¡¾Îó²îͨ¸æ¡¿XZ-Utils¹©Ó¦Á´ºóÃÅÎó²î£¨CVE-2024-3094£©

Ðû²¼Ê±¼ä 2024-03-30


Ò»¡¢Îó²î¸ÅÊö

Îó²îÃû³Æ

      XZ-Utils¹©Ó¦Á´ºóÃÅÎó²î

CVE   ID

CVE-2024-3094

Îó²îÀàÐÍ

ºóÃÅÎó²î

·¢Ã÷ʱ¼ä

2024-03-30

Îó²îÆÀ·Ö

10.0

Îó²îÆ·¼¶

ÑÏÖØ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ʹÓÃÄѶÈ

µÍ

Óû§½»»¥

ÎÞ

PoC/EXP

ÒѹûÕæ

ÔÚҰʹÓÃ

δ֪

 

XZ-UtilsÊÇLinux/UnixϵͳÖÐÓÃÓÚ´¦Öóͷ£.xzºÍ.lzmaÎļþµÄÏÂÁîÐÐѹËõ¹¤¾ß£¬£¬£¬£¬£¬¼¯³ÉÁËliblzmaµÈ×é¼þ¡£¡£¡£¡£¡£¡£¡£

2024Äê3ÔÂ30ÈÕ£¬£¬£¬£¬£¬ÍòÀû¹ú¼Ê¹ÙÍøVSRC¼à²âµ½ÍâÑóÇå¾²Ñо¿Ô±Ðû²¼ÐÂÎÅ£¬£¬£¬£¬£¬ÔÚxz-utilsÈí¼þ°ü5.6.0µ½5.6.1°æ±¾ÖУ¬£¬£¬£¬£¬±£´æ¹©Ó¦Á´¹¥»÷¼°Ö²ÈëºóÃÅΣº¦£¬£¬£¬£¬£¬Îó²î±àºÅΪCVE-2024-3094£¬£¬£¬£¬£¬Îó²îµÄCVSSÆÀ·ÖΪ10.0¡£¡£¡£¡£¡£¡£¡£

3ÔÂ29ÈÕ£¬£¬£¬£¬£¬Î¢ÈíPostgreSQL¿ª·¢Ö°Ô±Andres FreundÔÚÊÓ²ìSSHÐÔÄÜÎÊÌâʱ£¬£¬£¬£¬£¬ÔÚ¿ªÔ´Çå¾²ÓʼþÁбíÖз¢Ìû³Æ£¬£¬£¬£¬£¬ËûÔÚxzÈí¼þ°üÖз¢Ã÷ÁËÒ»¸öÉæ¼°»ìÏý¶ñÒâ´úÂëµÄ¹©Ó¦Á´¹¥»÷¡£¡£¡£¡£¡£¡£¡£¶ñÒâ´úÂëÐÞ¸ÄÁËliblzma´úÂëÖеĺ¯Êý£¬£¬£¬£¬£¬¸Ã´úÂëÊÇ XZ UtilsÈí¼þ°üµÄÒ»²¿·Ö¡£¡£¡£¡£¡£¡£¡£ÓÉÓÚSSHµ×²ãÒÀÀµÁËliblzmaµÈ×é¼þ£¬£¬£¬£¬£¬¹¥»÷Õß¿ÉÄÜʹÓÃÕâÒ»Îó²îÆÆËðsshdÈÏÖ¤£¬£¬£¬£¬£¬²¢Ô¶³Ì»ñÈ¡¶ÔÕû¸öϵͳµÄδÊÚȨ»á¼û¡£¡£¡£¡£¡£¡£¡£


¶þ¡¢Ó°Ïì¹æÄ£

XZ Utils == 5.6.0

XZ Utils == 5.6.1

ÒÑÖªÒÔÏÂLinux¿¯Ðа棨²¿·Ö£©¿ÉÄÜÊܸÃÎó²îÓ°Ï죺

ÊÜÓ°Ïì²úÆ·/ϵͳ°æ±¾

²Î¿¼Á´½Ó

Fedora   Rawhide

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Fedora   41

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Debian   ²âÊÔ¡¢²»Îȹ̺ÍʵÑ鿯Ðаæ5.5.1alpha-0.1 - 5.6.1-1

https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE   Tumbleweed / openSUSE MicroOS £¨3 Ô 7 ÈÕÖÁ3ÔÂ28ÈÕʱ´ú£¬£¬£¬£¬£¬Tumbelweed   ºÍ MicroOS ÖаüÀ¨ÁË xz µÄºóÃÅ°æ±¾£©

https://news.opensuse.org/2024/03/29/xz-backdoor/

Kali   Linux£¨3ÔÂ26ÈÕÖÁ3ÔÂ28ÈÕʱ´ú¿¯ÐеÄxz-utils   5.6.0-0.2£©

https://www.kali.org/blog/about-the-xz-backdoor/

Arch   Linux

https://security.archlinux.org/CVE-2024-3094

MACOS   HomeBrew x64


Alpine   Linux Edge

https://security.alpinelinux.org/vuln/CVE-2024-3094

 

