemmy.mlM
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      8 months ago

      xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

      Fun :)

      Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository url (typically https://deb.debian.org/debian/).