21 comments

[ 3.2 ms ] story [ 54.7 ms ] thread
Nice try, Jia Tan.
(comment deleted)
So DPRK, Russia, or China, right? The USA and any country affiliated with it can just seize servers.
Well the more likely reason for that is that the exploit doesn't work if you have the LANG env var set. The US is the primary place where it wouldn't be set and hence where the malware would be active.
Does sshd normally run with any LANG env set when it’s run as a daemon?
Does that mean setting a Lang environment variable is a mitigation?
My understanding was the opposite. Two examples I found where backdoor is working are:

  env -i LANG=en_US.UTF-8 /usr/sbin/sshd -D
  env -i LANG=C /usr/sbin/sshd -h
Commits had a UTC +8 timestamp, so most likely China or possibly Russia unless Australia or Taiwan decided to do something really weird. Probably not DPRK.
People thinking like you still astonishes me. We are talking about someone who is able to build a backdoor like this, and be so careless of:

- using a name that reveals their nationality?

- commiting at a timezone that reveals where are they located?

Please. We have no idea who's behind this. The only legitimate question is (as usual): who benefits from this? Answer: any government on earth (most likely: USA, China, Russia, etc.)

If an attacker is so smart and patient to pull of a sneaky supply chain attack like this, I'd say he/she/they must have been quite carefully choosing the moniker and hide/obfuscate other potentially identity revealing information (afaik, there is no reliable identity information found at the moment). So by choosing a very typical Chinese name (Jia Tan), I believe this is intentially misleading/smearing. I can't believe a smart ass (potenially a state actor) would be so stupid to use his/her/their actual nationality or other information.
You can also just set TERM or any of about a dozen other env vars.
I believe that is just to disable the inclusion of the payload, the given env variable will disable the payload when it is live.
It prevents registration of the dl-audit hook, very early on. So no redirection of RSA_public_decrypt occurs.
good point; i don't want to be sensational, so i updated the headline
It should go without saying: don't rely on this.

You probably don't have 100% certainty that the RCE hasn't already dropped a secondary payload.

But do you need to also possess the trusted privkey? I wonder why the attacker would build an unauthenticated kill switch.
it's for convenience. if you are aware of the necessity of the kill switch then you can just replace the offending package.
It does not appear you need the secret key to use the kill switch.