[kwlug-disc] Fw: Backdoor found in widely used Linux utility

Mikalai Birukou mb at 3nsoft.com
Mon Apr 1 13:48:24 EDT 2024


> Here is a very readable detailed breakdown of how obfuscated shell
> scripting was used in this exploit.
>
> Very clever, very opaque, and effective.
>
> The committer of these files took a few years to lay the groundwork
> for his exploit (2021 to 2024, most likely by gaining trust first).
>
> One tends to think this is funded by (or will be sold to) a state
> actor or organized crime ...
>
> https://gynvael.coldwind.pl/?id=782

Yes. Let's look at stage 2, point 3. We are looking at a line of 20 or 
so characters, and a paragraph that describes what it does.

On one hand, it reminds me of Rothko's painting that is visually short, 
and someone nearby can describe for hours what this is. This is an art. 
Very, very beautiful, I guess.

On the other hand, I don't want any of this cleverness near my build 
processes. Yet, we are talking about a patch in a new version, that 
doesn't really fall out of the previous version's style. It seems that 
clever code is all over the place. This style allows for 
obfuscation. Sooner or later someone will come to exploit it, while the 
clever guy who started such a style won't have the cognitive 
resources/time to note bad input. Voila!


Side note:

Maybe it all started in the console era, when your prompt was *the only* 
way to give anything to the machine. Short pipe notation arrives shortly 
after. ... ehh, can someone help me with my own scripts now? :)


Practical note:

"You should be this tall to write C++" said a sign at Mozilla.

More specifically, we need a sign at a lower height saying "I 
should be this short and still capable of reading your code, before it 
gets merged." This doesn't mean, though, that "I love you" should be 
spelled in a hundred pages -- coding is art, but it isn't human poetry.

Maybe, if a particular cleverness level is hit, one must have tests and 
user stories for that little function that runs in a build pipeline. 
Allow cleverness, but make the clever guy put all sorts of fences around 
it. Maybe.
