Talk

Don’t let Jia Tan have all the fun: hacking into Fedora and OpenSUSE

, 14:30 (CAMPUS)

Coverage of supply chain attacks tends to focus on typosquatting, fueled by the marketing and FUD of security vendors. More recently, "Jia Tan" pushed the limits of social manipulation over two years to become a maintainer of xz, which let them plant a sophisticated backdoor in the project. These are isolated incidents against specific packages, yet each had the potential to compromise a significant number of users. But what does it take to compromise a whole Linux distribution?

In this talk, we present a much less documented class of attack: the compromise of open-source projects' infrastructure with fresh 0-days, based on the research that led us to find critical issues in the build systems of Fedora, OpenSUSE and all their downstream distributions, such as CentOS. After revisiting examples of such attacks in recent history, we dive into Pagure and Open Build Service, two custom applications deployed on their infrastructure. Let's see where some old-school bugs will lead us!

Speakers

Thomas Chauchefoin

Thomas Chauchefoin (@swapgs@infosec.exchange) is a Principal Application Security Engineer at Bentley Systems. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in all kinds of software. He has also taken part in competitions such as Pwn2Own and Hack-a-Sat, and was nominated for a Pwnie Award for his research on the security of the PHP supply chain.

Maxime Rinaudo

Maxime (@MaxRio13) is the co-founder of Fenrisk (@FenriskSec) and one of its security experts. He began his career as a C/C++ developer before seizing the opportunity to take his career in a new direction. He moved into cybersecurity, with a particular focus on web security and the UNIX ecosystem. While working as a penetration tester he met Julien Szlamowicz, with whom he founded Fenrisk, a company specializing in offensive cybersecurity expertise.
