Analysis of the xz backdoor, part 4

The attacker managed to get the xz library liblzma, as shipped by Debian and RedHat, to include a malicious object file: liblzma_la-crc64-fast.o. Having covered the compilation and packaging steps, we now look at what the injected code actually does on a victim's system. At just under 90 Kbytes the object file is large, and its size is not the only reason it is so hard to analyze.

We first address the simple question of under what conditions the code in liblzma_la-crc64-fast.o is executed at all. As described in the previous section, the backdoor manipulates the source files crc64_fast.c and crc32_fast.c in the src/liblzma/check/ directory during the package build. In particular, it hooks into the functions crc64_resolve() and crc32_resolve(), so that when either of them is called, the _get_cpuid() function they eventually invoke is routed through the backdoor.


Both …resolve() functions are, as the name suggests, ifunc resolvers. With "GNU indirect functions" (ifunc), developers can decide dynamically which code a function should use. This allows, for example, highly optimized code to be distributed: developers can write particularly performance-critical functions in several versions for different processor architectures, and at runtime the dynamic linker lets the program use the ifunc resolver to choose the implementation that best suits the current system.
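As an added illustration (not code from the article or from xz itself), here is a minimal ifunc-based CRC64 in C that mirrors the crc64_resolve()/_get_cpuid() arrangement: the resolver asks a hypothetical has_clmul_demo(), standing in for liblzma's _get_cpuid(), whether the CPU supports carry-less multiplication and returns the matching implementation. The names crc64_resolve_demo, has_clmul_demo and lzma_crc64_demo are invented, and the "fast" variant is a nibble-table stand-in rather than liblzma's CLMUL code; the point to take away is that the dynamic linker calls the resolver while relocating the binary, so anything reachable from it runs as soon as the library is loaded, before main() of the hosting process.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef __x86_64__
#include <cpuid.h>
#endif
#define CRC64_POLY 0xC96C5795D7870F42ULL /* reflected CRC-64/XZ poly (ECMA-182) */
typedef uint64_t (*crc64_func)(const uint8_t *, size_t, uint64_t);
static uint64_t crc64_step(uint64_t c, int n) {   /* n shift steps of a reflected CRC */
    while (n--) c = (c >> 1) ^ (CRC64_POLY & -(c & 1));
    return c;
}
/* Portable implementation: eight shift steps per input byte. */
uint64_t crc64_generic(const uint8_t *buf, size_t size, uint64_t crc) {
    crc = ~crc;
    for (size_t i = 0; i < size; i++) crc = crc64_step(crc ^ buf[i], 8);
    return ~crc;
}
/* Stand-in "fast" variant: nibble table, same result (real liblzma uses CLMUL). */
uint64_t crc64_fast_demo(const uint8_t *buf, size_t size, uint64_t crc) {
    static uint64_t table[16];                                /* built on first use */
    for (uint64_t i = 0; table[15] == 0 && i < 16; i++) table[i] = crc64_step(i, 4);
    crc = ~crc;
    for (size_t i = 0; i < size; i++) {
        crc ^= buf[i];   crc = table[crc & 0xF] ^ (crc >> 4);
        crc = table[crc & 0xF] ^ (crc >> 4);
    }
    return ~crc;
}
/* Hypothetical analogue of liblzma's _get_cpuid() (the call the backdoor hijacks): PCLMULQDQ? */
int has_clmul_demo(void) {
#ifdef __x86_64__
    unsigned a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d)) return (c >> 1) & 1;   /* leaf 1, ECX bit 1 */
#endif
    return 0;
}
/* ifunc resolver: the dynamic linker runs it during relocation, before main(). */
crc64_func crc64_resolve_demo(void) {
    return has_clmul_demo() ? crc64_fast_demo : crc64_generic;
}
#if defined(__ELF__) && defined(__GLIBC__)
/* GNU indirect function: every call lands on what crc64_resolve_demo() returned. */
uint64_t lzma_crc64_demo(const uint8_t *, size_t, uint64_t)
    __attribute__((ifunc("crc64_resolve_demo")));
#else /* no ifunc support: resolve lazily on the first call instead */
uint64_t lzma_crc64_demo(const uint8_t *buf, size_t size, uint64_t crc) {
    static crc64_func impl;
    return (impl ? impl : (impl = crc64_resolve_demo()))(buf, size, crc);
}
#endif
```

When auditing a library for load-time code paths, ifunc resolvers and whatever they call belong on the list alongside constructors, because they execute in every process that maps the library, whether or not that process ever calls the function.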

This was a reading sample of our Heise Plus article “Analysis of the XZ Backdoor, Part 4”. With a Heise Plus subscription you can read and listen to the full article.