ÏÖÔÚÒÑÖªFedora 40¡¢RedHat ËùÓа汾¡¢Debian ËùÓÐÎȹ̰桢SUSEËùÓа汾µÈLinux¿¯Ðа治Ò×Êܵ½Ó°Ïì¡£¡£¡£¡£¡£¡£¡£ÏêϸÊÜÓ°Ïìϵͳ¼°zx°æ±¾¿É²Î¿¼£º

https://repology.org/project/xz/versions

 

 

Èý¡¢Çå¾²²½·¥

3.1 ¼ì²â

1.Óû§¿ÉÒÔͨ¹ýÖ´ÐÐÒÔÏÂÏÂÁîÅжÏʹÓõÄxzÊÇ·ñΪÊÜÓ°ÏìµÄ°æ±¾£º

xz ¨Cversion


2.Ò²¿ÉʹÓÃÈçϾ籾¼ì²éϵͳÊÇ·ñ±»Ñ¬È¾ºóÃÅ£º

#! /bin/bash

set -eu

# find path to liblzma used by sshd

path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"

 

# does it even exist?

if [ "$path" == "" ]

then

  echo probably not vulnerable

  exit

fi

 

# check for function signature

if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410

then

  echo probably vulnerable

else

  echo probably not vulnerable

fi

Á´½Ó£º

https://github.com/byinarie/CVE-2024-3094-info/blob/main/xz_cve-2024-3094-detect.sh

 

3. CVE-2024-3094µÄYara¹æÔò£º

rule BKDR_XZUtil_Script_CVE_2024_3094_Mar24_1 {

   meta:

      description = "Detects make file and script contents used by the backdoored XZ library (xzutil) CVE-2024-3094."

      author = "Florian Roth"

      reference = "https://www.openwall.com/lists/oss-security/2024/03/29/4"

      date = "2024-03-30"

      score = 80

      hash = "d44d0425769fa2e0b6875e5ca25d45b251bbe98870c6b9bef34f7cea9f84c9c3"

   strings:

      $x1 = "/bad-3-corrupt_lzma2.xz | tr " ascii

      $x2 = "/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|" ascii

      $x3 = "eval $zrKcKQ" ascii

   condition:

      1 of them

}

 

rule BKDR_XZUtil_Binary_CVE_2024_3094_Mar24_1 {

   meta:

      description = "Detects injected code used by the backdoored XZ library (xzutil) CVE-2024-3094."

      author = "Florian Roth"

      reference = "https://www.openwall.com/lists/oss-security/2024/03/29/4"

      date = "2024-03-30"

      score = 75

      hash1 = "319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae"

      hash2 = "605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4"

      hash3 = "8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd"

      hash4 = "b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963"

      hash5 = "cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537"

      hash6 = "5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049"

   strings:

      $op1 = { 48 8d 7c 24 08 f3 ab 48 8d 44 24 08 48 89 d1 4c 89 c7 48 89 c2 e8 ?? ?? ?? ?? 89 c2 }

      $op2 = { 31 c0 49 89 ff b9 16 00 00 00 4d 89 c5 48 8d 7c 24 48 4d 89 ce f3 ab 48 8d 44 24 48 }

      $op3 = { 4d 8b 6c 24 08 45 8b 3c 24 4c 8b 63 10 89 85 78 f1 ff ff 31 c0 83 bd 78 f1 ff ff 00 f3 ab 79 07 }

 

      /* function signature from detect.sh provided by Vegard Nossum */

      $xc1 = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 }

   condition:

      uint16(0) == 0x457f

      and (

         all of ($op*)

         or $xc1

      )

}

 

rule BKDR_XZUtil_KillSwitch_CVE_2024_3094_Mar24_1 {

   meta:

      description = "Detects kill switch used by the backdoored XZ library (xzutil) CVE-2024-3094."

      author = "Florian Roth"

      reference = "https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01?permalink_comment_id=5006558#gistcomment-5006558"

      date = "2024-03-30"

      score = 85

   strings:

      $x1 = "yolAbejyiejuvnup=Evjtgvsh5okmkAvj"

   condition:

      $x1

}

Á´½Ó£º

https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar

3.2 Éý¼¶°æ±¾

ÈôÊÇÈ·ÈÏÊÜÓ°Ï죬£¬£¬£¬£¬¿É½«XZ Utils½µ¼¶µ½Î´ÊÜÓ°ÏìµÄ°æ±¾£¬£¬£¬£¬£¬ÈçXZ Utils 5.4.6 Stable¡£¡£¡£¡£¡£¡£¡£

