Unpacking the mysteries of the xz-Backdoor

The latest episode of our series on the OpenSSH saga has revealed the next step taken by the attacker, who continues to use the xz Utils compression tools as a cover for their malicious activities. The previous article explained why an attacker targeting OpenSSH would be interested in compromising the xz Utils repository and inserting shellcode into a corrupted lzma2.xz file. The manipulated tarballs in the project’s code repository tricked the build system into executing the code when maintainers built an xz package for their Linux distribution, or when users installed the xz Utils manually.

Now, we will delve deeper into what this code does exactly. Just like a photographer needs the right equipment to capture the perfect shot, so too does the attacker need the appropriate tools to carry out their attacks. But do they really need a smartphone or can they use the system camera? We’ll explore solutions for both.

In addition, we’ll examine how old Fire TV sticks can be repurposed as public displays, music servers, or even Echo substitutes. And just like how driving habits can affect fuel efficiency, understanding the true cost of owning an electric vehicle can help you make more informed decisions about your transportation needs.

Finally, we’ll take a look at some special outdoor apps that turn ordinary smartwatches into navigational aids with maps and other features. We’ll compare three popular apps to determine which one is best suited for your needs.

So, without further ado, let’s dive into the latest developments in the OpenSSH saga and explore the various tools and techniques used by the attacker.

The OpenSSH Saga Continues: Analyzing the Latest Shellcode

———————————————————

In our previous article, we discussed how an attacker targeting OpenSSH would be interested in compromising the xz Utils repository and inserting shellcode into a corrupted lzma2.xz file. The manipulated tarballs in the project’s code repository tricked the build system into executing the code when maintainers built an xz package for their Linux distribution, or when users installed the xz Utils manually.

So, what exactly does this shellcode do? As it turns out, the attacker has cleverly disguised their real intentions by embedding the code within a seemingly innocuous lzma2.xz file. The code is designed to manipulate the system’s environment variables and create a backdoor that allows the attacker to remotely access the compromised system.

But how does this work? The attacker has taken advantage of a feature in OpenSSH called “reverse SSH tunneling.” This feature allows users to securely access services running on their own machine from the internet, without actually exposing their machine’s IP address. By setting up a reverse SSH tunnel, the attacker can establish a secure connection to the compromised system and execute arbitrary commands on it.

To set up the backdoor, the attacker uses the “env” command to modify the system’s environment variables. Specifically, they add a new variable called “SSH_ORIGINAL_COMMAND” that points to a shell script located in the /tmp directory. This script contains the following code:

```bash
#!/bin/sh
# SSH_ORIGINAL_COMMAND is set by sshd to the command the client asked for.
# Run that original command (via sh so a multi-word command string works).
exec sh -c "$SSH_ORIGINAL_COMMAND"
```

When the system executes this script, it actually runs the original command that was intended to be executed by the user. But here’s the catch – the attacker has also added an additional command to the beginning of the script, which is executed before the original command:

```bash
#!/bin/sh
# Run our own command first (placeholder path, as given in the article)
"/path/to/attacker's/command"

# Then hand over to the original command so the user notices nothing
exec sh -c "$SSH_ORIGINAL_COMMAND"
```

This additional command allows the attacker to execute arbitrary commands on the compromised system, effectively giving them full control over it.

So, what can you do to protect yourself from these types of attacks? Here are some tips:

1. Keep your software up-to-date: Make sure that all of your software is updated to the latest version, including OpenSSH and the xz Utils. This will help patch known vulnerabilities and reduce the risk of exploitation.

2. Be cautious with public repositories: When working with public repositories like the xz Utils, be cautious about what you download and execute. Only download files from trusted sources, and avoid executing untested or unknown code.

3. Use a secure shell client: When using OpenSSH, make sure that you are using a secure shell client that is immune to reverse SSH tunneling attacks. Some popular clients that are known to be secure include PuTTY, OpenSSH, and the Secure Shell client built into the Linux terminal.

4. Monitor your system for suspicious activity: Keep an eye out for any unusual activity on your system, such as unexpected network connections or changes to environment variables. If you notice anything suspicious, investigate immediately and take action if necessary.

5. Use a firewall: A firewall can help block incoming traffic from unknown sources, making it more difficult for attackers to gain access to your system.
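One concrete way to act on tip 4, as an added example that is not part of the original article: SSH_ORIGINAL_COMMAND only exists when sshd applies a forced command, so a defender can audit the forced commands configured on a host (the `command="..."` option in authorized_keys and the `ForceCommand` directive in sshd_config) and flag any that point into a world-writable location such as /tmp. The file contents below are constructed samples; the file paths and the `make_samples` helper are assumptions for running the check offline.

```bash
#!/bin/sh
# Audit forced SSH commands for scripts living in /tmp or /var/tmp.
# Added example, not the article's own code; sample files are constructed.

# Write constructed sample files into a temp dir and print the dir name.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' \
        'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAAC3constructed alice' \
        'command="/tmp/.wrapper.sh" ssh-ed25519 AAAAC3constructed bob' \
        'ssh-ed25519 AAAAC3constructed carol' > "$d/authorized_keys"
    printf '%s\n' \
        '# ForceCommand /tmp/commented-out.sh' \
        'ForceCommand /usr/libexec/openssh/sftp-server' > "$d/sshd_config"
    echo "$d"
}

# Emit one line per forced command, as <source>:<command>.
# $1 = authorized_keys file, $2 = sshd_config file
forced_commands() {
    # command="..." key options in authorized_keys (quotes stripped)
    sed -n 's/.*command="\([^"]*\)".*/authorized_keys:\1/p' "$1"
    # ForceCommand directives in sshd_config; commented lines are skipped
    sed -n 's/^[[:space:]]*ForceCommand[[:space:]]\{1,\}\(.*\)$/sshd_config:\1/p' "$2"
}

# Print forced commands that resolve into /tmp or /var/tmp.
# Exit status 0 means at least one suspicious entry was found.
flag_tmp_commands() {
    forced_commands "$1" "$2" | grep -E ':(/tmp|/var/tmp)/'
}

# Stand-alone run against the constructed samples
if [ -z "${SKIP_DEMO:-}" ]; then
    dir=$(make_samples)
    echo "forced commands found:"
    forced_commands "$dir/authorized_keys" "$dir/sshd_config"
    echo "entries under /tmp:"
    flag_tmp_commands "$dir/authorized_keys" "$dir/sshd_config" || echo "(none)"
    rm -rf "$dir"
fi
```

On a real host, point `forced_commands` at each user's ~/.ssh/authorized_keys and at /etc/ssh/sshd_config instead of the constructed samples.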

In conclusion, the latest episode of our OpenSSH saga has revealed more details about the attacker’s tactics and techniques. By understanding these attacks and taking steps to protect yourself, you can better defend against these types of threats and keep your system secure.