Xz-utils backdoor detect.sh

If the xz 5.6.0 or 5.6.1 packages are installed on your systems, the following sample script can be used to detect them:

#!/usr/bin/env bash
# Needs bash: the version test below uses [[ ]], which /bin/sh (dash) lacks.
set -eu

echo "Checking system for CVE-2024-3094 Vulnerability..."
echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

# find path to liblzma used by sshd
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
sshd_path=$(whereis -b sshd | awk '{print $2}')
path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1)

if [ -z "$path" ]; then
    echo
    # sshd is not linked against liblzma, so the sshd backdoor path is not
    # present; note that exiting here also skips the xz version check below.
    echo "Probably not vulnerable (liblzma not found)"
    exit 0
fi

# check for function signature (byte pattern of the backdoored function
# prologue quoted in the oss-security post)
# adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
echo
echo "Checking for function signature in liblzma..."
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
    echo "Function signature in liblzma: VULNERABLE"
else
    echo "Function signature in liblzma: OK"
fi

# check xz version ("xz (XZ Utils) 5.6.1" -> field 4 is the version)
echo
echo "Checking xz version..."
xz_version=$(xz --version | head -n1 | awk '{print $4}')
if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then
    echo "xz version $xz_version: VULNERABLE"
else
    echo "xz version $xz_version: OK"
fi
9 Likes
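The same two checks, as an added example that is not part of the original post or of the oss-security script: the signature search and the version test are factored into functions, a self-test runs them on constructed files (not real libraries) that do and do not embed the signature bytes, and the host check runs the xz version test even when sshd does not load liblzma, which the script above skips by exiting early. It uses only POSIX od/tr/grep, so it also works where hexdump is absent, and the hex search is byte-aligned rather than run over a continuous nibble stream. The function names (sig_pattern, liblzma_has_signature, xz_version_affected, selftest, check_host) are my own.

```sh
#!/bin/sh
# Added example (not from the original post): the thread's two checks as
# functions, plus a self-test on constructed data. Function names are my own.
set -u

# Hex bytes of the backdoored function prologue from the oss-security post.
SIG_HEX='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# "f30f1e..." -> "f3 0f 1e ...": with one space per byte, grep can only match
# on byte boundaries (the original greps a continuous nibble stream).
sig_pattern() {
    printf '%s\n' "$SIG_HEX" | sed 's/../& /g; s/ $//'
}

# 0 if FILE contains the signature, 1 if not, 2 if FILE is unreadable.
# od/tr are POSIX, so this also runs where hexdump is not installed.
liblzma_has_signature() {
    [ -r "$1" ] || return 2
    od -An -tx1 -v "$1" | tr -s ' \n' ' ' | grep -q "$(sig_pattern)"
}

# 0 if the first line of "xz --version" (e.g. "xz (XZ Utils) 5.6.1") names
# one of the two backdoored releases, 1 otherwise. Exact match only: later
# releases and rolled-back distro packages report other version strings.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | awk '{print $NF}')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Same liblzma lookup as the thread's script, but the xz version is checked
# even when sshd does not load liblzma (the package may still be installed).
check_host() {
    sshd_path=$(whereis -b sshd 2>/dev/null | awk '{print $2}')
    lib=$(ldd "$sshd_path" 2>/dev/null | grep -o '/[^ ]*liblzma[^ ]*' | head -1)
    if [ -z "$lib" ]; then
        echo "sshd does not load liblzma: backdoor not reachable via sshd"
    elif liblzma_has_signature "$lib"; then
        echo "$lib: backdoor signature FOUND"
    else
        echo "$lib: signature not present"
    fi
    if command -v xz >/dev/null 2>&1; then
        xz_line=$(xz --version | head -n1)
        if xz_version_affected "$xz_line"; then
            echo "$xz_line: AFFECTED release"
        else
            echo "$xz_line: OK"
        fi
    else
        echo "xz not installed"
    fi
}

# Self-test on constructed data (not real libraries): one temp file embeds the
# signature bytes (octal escapes) between filler, the other does not.
selftest() {
    with_sig=$(mktemp) && without_sig=$(mktemp) || return 2
    printf 'filler' > "$without_sig"
    printf 'filler\363\017\036\372\125\110\211\365\114\211\316\123\211\373\201\347\000\000\000\200\110\203\354\050\110\211\124\044\030\110\211\114\044\020filler' > "$with_sig"
    if liblzma_has_signature "$with_sig"; then hit=1; else hit=0; fi
    if liblzma_has_signature "$without_sig"; then clean=0; else clean=1; fi
    rm -f "$with_sig" "$without_sig"
    [ "$hit" -eq 1 ] && [ "$clean" -eq 1 ] \
        && xz_version_affected "xz (XZ Utils) 5.6.1" \
        && ! xz_version_affected "xz (XZ Utils) 5.4.6"
}

if selftest; then
    echo "self-test OK (signature and version matching work on this host)"
    check_host
else
    echo "self-test FAILED: check that od, tr and grep behave as expected" >&2
    exit 1
fi
```

Run it as-is on a host, or paste the body into the Ansible shell task from the thread. A signature hit is decisive; a miss only means that this particular byte sequence is absent, since it matches one known build of the backdoored function, so the version result and your distribution's own advisory should still be consulted.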

Sir, I ran the script and it prints "Probably not vulnerable (liblzma not found)". I guess there is no vulnerability.

Some people may want to check in bulk with Ansible, so I'm leaving the task below. It prints the output to the console.

cve-2024-3094.yml

- hosts: all
  tasks:
  - name: Run CVE-2024-3094 vulnerability check script
    shell: |
      set -eu

      echo "Checking system for CVE-2024-3094 Vulnerability..."
      echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

      # find path to liblzma used by sshd
      # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
      sshd_path=$(whereis -b sshd | awk '{print $2}')
      path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1)

      if [ -z "$path" ]; then
          echo
          # exiting here also skips the xz version check below
          echo "Probably not vulnerable (liblzma not found)"
          exit 0
      fi

      # check for function signature
      # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
      echo
      echo "Checking for function signature in liblzma..."
      if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
          echo "Function signature in liblzma: VULNERABLE"
      else
          echo "Function signature in liblzma: OK"
      fi

      # check xz version
      echo
      echo "Checking xz version..."
      xz_version=$(xz --version | head -n1 | awk '{print $4}')
      if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then
          echo "xz version $xz_version: VULNERABLE"
      else
          echo "xz version $xz_version: OK"
      fi
    args:
      # the script uses [[ ]], so run it with bash instead of the module's default /bin/sh
      executable: /bin/bash
    # read-only check: never report the host as changed
    changed_when: false
    register: script_output

  - debug:
      var: script_output.stdout_lines

Usage

ansible-playbook cve-2024-3094.yml -i inventory --private-key ~/.ssh/servers 
4 Likes

No issues are seen.

2 Likes