JiaTansSSHAgent: Replicating XZ Utils Backdoor for Enhanced SSH Access and Security Bypass

Threat Analysis

On April 9, 2024, GitHub user blasty, known as @bl4sty on X (previously Twitter), released JiaTansSSHAgent, an SSH agent tool that mimics some of the functions of the XZ Utils backdoor. That backdoor was planted by Jia Tan in XZ Utils versions 5.6.0 and 5.6.1, specifically in the liblzma library, and grants unauthorized SSH access to Linux systems running the compromised versions. The incident is tracked as CVE-2024-3094.

Blasty describes JiaTansSSHAgent as a practical implementation of their Paramiko-based script. Paramiko is a Python library for SSH connections and server communication. According to blasty, JiaTansSSHAgent lets an attacker carry out malicious actions through both standard and custom SSH agents, including overriding certain sshd security settings such as PermitRootLogin. The tool also works with a standard OpenSSH client, provided a specific line of code is removed.

JiaTansSSHAgent is started with two command-line paths: one for the Unix domain socket it listens on and one for the Ed448 private key file on which its cryptographic functions depend. Once configured, it listens for SSH agent requests and handles each according to its type. For identity requests (SSH_AGENTC_REQUEST_IDENTITIES), it generates keys that bypass password authentication and returns them in its response. For extension requests (SSH_AGENTC_EXTENSION), it retrieves the host key details, sets up a session ID, and responds affirmatively. Any unsupported request type receives a failure response. The agent uses ChaCha20 for encryption and Ed448 for signing. It runs continuously, processing requests until it is terminated or encounters an error.
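As an added illustration written from a monitoring stance (this is not code from blasty's tool), the following Python decoder parses the agent-protocol message types named above from a captured agent socket stream: it splits the stream into length-framed messages, labels each by its type number, extracts the extension name from SSH_AGENTC_EXTENSION requests, and flags extension names outside an allow-list. The allow-list and the sample capture are constructed assumptions for the example.

```python
import struct

# SSH agent protocol message numbers (draft-miller-ssh-agent) used here.
MSG_NAMES = {5: "SSH_AGENT_FAILURE", 6: "SSH_AGENT_SUCCESS",
             11: "SSH_AGENTC_REQUEST_IDENTITIES",
             12: "SSH_AGENT_IDENTITIES_ANSWER", 27: "SSH_AGENTC_EXTENSION"}
# Assumed allow-list of extension names a stock OpenSSH client may send.
ALLOWED_EXTENSIONS = frozenset({"query", "session-bind@openssh.com"})

def read_string(buf, off):
    """Parse one SSH 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def split_messages(stream):
    """Split a captured agent byte stream into framed message bodies."""
    bodies, off = [], 0
    while off < len(stream):
        body, off = read_string(stream, off)
        if not body:
            raise ValueError("empty message")
        bodies.append(body)
    return bodies

def describe(body):
    """Return (message name, detail) for one agent message body."""
    name = MSG_NAMES.get(body[0], "unknown(%d)" % body[0])
    if body[0] == 27:  # extension name follows the type byte
        return name, read_string(body, 1)[0].decode("ascii", "replace")
    if body[0] == 12:  # uint32 key count follows the type byte
        return name, "%d keys" % struct.unpack_from(">I", body, 1)
    return name, ""

def audit(stream):
    """Decode a capture; flag extension requests outside the allow-list."""
    return [(name, detail,
             name == "SSH_AGENTC_EXTENSION" and detail not in ALLOWED_EXTENSIONS)
            for name, detail in map(describe, split_messages(stream))]

def frame(body):
    """Length-prefix a message body (or a string) for the wire."""
    return struct.pack(">I", len(body)) + body

# Constructed sample capture: identities request, unknown extension, failure.
SAMPLE = frame(bytes([11])) + frame(bytes([27]) + frame(b"example@test")) + frame(bytes([5]))
```

Running audit(SAMPLE) flags only the extension request, since its name is not in the assumed allow-list.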

Reference

https://github.com/blasty/JiaTansSSHAgent

Support The CyberShield Chronicles by becoming a sponsor. Any amount is appreciated!