Simple SSH Agent that implements some of the XZ sshd backdoor functionality.
For those who want to more easily explore the backdoor using a typical SSH client.
- Patch your liblzma.so with a custom ed448 public key
- Patch your SSH client to skip verification of the certificate:
  - Look for this section in openssh's sshkey.c and comment it out:

        if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
            sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) {
                goto out;
        }

- Run the agent and connect with the patched client:

        python3 agent.py /tmp/agent ./privkey.bin
        SSH_AUTH_SOCK=/tmp/agent ./ssh root@localhost

- log in with any password :)
-- blasty <peter@haxx.in>