
CVE-2024-3094 PoC — Xz: malicious code in distributed source

Associated Vulnerability
Title: Xz: malicious code in distributed source (CVE-2024-3094)
Description: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Description
An Ansible Role that installs the xz backdoor (CVE-2024-3094) on a Debian host and optionally installs the xzbot tool.
Readme
# Ansible Role: xz backdoor (CVE-2024-3094) (for [Ludus](https://ludus.cloud))

An Ansible Role that installs the [xz backdoor (CVE-2024-3094)](https://www.openwall.com/lists/oss-security/2024/03/29/4) on a Debian host and optionally installs the [xzbot](https://github.com/amlweems/xzbot) tool.

> [!WARNING]
> This role deploys malware on purpose!
> Without exposing the host to the internet you *should* be safe, but it's still malware. Be careful.

![demo](demo.jpeg)

## Requirements

Debian-based OS

## Role Variables

Available variables are listed below, along with default values (see `defaults/main.yml`):

    # Install the xzbot cli tool used to send commands to the backdoor. It is installed to /usr/bin/xzbot
    ludus_xz_backdoor_install_xzbot: true
    # Install the xz backdoor library by linking it to liblzma.so.5 used by the system and rebooting
    ludus_xz_backdoor_install_backdoor: true
    # Remove the backdoor by replacing the symlink to liblzma.so.5 with the original and rebooting
    ludus_xz_backdoor_uninstall_backdoor: false
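
As an added example that is not part of this role or of xzbot: a read-only shell check for the lab host that reports whether the loaded liblzma is one of the affected xz releases (5.6.0 or 5.6.1) and whether the `liblzma.so.5` symlink the role repoints still resolves to a dpkg-owned file. It assumes a Debian host with `dpkg`, `ldconfig` and `xz` on the path; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the role: read-only check that a lab host runs a
# liblzma from an affected xz release (5.6.0 / 5.6.1) or has had its
# liblzma.so.5 symlink redirected away from the dpkg-installed file, which is
# how the role installs (and uninstalls) the backdoor. Assumes Debian tooling.

# 0 when the version is one of the two upstream releases that shipped the backdoor.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the liblzma version out of `xz --version` output
# ("xz (XZ Utils) 5.6.1" / "liblzma 5.6.1" -> "5.6.1"); empty if absent.
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Path the dynamic loader resolves liblzma.so.5 to (empty if not registered).
liblzma_loader_path() {
    ldconfig -p 2>/dev/null | awk '/liblzma\.so\.5 / { print $NF; exit }'
}

# 0 when the file behind the symlink is still owned by a dpkg package; the
# role points the symlink at its own library, so dpkg -S fails for it.
liblzma_owned_by_dpkg() {
    target=$(readlink -f "$1") && [ -n "$target" ] || return 1
    dpkg -S "$target" >/dev/null 2>&1
}

check_host() {
    lib=$(liblzma_loader_path)
    ver=$(liblzma_version_from_output "$(xz --version 2>/dev/null)")
    status=0
    if xz_version_affected "$ver"; then
        echo "WARN: liblzma $ver is an affected xz release"; status=1
    fi
    if [ -n "$lib" ] && ! liblzma_owned_by_dpkg "$lib"; then
        echo "WARN: $lib -> $(readlink -f "$lib") is not owned by a dpkg package"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: liblzma ${ver:-unknown} at ${lib:-?} looks untouched"
    return "$status"
}

# Only touch the live system when asked; the functions above can be sourced alone.
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as `sh xz-check.sh --check` on the range VM before and after toggling `ludus_xz_backdoor_uninstall_backdoor`; without the flag it only defines the functions.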

## Dependencies

None.

## Example Playbook

```yaml
- hosts: xz_backdoor_hosts
  roles:
    - badsectorlabs.ludus_xz_backdoor
  vars:
    ludus_xz_backdoor_install_xzbot: true
    ludus_xz_backdoor_install_backdoor: true
```

## Example Ludus Range Config

```yaml
ludus:
  - vm_name: "{{ range_id }}-xz-backdoor"
    hostname: "{{ range_id }}-xz-backdoor"
    template: debian-12-x64-server-template
    vlan: 10
    ip_last_octet: 2
    ram_gb: 2
    cpus: 2
    linux: true
    roles:
      - badsectorlabs.ludus_xz_backdoor
    role_vars:
      ludus_xz_backdoor_install_xzbot: true
      ludus_xz_backdoor_install_backdoor: true
```

## License

GPLv3

## Author Information

This role was created by [Bad Sector Labs](https://github.com/badsectorlabs), for [Ludus](https://ludus.cloud/).
File Snapshot

[4.0K] /data/pocs/6c397ee04ce333d14b32dd10d6a18322cda39e32
├── [4.0K] defaults
│   └── [ 127] main.yml
├── [425K] demo.jpeg
├── [4.0K] files
│   └── [3.2M] xzbot
├── [ 34K] LICENSE
├── [ 368] ludus-config.yml
├── [4.0K] meta
│   └── [ 685] main.yml
├── [1.8K] README.md
└── [4.0K] tasks
    ├── [4.3K] download_file.yml
    ├── [1.2K] install_backdoor.yml
    ├── [1.2K] main.yml
    └── [ 745] uninstall_backdoor.yml

4 directories, 11 files