CVE-2024-3094 PoC — Xz: malicious code in distributed source

Source

https://github.com/zgimszhd61/cve-2024-3094-detect-tool

Associated Vulnerability

Title:Xz: malicious code in distributed source (CVE-2024-3094)
Description:Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Readme

# CVE-2024-3094（XZ后门）检测器

## 概览

该工具检查本地机器是否同时满足以下两个条件：易受CVE-2024-3094（SSH负载能够运行）的攻击，以及当前受CVE-2024-3094（已安装恶意版本的XZ）的影响。

只有**两个条件都满足**时，机器才可能受CVE-2024-3094的影响。

### 恶意XZ/LZMA检查

该工具检查机器上当前是否安装了恶意版本的`xz`或`liblzma`。该检查是静态进行的，不需要运行`xz`二进制文件。

### 易受攻击的SSH检查

该工具检查当前安装的SSH服务器（`sshd`）是否链接到`liblzma`。不链接到lzma的SSH服务器不会受CVE-2024-3094的影响，因为后门永远不会激活。

## 要求

使用`strings`工具（`binutils`的一部分）

```
sudo apt install binutils
```

## 使用方法

```bash
./cve-2024-3094-detector.sh
```

该工具将检查上一节中提到的前提条件。

File Snapshot


 [4.0K]  /data/pocs/2116ea5aae363431408a88c116a77d6d141f0835
├── [3.7K]  cve-2024-3094-detector.sh
├── [ 11K]  LICENSE
└── [ 924]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!