增加CVE-2024-3094 poc

2024-04-02 10:37:31 +08:00 · 2024-04-02 10:37:31 +08:00 · 6fbee44301
parent 0e8574763e
commit 6fbee44301
3 changed files with 96 additions and 0 deletions
--- a/data/SystemPocs/CVE-2024-3094/CVE-2024-3094.sh
+++ b/data/SystemPocs/CVE-2024-3094/CVE-2024-3094.sh
@ -0,0 +1,47 @@
 #!/bin/bash
 # script to detect CVE-2024-3094
 # original script:
 # https://www.openwall.com/lists/oss-security/2024/03/29/4
 # modified (fixed and features added) by cyclone
 # https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh
 # tested on debian
 # https://nvd.nist.gov/vuln/detail/CVE-2024-3094
 # https://github.com/advisories/GHSA-rxwq-x6h5-x525
 # v1.0.0; 2024-03-29
 #set -eu
 #clear
 #echo "Checking system for CVE-2024-3094 Vulnerability..."
 #echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"
 # find path to liblzma used by sshd
 # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
 sshd_path=$(whereis -b sshd | awk '{print $2}')
 path=$(ldd "$sshd_path" 2>/dev/null | grep liblzma | awk '{print $3}' | head -n 1)
 if [ -z "$path" ]; then
 #echo
 #echo "Probably not vulnerable (liblzma not found)"
 echo fail
 exit
 fi
 # check for function signature
 # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
 #echo
 #echo "Checking for function signature in liblzma..."
 if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
 #echo "Function signature in liblzma: VULNERABLE"
 echo successfully
 else
 #echo "Function signature in liblzma: OK"
 echo fail
 fi
--- a/data/SystemPocs/CVE-2024-3094/CVE-2024-3094.yaml
+++ b/data/SystemPocs/CVE-2024-3094/CVE-2024-3094.yaml
@ -0,0 +1,47 @@
 FormatVer: 20240330
 Id: CVE-2024-3094
 Author: liwenjie@kylinos.cn
 Belong: system
 Package: xz-utils
 BugID: 
 PocHazardLevel: low
 Source: 
 SiteInfo:
    Name: liblzma/xz官方库被植入后门漏洞
    Severity: high
    Description: 
        xz-utils软件包5.6.0到5.6.1版本中，存在被供应链攻击并植入后门风险（https://www.openwall.com/lists/oss-security/2024/03/29/4）。该后门可能会允许恶意行为者破坏sshd身份验证，从而允许对整个系统进行远程未经授权的访问。
    ScopeOfInfluence:
        5.6.0<=xz-utils<=5.6.1
    References:
        - 
    SiteClassification:
        CvssMetrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
        CvssScore: 10
        CveId: None
        CweId: None
        CnvdId: None
        KveId: CVE-2024-3094
    Tags: 
        - 后门
 SiteRequests:
    Implement: 
        ImArray:
            - inter : bash
              InterArgs :
              Exec : CVE-2024-3094.sh
        ExpireTime: 35   #second
        # < input
        # > output 
        # . wait
        # ? condition
        # : content
        #
        #组合起来
        # >. 等待直到输出 
        # << 输入字符
        # >?判断条件
        Inter:
            - ">?:successfully" #ture
        Condition: None
--- a/data/SystemPocs/SystemPocs.yaml
+++ b/data/SystemPocs/SystemPocs.yaml
@ -33,3 +33,5 @@ ExplorerItems:
    - ConfigFile: CVE-2023-0054/CVE-2023-0054.yaml
    - ConfigFile: CVE-2023-0051/CVE-2023-0051.yaml
    - ConfigFile: CVE-2023-0288/CVE-2023-0288.yaml
    #
    - ConfigFile: CVE-2024-3094/CVE-2024-3094.yaml