Xz/liblzma: Bash-stage Obfuscation Explained

Yesterday (29 March 2024), Andres Freund reported to oss-security a backdoor in xz/liblzma that targets the OpenSSH server (sshd) on distributions where sshd is patched to link libsystemd and therefore loads liblzma; the effort that went into discovering and investigating it deserves credit. The obfuscated binary payload is the more intriguing part, but the focus of the post is the obfuscation in the initial bash stages. Two releases, xz 5.6.0 and 5.6.1, are affected, and the bash stages differ between them (among other things in the byte offsets and substitution tables used to locate and decode the payload).

The bash part is split into three stages (a fourth is possible: stage 2 contains an extension mechanism that looks for further scripts hidden in the test files). Stage 0 is a few lines in m4/build-to-host.m4, present in the release tarballs but not in the git repository, that locate a deliberately "corrupt" xz test file, run it through tr (swapping tab with space and hyphen with underscore) so that it becomes a valid xz stream, decompress it and pipe the result into the shell. Stage 1 is the script extracted that way: with a chain of head -c commands it alternately skips and keeps byte ranges of another decompressed test file, trims the result with tail -c, remaps every byte with a tr range substitution, decompresses the outcome as a raw LZMA1 stream and executes it. Stage 2 uses the same carving and adds an RC4-like stream cipher implemented in awk to recover the binary object that is then linked into liblzma. The post walks through each stage in detail.
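As an added example (not code from the linked post or from the xz project), the following Python models the two primitives the bash stages are built from: a tr(1)-style byte substitution and the head -c / tail -c carving, followed by decompression. Python's lzma module stands in for the xz binary. The stage-0 swap (tab/space, hyphen/underscore) is the one used in build-to-host.m4; the stage-1 range spec is quoted from memory of the 5.6.0 script and only serves as a realistic input, since the parser works for any spec. The carrier data, the skip/take parameters other than the 1024/2048 pattern, and the stand-in payload script are constructed for the example.

```python
"""Model of the xz/liblzma bash-stage unpacking pipeline (added example)."""
import lzma

# Stage 0: the m4 code pipes the "corrupt" test file through
#   tr "\t \-_" " \t_\-"
# i.e. tab<->space and hyphen<->underscore; the result is a valid .xz file.
STAGE0_SET1, STAGE0_SET2 = "\\t \\-_", " \\t_\\-"

# Stage 1 (5.6.0) remaps the carved bytes with tr "<ranges>" "\0-\377".
# Range spec quoted from memory of the 5.6.0 script; treat it as illustrative.
STAGE1_SET1_560 = "\\114-\\321\\322-\\377\\35-\\47\\14-\\34\\0-\\13\\50-\\113"
ALL_BYTES = "\\0-\\377"


def _elem(spec, i):
    """Parse one tr SET element at spec[i]: literal char, \\t/\\n/\\r, \\-, or octal escape."""
    if spec[i] != "\\":
        return ord(spec[i]), i + 1
    j = i + 1
    if spec[j] in "01234567":
        k = j
        while k < len(spec) and k < j + 3 and spec[k] in "01234567":
            k += 1
        return int(spec[j:k], 8), k
    return {"t": 9, "n": 10, "r": 13}.get(spec[j], ord(spec[j])), j + 1


def parse_tr_set(spec):
    """Expand a tr SET (including a-b ranges) into a list of byte values."""
    out, i = [], 0
    while i < len(spec):
        v, i = _elem(spec, i)
        if i < len(spec) - 1 and spec[i] == "-":     # range a-b
            w, i = _elem(spec, i + 1)
            out.extend(range(v, w + 1))
        else:
            out.append(v)
    return out


def tr_table(set1, set2):
    """256-byte translation table equivalent to `tr SET1 SET2`."""
    table = bytearray(range(256))
    dst = parse_tr_set(set2)
    for n, src in enumerate(parse_tr_set(set1)):
        table[src] = dst[min(n, len(dst) - 1)]      # tr pads SET2 with its last char
    return bytes(table)


def invert(table):
    """Inverse mapping; what the attacker had to apply when embedding the payload."""
    inv = bytearray(256)
    for src, dst in enumerate(table):
        inv[dst] = src
    return bytes(inv)


def stage0_unpack(corrupt_xz):
    """tr "\\t \\-_" " \\t_\\-" | xz -d   (the swap is its own inverse)."""
    return lzma.decompress(corrupt_xz.translate(tr_table(STAGE0_SET1, STAGE0_SET2)))


def embed_stage0(script):
    """Constructed counterpart: a valid .xz made 'corrupt' by the same swap."""
    return lzma.compress(script).translate(tr_table(STAGE0_SET1, STAGE0_SET2))


def carve(data, skip, take, reps, last_take):
    """Model of `eval $i`: ((head -c +skip >/dev/null) && head -c +take) repeated
    `reps` times, then one more skip and a final read of `last_take` bytes.
    The real script uses skip=1024 and take=2048."""
    out, pos = bytearray(), 0
    for n in range(reps + 1):
        pos += skip
        length = take if n < reps else last_take
        out += data[pos:pos + length]
        pos += length
    return bytes(out)


def stage1_unpack(carrier, skip, take, reps, last_take, tail_from, set1):
    """carve | tail -c +tail_from | tr set1 "\\0-\\377" | xz -F raw --lzma1 -dc"""
    blob = carve(carrier, skip, take, reps, last_take)[tail_from - 1:]
    raw = blob.translate(tr_table(set1, ALL_BYTES))
    return lzma.decompress(raw, format=lzma.FORMAT_RAW, filters=[{"id": lzma.FILTER_LZMA1}])


def embed_stage1(script, set1, skip=1024, take=2048, pad=100):
    """Constructed carrier built the way the attacker must have: raw-LZMA1 compress,
    apply the INVERSE tr, prepend `pad` bytes that tail -c will drop, then interleave
    the pieces with `skip` bytes of junk. Returns (carrier, reps, last_take)."""
    raw = lzma.compress(script, format=lzma.FORMAT_RAW, filters=[{"id": lzma.FILTER_LZMA1}])
    hidden = b"\0" * pad + raw.translate(invert(tr_table(set1, ALL_BYTES)))
    chunks = [hidden[i:i + take] for i in range(0, len(hidden), take)]
    carrier = b"".join(b"A" * skip + c for c in chunks)
    return carrier, len(chunks) - 1, len(chunks[-1])


if __name__ == "__main__":
    script = b"echo stage2 > /dev/null\n"          # constructed stand-in payload
    assert stage0_unpack(embed_stage0(script)) == script
    carrier, reps, last = embed_stage1(script, STAGE1_SET1_560)
    assert stage1_unpack(carrier, 1024, 2048, reps, last, 101, STAGE1_SET1_560) == script
    print("stage 0 and stage 1 round trips ok")
```

The useful property for an analyst is that both substitutions are permutations of the byte space, so the table built from the script's tr arguments can be inverted to see exactly how the payload was prepared, and the carve parameters (skip, take, repetitions, final read, tail offset) are all that distinguishes the 5.6.0 and 5.6.1 variants at this level.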

https://gynvael.coldwind.pl/?lang=en&id=782
