POC details: 36ae6035781689f344d801e7d88e21033fd4b4c0

Source
Related vulnerability
Title: xz security vulnerability (CVE-2024-3094)
Description: xz is an application used for reading and writing xz compressed streams. XZ Utils versions 5.6.0 and 5.6.1 contain a security vulnerability that allows an attacker to embed malicious code.
Introduction
# CVE-2024-3094
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source tree, which is then used to modify specific functions in the liblzma code.  
The result is a modified liblzma library that is loaded by any software linked against it, allowing the backdoor to intercept and modify the data passing through the library. This repository contains two quick scripts to check your Kubernetes Pods and Docker containers for the vulnerable recent versions of liblzma5, 5.6.0 and 5.6.1.  
  
Credit to https://www.openwall.com/lists/oss-security/2024/03/29/4 for the detection script used as a base.  
  
For more details please check:  
https://nvd.nist.gov/vuln/detail/CVE-2024-3094  
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27  
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/  
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/  
  
## Testing  
If you are looking for an actual vulnerable container for testing:  
https://hub.docker.com/layers/library/debian/experimental-20240311/images/sha256-81992d9d8eb99b5cde98ba557a38a171e047b222a767dc7ec0ffe0a194b1c469?context=explore  
  
Create an SBOM with Trivy:  
```shell
trivy image --format cyclonedx --output result.json debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
```
  
Check for liblzma5:
```shell
cat result.json | grep liblzma5
      "bom-ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
      "name": "liblzma5",
      "purl": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
          "value": "liblzma5@5.6.0-0.2"
        "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
        "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
      "ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
        "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
```
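Grepping the SBOM for `liblzma5` shows the package but leaves the version comparison to the eye. The following added example (not one of the repository's scripts) parses the CycloneDX JSON that Trivy emits, strips the Debian/RPM packaging suffix and epoch from each version, and flags only components whose upstream xz version is 5.6.0 or 5.6.1; the embedded SBOM fragment is constructed for the example and mirrors the grep output above.

```python
"""Flag backdoored liblzma/xz versions (CVE-2024-3094) in a CycloneDX SBOM.
Added example, not part of the repository's own check scripts."""
import json
import sys

# Upstream versions that ship the malicious code, per the advisory.
VULNERABLE_UPSTREAM = {"5.6.0", "5.6.1"}

# Package names under which liblzma ships in common distributions.
LIBLZMA_NAMES = {"liblzma5", "xz-libs", "xz-utils", "liblzma", "xz"}


def upstream_version(version: str) -> str:
    """Reduce a distro package version to the upstream part:
    '5.6.0-0.2' -> '5.6.0', '1:5.6.1-1.fc40' -> '5.6.1'."""
    without_epoch = version.split(":", 1)[-1]
    return without_epoch.split("-", 1)[0]


def find_vulnerable_liblzma(sbom: dict) -> list:
    """Return the bom-ref (or purl) of every liblzma/xz component whose
    upstream version is one of the backdoored releases."""
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") not in LIBLZMA_NAMES:
            continue
        if upstream_version(comp.get("version", "")) in VULNERABLE_UPSTREAM:
            hits.append(comp.get("bom-ref") or comp.get("purl"))
    return hits


# Constructed SBOM fragment (not real Trivy output) with one vulnerable
# liblzma5, an unrelated package, and a patched-era xz-utils for contrast.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid",
         "name": "liblzma5", "version": "5.6.0-0.2",
         "purl": "pkg:deb/debian/liblzma5@5.6.0-0.2?arch=amd64&distro=debian-trixie%2Fsid"},
        {"bom-ref": "pkg:deb/debian/zlib1g@1.3.dfsg-3?arch=amd64",
         "name": "zlib1g", "version": "1:1.3.dfsg-3"},
        {"bom-ref": "pkg:deb/debian/xz-utils@5.4.5-0.3?arch=amd64",
         "name": "xz-utils", "version": "5.4.5-0.3"},
    ],
}

if __name__ == "__main__":
    # Usage: python check_sbom.py result.json  (falls back to the sample)
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for ref in find_vulnerable_liblzma(sbom):
        print("VULNERABLE liblzma (CVE-2024-3094):", ref)
```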

## Disclaimer  
Using manual scripts to check containers for vulnerabilities is informative, but it does not scale and lacks the thoroughness and real-time monitoring of a comprehensive Cloud Native Application Protection Platform (CNAPP) such as Falco.  
CNAPPs offer automated, continuous security assessment and policy enforcement across your cloud-native stack, providing more robust security posture management with minimal manual intervention.
File snapshot

```
[4.0K] /data/pocs/36ae6035781689f344d801e7d88e21033fd4b4c0
├── [ 574] check_docker.sh
├── [2.4K] check_k8s.sh
├── [ 975] check_sbom.sh
├── [2.7K] README.md
└── [ 264] test-pod.yaml

0 directories, 5 files
```