cesarb

@q3k I just did a quick look at the openssh-portable source code, and many of these strings (including the "xcalloc: zero size" one, which does not make much sense for backdoor code) can be found there. So my guess is that there's a good chance that a lot of the code you'll find is just the openssh code; the hard part would be to find what has been changed in it.

2 comments
q3k :blobcatcoffee:

@cesarb I think it might be something like looking for functions which call some symbols, or looking for function calls with debug statements. We're pretty sure somewhere in there is a small x86_64 disassembler :). All of this to be able to patch different versions of openssh.

drone

@q3k @cesarb I think this is right. We confirmed it hooks additional functions (RSA_get0_key), and we speculate it's modifying logs as well (check out what it's doing around the "Accepted password for" strings).
