by pxx 811 days ago
Huh, I had erroneously thought the exploit string was sent earlier in the connection, before the handshaking completed (note the "handshake failed" error in xzbot on successful exploit, and also the fact that no logging is done).

But you're right: we've verified the hostkey by the time we send the special certificate. So there's no way to effectively replay this without access to the server keys. My original comment is incorrect.

I'm actually surprised there's no logging at INFO or higher after this succeeds, given that openssh typically logs preauth connection closes. But I guess the crutch is that we never log connection opens and we only really log failures in handshaking, and it's not like the backdoor is going to go out of its way to log the fact that it opened itself...