×¢£ºÏÖÔÚhttps://github.com/tukaani-project/xz´æ´¢¿âÒѱ»½ûÓᣡ£¡£¡£¡£¡£¡£

3.3 ͨÓý¨Òé

l  °´ÆÚ¸üÐÂϵͳ²¹¶¡£¬£¬£¬£¬£¬ïÔ̭ϵͳÎó²î£¬£¬£¬£¬£¬ÌáÉýЧÀÍÆ÷µÄÇå¾²ÐÔ¡£¡£¡£¡£¡£¡£¡£

l  ÔöǿϵͳºÍÍøÂçµÄ»á¼û¿ØÖÆ£¬£¬£¬£¬£¬Ð޸ķÀ»ðǽսÂÔ£¬£¬£¬£¬£¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻòЧÀÍ£¬£¬£¬£¬£¬ïÔÌ­½«Î£ÏÕЧÀÍ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬£¬£¬£¬£¬ïÔÌ­¹¥»÷Ãæ¡£¡£¡£¡£¡£¡£¡£

l  ʹÓÃÆóÒµ¼¶Çå¾²²úÆ·£¬£¬£¬£¬£¬ÌáÉýÆóÒµµÄÍøÂçÇå¾²ÐÔÄÜ¡£¡£¡£¡£¡£¡£¡£

l  ÔöǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬£¬£¬£¬£¬ÆôÓöàÒòËØÈÏÖ¤»úÖƺÍ×îСȨÏÞÔ­Ôò£¬£¬£¬£¬£¬Óû§ºÍÈí¼þȨÏÞÓ¦¼á³ÖÔÚ×îµÍÏ޶ȡ£¡£¡£¡£¡£¡£¡£

l  ÆôÓÃÇ¿ÃÜÂëÕ½ÂÔ²¢ÉèÖÃΪ°´ÆÚÐ޸ġ£¡£¡£¡£¡£¡£¡£

3.4 ²Î¿¼Á´½Ó

https://access.redhat.com/security/cve/CVE-2024-3094 

https://bugzilla.redhat.com/show_bug.cgi?id=2272210  

https://www.openwall.com/lists/oss-security/2024/03/29/4  

https://www.kaspersky.com/blog/cve-2024-3094-vulnerability-backdoor/50873/

https://tukaani.org/xz-backdoor/

 


ËÄ¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2024-03-30

Ê×´ÎÐû²¼

V1.1

2024-03-30

ÐÂÔö¼ì²â¾ç±¾¡¢ÊÜÓ°Ïìϵͳ°æ±¾

V1.2

2024-04-01

ÐÂÔöYara¹æÔò¡¢¸üÐÂÎó²îÐÅÏ¢¡¢Éý¼¶°æ±¾µÈ



Îå¡¢¸½Â¼

5.1 ÍòÀû¹ú¼Ê¹ÙÍø¼ò½é

ÍòÀû¹ú¼Ê¹ÙÍø½¨ÉèÓÚ1996Ä꣬£¬£¬£¬£¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ½¨ÉèµÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Çå¾²¸ß¿Æ¼¼ÆóÒµ¡£¡£¡£¡£¡£¡£¡£ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·¡¢Ç徲ЧÀͽâ¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£¡£¡£¡£¡£¡£¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°ÍòÀû¹ú¼Ê¹ÙÍø´óÏ㬣¬£¬£¬£¬¹«Ë¾Ô±¹¤6000ÓàÈË£¬£¬£¬£¬£¬Ñз¢ÍŶÓ1200ÓàÈË, ÊÖÒÕЧÀÍÍŶÓ1300ÓàÈË¡£¡£¡£¡£¡£¡£¡£ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬£¬£¬£¬£¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ¡£¡£¡£¡£¡£¡£¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС£¡£¡£¡£¡£¡£¡££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´£¬£¬£¬£¬£¬ÍòÀû¹ú¼Ê¹ÙÍøÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ùЧÀÍ£¬£¬£¬£¬£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬£¬£¬£¬£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·Åƶø²»Ð¸Æ𾢡£¡£¡£¡£¡£¡£¡£

5.2 ¹ØÓÚÍòÀû¹ú¼Ê¹ÙÍø

ÍòÀû¹ú¼Ê¹ÙÍøÇå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑÐû²¼1000¶à¸öÎó²îͨ¸æºÍΣº¦Ô¤¾¯£¬£¬£¬£¬£¬ÎÒÃǽ«Ò»Á¬¸ú×ÙÈ«Çò×îеÄÍøÂçÇå¾²ÊÂÎñºÍÎó²î£¬£¬£¬£¬£¬ÎªÆóÒµµÄÐÅÏ¢Çå¾²±£¼Ý»¤º½¡£¡£¡£¡£¡£¡£¡£

¹Ø×¢ÎÒÃÇ£º

image.png