/CVE-2024-3094-backdoor-env-container

This is a container environment running CVE-2024-3094 sshd backdoor instance, working with https://github.com/amlweems/xzbot project. IT IS NOT Docker, just implemented by chroot.

Primary LanguageShellGNU General Public License v2.0GPL-2.0

CVE-2024-3094 SSH Backdoor Container Env

This is an environment running CVE-2024-3094 sshd backdoor instance, working with this exploit: https://github.com/amlweems/xzbot.

Experiments

Test in Docker

IT IS NOT a Docker container. I had tried making this vulnerability env with docker but failed:

  1. https://github.com/lockness-Ko/xz-vulnerable-honeypot: xzbot not working inside it.
  2. manually build docker image's filesystem from scratch with the dependence totally same as which have been successfully exploited with xzbot on an Ubuntu VM host: xzbot exploit still failed.

I doubt that it was related to systemd, cus all the ways I tried inside docker that spawning SSHD were running from cmdline, not systemd.

Test in Host

Follow up on, I tested with experiment: On the VM machine where sshd(systemd) has been successfully exploited with xzbot, I directly lauched /sbin/sshd -D -e -p 2024 with replaced liblzma.so, and the xzbot exploitation failed, which indicates that it may be highly related to systemd.

Test in Host with systemd

I gave up docker cus it's little complex running sshd from systemd inside docker.

Finally I extracted the minimized file system from my VM, and made it to a mini container based on chroot, which can easily run on host namespace with systemd.

It works both on my VM environment and another environment, which makes xzbot exploitation success.

I haven't figure out the principle, but anyway I organized the environment in this project for research.

Usage

Env Compose

./compose.sh at root dir of this project.

Env Remove

./remove.sh at root dir of this project.

Exploit

./xzbot -addr 127.0.0.1:2024 -cmd 'whoami > /hello', and you can see file named hello below env_fs if exploit successful.

Other Statement

How is the Exploitation

https://github.com/amlweems/xzbot provides a nice tool, and it patched the liblzma.so with own pubkey, making it accessible. Turn to xzbot project for details.

Our mini file system contains the default patched lzma so file of xzbot. And a xzbot executable binary was compiled staticlly here. You can just ./xzbot -addr 127.0.0.1:2024 -cmd 'whoami > /hello' for testing.

How it works

A systemd xzback.service file will be dynamically deployed to /etc/systemd/system/ on your host.

And xzback.service will starts with chroot to our mini file system, with no more influence on host file system.