Share
## https://sploitus.com/exploit?id=5260F29D-300E-5B46-8C86-571853343F35
# xzk8s
[![Docker Pulls xzk8s](https://img.shields.io/docker/pulls/r0binak/xzk8s?logo=docker)](https://hub.docker.com/r/r0binak/xzk8s)

Dockerfile and Kubernetes manifests for reproduce CVE-2024-3094

# Build image

We use the debian version of the vulnerable xz utils as the base image. We also need to patch the library. The patched version of the liblzma library is taken from the [xzbot repository](https://github.com/amlweems/xzbot/).

```dockerfile
FROM debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970
# use debian with a vulnerable version of xz utils as the base image
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:root123' | chpasswd
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

EXPOSE 22

COPY liblzma.so.5.6.0.patch /root/
# in order to exploit the vulnerability you must use a patched library because 
# the exploit author originally hardcoded his public key
# in the patched library this key has been swapped out

ENV LD_PRELOAD=/root/liblzma.so.5.6.0.patch

# load the patched library via LD_PRELOAD

CMD ["/usr/sbin/sshd", "-D"]
```

# Exploit demo

First, we must deploy a simple Pod, with the image assembled in the previous step:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: cve-2024-3094
  labels:
    app: cve-2024-3094
spec:
  containers:
  - name: cve-2024-3094
    image: r0binak/xzk8s:v1
    ports:
    - containerPort: 22
```

Then, redirect the ports:

```bash
kubectl port-forward backdoor-cve-2024-3094 2222:22
```

Let's use the [xzbot](https://github.com/amlweems/xzbot/) exploit:

![](./assets/xzbot.png)

Finally, let's go inside the container and check the exploit results:

![](./assets/results.png)

# References

- https://github.com/amlweems/xzbot/
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
- https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
- https://gist.github.com/keeganryan/a6c22e1045e67c17e88a606dfdf95ae4