ruby nealon
@_ruby
hacker girly. 🇯🇵
Tokyo
Joined April 2015
  • Pinned
    The setup behind the CVE-2024-3094 supply-chain attack is fascinating. I originally wanted to finish and share a tool to audit other OSS projects for anomalous contributor behavior, but I feel what I found trying to MVP it is way more interesting. 🧡 1/25 gist.github.com/rubyroobs/77cc…
    [image] diff of running `strings` on an existing test fixture in the xz project and the one containing the injected code added by the attacker
  • when someone submits a video without a poc [video attached]
  • Replying to @_ruby
    25/25 It feels very lucky that it was discovered at the stage it was. I hope with this attack on people's minds, other OSS projects in similar positions consider doing tabletop scenario exercises for this kind of attack and how they can prevent/detect it. Thanks for reading!
  • Hope everyone is having a great day except whoever installed the cabling in my apartment building
  • Permanent residency in Japan approved 🇯🇵
  • Replying to @_ruby
    23/25 I wonder how many other high-effort "fake identities" are still in the infiltration stage, building trust with maintainers of other quiet or older projects that are a valuable target for attackers but aren't necessarily understood as one.
  • Replying to @_ruby
    24/25 If the injected code was more conservative selecting targets and didn't have a performance impact so significant that someone who (in their own words) "is not a security researcher/engineer" began to investigate, how long could this have gone undetected?
  • Replying to @_ruby
    7/25 I started manually auditing the xz repo. Another surprise was reading the test file README in xz: "Many of the files have been created by hand with a hex editor, thus there is no better "source code" than the files themselves." With hindsight of the test file backdoor... 😅
    [image] xz project test/files/README, which reads:

.xz and .lzma Test Files
------------------------

0. Introduction

    This directory contains bunch of files to test handling of .xz,
    .lzma (LZMA_Alone), and .lz (lzip) files in decoder implementations.
    Many of the files have been created by hand with a hex editor, thus
    there is no better "source code" than the files themselves. All the
    test files and this README may be distributed under the terms of
    the BSD Zero Clause License (0BSD).
  • Replying to @_ruby
    16/25 From 2022 though, a focus on xz-utils, even representing it in other projects! In Google's oss-fuzz, they disabled the same compiler feature their backdoor uses to intercept execution. And then changed the primary contact, so any bugs it did manage to find went to them... 🤔
    [image] GitHub PR "xz: Disable ifunc to fix Issue 60259" by the author of the backdoor. The change just adds "--disable-ifunc" to the build instructions Google's security fuzzer uses. IFUNC is also the glibc feature used to intercept execution by the backdoor though, so it's a bit hard to believe this is just a coincidence...
    [image] GitHub PR "XZ updates". The backdoor author changes the "primary_contact" email address registered with Google's open source security fuzzer to their own.
  • Replying to @_ruby
    2/25 If you haven't, please read the full @Openwall mailing list disclosure. The first advisory summary a friend shared with me had such a high-level overview that I feel I initially grossly underestimated the level of sophistication of this attack. openwall.com/lists/oss-secu…
  • Replying to @_ruby
    15/25 The other contributor has authored 76% of commits, incl. the first. So between them, 95% of all commits. But their GH account was created in 2021! Before working on xz, they ... tried to make libarchive auto-download combinations of dependencies that didn't make sense 🤔
    Added Dependency downloader script for apt and yum #1595

I found it difficult to collect all of the dependencies when I was trying to build for the first time. To make it easier for everyone else, I figured I could automate this. Let me know if I am missing anything or if this script belongs in a different folder.

(description written by the attacker)
  • Replying to @_ruby
    5/25 Suddenly I had a lot of questions. Why did sshd/OpenSSH load xz-utils if OpenSSH doesn't depend on it? As I understand now, official OpenSSH does not but linux distro packages often patch it to support systemd, which does. (still not 100% - please correct me if I am wrong!)
  • Replying to @_ruby
    12/25 But as I was running my MVP script in the xz-utils repo, I realized that if this user was a 'fake identity' as suspected, the creator had been anything but lazy. This is by far the most work/time/persistence I've seen go into an attack that anyone can follow chronologically
  • Replying to @_ruby
    22/25 At the time of writing they are even still listed as co-maintainer on the sponsoring project's website too. My point isn't to goof on the project, but rather to highlight the level of trust and access they achieved while infiltrating the project. tukaani.org/about.html
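The pinned post's image is a diff of `strings` output between an old and a new version of a binary test fixture. The script below is an added example of that check in Python; it is not the author's audit tool and not xz project code. The two fixture byte strings are constructed for the demo (a stream magic plus opaque bytes, then the same bytes with an ASCII blob appended as a stand-in for an injected payload), and the shell-text heuristic is my own crude rule, not anything from the thread. The point it shows: fixtures "created by hand with a hex editor" have no source to review, so the printable runs inside them are the closest thing to a reviewable surface, and a diff of those runs between revisions is cheap to add to review.

```python
"""Added example: diff the printable strings in two revisions of a binary
test fixture, the way `strings old > a; strings new > b; diff a b` would.
Not the tool from the thread and not xz project code; the fixture bytes and
the shell-text heuristic below are constructed/assumed for this demo."""
import re
from dataclasses import dataclass, field

MIN_LEN = 4  # GNU strings(1) default minimum run length

# Assumed heuristic for "this looks like script, not compressed data": a shell
# name at a token boundary, command substitution, or a well-known path prefix.
_SHELL_LIKE = re.compile(r"(?:^|\s)(?:sh|bash|eval|exec)\b|\$\(|/bin/|/usr/")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Printable-ASCII runs (0x20-0x7e plus tab) of >= min_len bytes, in file order."""
    run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


@dataclass
class StringsDiff:
    unchanged: list[str] = field(default_factory=list)
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)

    def shell_like_additions(self) -> list[str]:
        """Added strings that trip the shell heuristic; these deserve a human look."""
        return [s for s in self.added if _SHELL_LIKE.search(s)]


def diff_strings(old: bytes, new: bytes, min_len: int = MIN_LEN) -> StringsDiff:
    """Compare the distinct printable strings of two fixture versions.

    Order of `added`/`unchanged` follows the new file, so a reviewer can see
    where in the blob the new text sits relative to the format markers."""
    old_set = set(extract_strings(old, min_len))
    new_strs = list(dict.fromkeys(extract_strings(new, min_len)))  # dedupe, keep order
    return StringsDiff(
        unchanged=[s for s in new_strs if s in old_set],
        added=[s for s in new_strs if s not in old_set],
        removed=sorted(old_set - set(new_strs)),
    )


def report(name: str, old: bytes, new: bytes) -> str:
    """Human-readable diff in the +/- style of the image on the pinned post."""
    d = diff_strings(old, new)
    lines = [f"== {name}: {len(d.added)} added, {len(d.removed)} removed, "
             f"{len(d.unchanged)} unchanged"]
    lines += [f"+ {s}" for s in d.added]
    lines += [f"- {s}" for s in d.removed]
    for s in d.shell_like_additions():
        lines.append(f"!! shell-like text inside a compressed fixture: {s!r}")
    return "\n".join(lines)


# Constructed sample fixtures (not real xz test files).
XZ_MAGIC = b"\xfd7zXZ\x00"  # the real .xz stream magic; "7zXZ" is itself a 4-byte string
OLD_FIXTURE = (XZ_MAGIC + b"\x00\x04\xe6\xd6\xb4\x46"      # fake stream-header bytes
               + bytes(range(0x80, 0xa0))                # opaque non-ASCII payload
               + b"YZ")                                  # footer magic, too short to count
# Same bytes plus an appended ASCII blob standing in for an injected payload.
NEW_FIXTURE = OLD_FIXTURE + b"\x00\x00####Hello####\xffsh -c 'echo injected'\x00"

if __name__ == "__main__":
    print(report("tests/files/constructed.xz", OLD_FIXTURE, NEW_FIXTURE))
```

To run this over a real repository, read each fixture at two revisions (for example `git show <old>:tests/files/<name>` and `git show <new>:tests/files/<name>` into bytes) and call `diff_strings` per file. Two caveats: the baseline magic ("7zXZ") shows up as unchanged rather than noise, which is what you want, but a payload that is itself compressed or encoded will not produce readable strings, so a strings diff catches only the lazy case; pair it with a size/entropy check per fixture and with a rule that a changed fixture must come with an explanation of what decoder behaviour it exercises.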