POC details: 2ce0788434c3c9b4d54fc823dac92e0bd1d63508

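Related vulnerability
Title: xz security vulnerability (CVE-2024-3094)
Description: xz is application software used to read and write xz compressed streams. XZ Utils versions 5.6.0 and 5.6.1 contain a security vulnerability that stems from allowing an attacker to embed malicious code.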
Introduction
# CVE-2024-3094 xz Check Script

This repository contains a Bash script and a one-liner command to verify if a system is running a vulnerable version of the "xz" utility, as specified by CVE-2024-3094.

See the description and impact statement below, taken from Red Hat (https://access.redhat.com/security/cve/CVE-2024-3094):

"_Malicious code was identified in the upstream tarballs of "xz" starting from version 5.6.0. This code involves a complex method where the build process of liblzma extracts a prebuilt object file from a disguised test file within the source code. This file is then utilized to alter specific functions within the liblzma code, leading to a compromised liblzma library. Any software linked against this modified library may intercept and alter data interactions with the library, potentially exposing systems to security risks._

_The investigation to date reveals that the impacted packages are confined to Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No Red Hat Enterprise Linux (RHEL) versions are affected by this issue._

_The vulnerability stems from malicious injection found in xz versions 5.6.0 and 5.6.1, specifically within the tarball download package. The Git distribution does not include the M4 macro responsible for triggering the build of the malicious code. However, the Git repository does contain second-stage artifacts intended for injection during build time if the malicious M4 macro is present. Absent integration into the build, these 2nd-stage files are harmless. Demonstrations of the vulnerability revealed interference with the OpenSSH daemon, which, while not directly linked to the liblzma library, interacts with systemd in a manner that makes it susceptible to the malware, given systemd's linkage to liblzma._"

## Background Information from the Kali blog article [About the xz backdoor](https://www.kali.org/blog/about-the-xz-backdoor/)

_"The xz-utils package, starting from versions 5.6.0 to 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized access to the entire system remotely._

_With a library this widely used, the severity of this vulnerability poses a threat to the entire Linux ecosystem. Luckily, this issue was caught quickly so the impact was significantly less than it could have been. It has already been patched in Debian, and therefore, Kali Linux._

_The impact of this vulnerability affected Kali between March 26th to March 29th, during which time xz-utils 5.6.0-0.2 was available. If you updated your Kali installation on or after March 26th, but before March 29th, it is crucial to apply the latest updates today to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability."_

## Verification Script

The following Bash script and one-liner command can be used to check if your system is affected by CVE-2024-3094:

```bash
command -v xz &>/dev/null && xz_version=$(xz --version | head -n 1 | awk '{print $4}') && { [[ $xz_version == "5.6.0" || $xz_version == "5.6.1" ]] && echo -e "\n[*] This system seems to be VULNERABLE to CVE-2024-3094 since it has a vulnerable version of xz\n\nLearn more about this CVE on this link:\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3094" || echo -e " \n[*] This system DOES NOT SEEM to be vulnerable to CVE-2024-3094."; } || echo "[-] xz package is not installed."
```

### Verification suggested by the Kali blog article [About the xz backdoor](https://www.kali.org/blog/about-the-xz-backdoor/)

How to check manually for an affected Kali Linux version? Run `apt-cache policy liblzma5`:

```bash
kali@kali:~$ apt-cache policy liblzma5  
liblzma5:  
 Installed: 5.4.5-0.3  
 Candidate: 5.6.1+really5.4.5-1  
 Version table:  
    5.6.1+really5.4.5-1 500  
       500 http://kali.download/kali kali-rolling/main amd64 Packages  
*** 5.4.5-0.3 100  
       100 /var/lib/dpkg/status
```

If the version "5.6.0-0.2" appears next to `Installed:`, the package must be upgraded to the latest version, "5.6.1+really5.4.5-1". On Kali Linux this is done with the following command:

```bash
sudo apt update && sudo apt install -y --only-upgrade liblzma5
```
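
The package-level check above, as an added example that is not part of the repository's script: the fixed Kali/Debian package is named "5.6.1+really5.4.5-1", so a naive prefix match on the package version would report it as affected. The function names and the two sample policy texts are constructed for illustration.

```bash
#!/bin/sh
# Added example (POSIX sh); function names are hypothetical.

# Reduce a distro package version to the upstream release it really ships.
#   5.6.1+really5.4.5-1 -> 5.4.5   (Debian "+really" rollback package)
#   5.6.0-0.2           -> 5.6.0
upstream_version() {
    v=${1#*:}                            # drop an epoch ("1:") if present
    case $v in
        *+really*) v=${v##*+really} ;;   # real upstream follows "+really"
    esac
    v=${v%%-*}                           # drop the Debian revision
    v=${v%%[+~]*}                        # drop suffixes such as "+dfsg"
    printf '%s\n' "$v"
}

# "affected" only for the two releases named in CVE-2024-3094.
classify_version() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) echo affected ;;
        ""|"(none)") echo not-installed ;;   # no Installed: value found
        *)           echo not-affected ;;
    esac
}

# Extract the "Installed:" value from `apt-cache policy liblzma5` on stdin.
installed_from_policy() {
    awk '$1 == "Installed:" { print $2; exit }'
}

# Prints "<installed version> <verdict>" for a policy text passed as $1.
check_policy() {
    inst=$(printf '%s\n' "$1" | installed_from_policy)
    printf '%s %s\n' "$inst" "$(classify_version "$inst")"
}

# Constructed sample inputs: a host on the rollback package and a host
# still on the affected Kali build.
SAMPLE_FIXED='liblzma5:
  Installed: 5.6.1+really5.4.5-1
  Candidate: 5.6.1+really5.4.5-1'
SAMPLE_BAD='liblzma5:
  Installed: 5.6.0-0.2
  Candidate: 5.6.1+really5.4.5-1'

check_policy "$SAMPLE_FIXED"
check_policy "$SAMPLE_BAD"
```

On a live Debian or Kali host the same check is `check_policy "$(apt-cache policy liblzma5)"`.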
File snapshot

```
[4.0K] /data/pocs/2ce0788434c3c9b4d54fc823dac92e0bd1d63508
├── [1.2K] CVE-2024-3094_check.sh
├── [1.2K] LICENSE
└── [4.3K] README.md

0 directories, 3 files
```