On 2024-04-01 23:59, Gordon Messmer wrote:
> On 2024-03-30 13:18, Gordon Messmer wrote:
>> The write up describing the back door indicates that the malicious xz
>> library "changes the value of RSA_public_decrypt@....plt to point to
>> its own code." So the back door has pointed one of the symbols that
>> should point to a page mapped to OpenSSL's libcrypto.so.3 to a page
>> mapped to liblzma.so.5, instead.
>>
>> Would it be possible to audit the value of a process's symbols at
>> runtime to look for this kind of shenanigans? Could this type of
>> auditing be added to functional tests or rpminspect?
> As a proof of concept, I extended GEF a tiny bit:
> https://github.com/gordonmessmer/gef
I spent a little more time extending GEF further, as a new "got-audit"
command. The command will report an error if two or more libraries
appear to export conflicting symbols. It will also report an error if a
symbol in the GOT points to a shared object that doesn't appear to
export that symbol. For all symbols in the GOT, it reports a mapping
between the symbol and the path where that symbol is mapped.
I'll work on a functional test for the openssh package. I think the
naive approach is to simply record the known-good output of the audit in
a file in the test's directory, run the "got-audit" command, and compare
the two files. Any difference is an error.
I haven't started on that yet, but the "port-forward" test seems fairly
small and simple, so I'll try writing something similar, unless anyone
has suggestions otherwise.
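As an added illustration of the two "got-audit" checks described in the message above (this is not code from the GEF fork), here is a small Python model that runs the checks over a constructed /proc/<pid>/maps excerpt, constructed per-library export tables and a constructed GOT snapshot; in a real audit those inputs would be read from the live process under GDB, and the library paths, addresses and symbol sets below are assumptions.

```python
import re

# Constructed /proc/<pid>/maps excerpt; addresses, inodes and paths are made up.
MAPS = """\
7f00000000-7f00100000 r-xp 00000000 08:01 1      /usr/lib64/libcrypto.so.3
7f10000000-7f10040000 r-xp 00000000 08:01 2      /usr/lib64/liblzma.so.5
7f20000000-7f20200000 r-xp 00000000 08:01 3      /usr/lib64/libc.so.6
"""
# Constructed per-library export tables (what `nm -D --defined-only` would list).
EXPORTS = {
    "/usr/lib64/libcrypto.so.3": {"RSA_public_decrypt", "EVP_DigestInit"},
    "/usr/lib64/liblzma.so.5": {"lzma_code", "lzma_end"},
    "/usr/lib64/libc.so.6": {"malloc", "free"},
}
# Constructed GOT snapshot in which RSA_public_decrypt resolves into liblzma's range.
GOT = {"RSA_public_decrypt": 0x7F10001234, "malloc": 0x7F20001000,
       "lzma_code": 0x7F10002000}

MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s+(\S+)$")

def parse_maps(text):
    """Return (start, end, path) for each executable, file-backed mapping."""
    regions = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m and "x" in m.group(3):
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return regions

def got_audit(got, maps_text, exports):
    """Map each GOT symbol to the object it points into and collect audit errors."""
    regions = parse_maps(maps_text)
    errors, owners, mapping = [], {}, {}
    # Check 1: two or more libraries export the same symbol name.
    for path, syms in exports.items():
        for sym in syms:
            owners.setdefault(sym, []).append(path)
    for sym, paths in owners.items():
        if len(paths) > 1:
            errors.append(f"conflict: {sym} exported by {', '.join(sorted(paths))}")
    # Check 2: each GOT target must lie inside an object that exports that symbol.
    for sym, addr in got.items():
        path = next((p for s, e, p in regions if s <= addr < e), None)
        mapping[sym] = path
        if path is None:
            errors.append(f"{sym}: {addr:#x} is not inside any executable mapping")
        elif sym not in exports.get(path, ()):
            errors.append(f"{sym}: points into {path}, which does not export it")
    return mapping, errors
```

The symbol-to-path mapping it returns is the kind of known-good record a functional test could store and diff against later runs.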