Skip to content

Latest commit

 

History

History
59 lines (42 loc) · 1.86 KB

README.md

File metadata and controls

59 lines (42 loc) · 1.86 KB

xz backdoor container image

The container image of xz backdoor (CVE-2024-3094) based on an amazing work from @amlweems's xzbot project that can be run on both x86_64 and Apple Silicon (via QEMU or rosetta).

THIS IS FOR LEARNING PURPOSE ONLY!

Demo

xz-backdoor demo

Overview

The xz-backdoor container images don't rely on systemd due to the fact that the exploit can be triggered with only just sshd if certain conditions are met. As a result, it allows us to start the container without --privileged flag which is considered insecure.

Versions

Both versions of the xz-backdoor are available as image tags.

  • 5.6.0
  • 5.6.1 (latest)

Getting started

Prerequisites

Usage

1. Start the container image

Tip

A specific version of liblzma can be specified via image tag e.g. rezigned/xz-backdoor:5.6.0.

docker run --rm -it -d \
  --name xz-backdoor \
  --platform linux/amd64 \
  rezigned/xz-backdoor:latest

2. Run a command via xzbot

Note

The output of the default command (id) is redirected to /tmp/.xz.

See https://github.com/amlweems/xzbot for more details.

# default command `id > /tmp/.xz`
docker exec -it `docker ps -f name=xz-backdoor -q` ./xzbot

# custom command
docker exec -it `docker ps -f name=xz-backdoor -q` ./xzbot -cmd "uname -a > /tmp/.xz"

Acknowledgements