XZ Gon' Give It To Ya

Last Friday the internet was rocked with the discovery of an exploit in xz-utils that was not only well-put-together technically, but also an example of extremely effective long game social engineering. I could share my opinions, but the takes I’ve seen have actually been fairly nuanced and thoughtful, if (justifiably!) pessimistic, from people with more experience and more familiarity than I have.

So instead I did this. Which, if you recognize the title, is exactly what you think it is. Listen along to the original here, or if you’re around my age you may enjoy this variation.

Yeah, uh, yeah, yeah, uh
Yeah, don’t get it twisted
This exploit is mine, motherfucker
It’s not a fuckin’ game
Fuck what you heard
It’s what you hearin’ (It’s what you hearin’)
It’s what you hearin’ (Listen)
It’s what you hearin’ (Listen)
It’s what you hearin’ (Listen)

[Verse 1]
XZ gon’ give it to ya (What?)
Fuck waitin’ for you to get it on your own, XZ 5.6 to ya
Knock-knock, update your dependencies
Load liblzma so we can do what we please
Go hard, gettin’ busy with it
But I got such a good record I’ll make a lib maintainer wonder if he did it
Damn right, and I’ll do it again
’Cause no policy’s stoppin’ me from gettin’ back in
Gain cred with the enemy
No matter how many checks you set up, I’ll break ’em with a simple tweak
You motherfuckers never wanted nothin’ but your lib for free
It wasn’t all sock puppetry
I’m gettin’ in (In) with the magic word “Please”
And bringing all your systems to their knees
Your SSHDs, (Come on) if the only thing you cats did
Was take my tgz, that’s plenty for me, maintainer

First, we gonna HELP, then we gonna HACK
Then we put it out, let it compromise your stack
XZ gon’ give it to ya, we gon’ give it to ya
XZ gon’ give it to ya, we gon’ give it to ya

[Chorus (again)]

[Verse 2]
I ain’t tellin’ what they gave to me
But you know it’s all because cats got they hands out wantin’ somethin’ free
Turn off the sandbox, compilation error
Hide in the diff as a single stray character
Let’s turn off the fuzzing
A legitimate conflict but now I corrupt what was in
You against me, me against you
Whatever I want, I’m stealthy, get past code review

I’m a wolf in sheep’s clothin’
Hide my payload in the tests, no one suspects, come back on build and crack it open
Filter out the noise, look around for patches
Can’t get too suspicious in case somebody’s asking
But of any project, of all repositories
A compression lib’s tests, they gonna have binaries
They don’t know who we be, lookin’
But they don’t know who they see, maintainer

[Chorus x2]

[Verse 3]
Ayo, where my SSH at?
libservice, libpam, they gonna load me and it’s time to crack
IFUNC intercept, send my key
RSA verify, RCE
Love to the distros that run it
Shout out to repos that done it
And I would have gotten away with it too
If SSH perf hadn’t slipped by a notch, or two

[Chorus x3]