Merge pull request #9458 from projectdiscovery/CVE-2024-3094

Added local check for CVE-2024-3094
2024-04-10 12:07:23 +05:30 · 2024-04-10 12:07:23 +05:30 · 999de7f47b
parent a6ce78d54f 76c223d190
commit 999de7f47b
1 changed files with 61 additions and 0 deletions
--- a/code/cves/2024/CVE-2024-3094.yaml
+++ b/code/cves/2024/CVE-2024-3094.yaml
@ -0,0 +1,61 @@
+id: CVE-2024-3094
+
+info:
+  name: XZ - Embedded Malicious Code
+  author: pdteam
+  severity: critical
+  description: |
+    Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
+  reference:
+    - https://www.openwall.com/lists/oss-security/2024/03/29/4
+    - https://access.redhat.com/security/cve/CVE-2024-3094
+    - https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
+    - https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2272210
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10
+    cve-id: CVE-2024-3094
+    cwe-id: CWE-506
+    epss-score: 0.00079
+    epss-percentile: 0.32887
+    cpe: cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: tukaani
+    product: xz
+  tags: cve,cve2024,local,code,xz,backdoor
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      # find path to liblzma used by sshd
+      path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"
+
+      # does it even exist?
+      if [ "$path" == "" ]
+      then
+        echo probably not vulnerable
+        exit
+      fi
+
+      # check for function signature
+      if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
+      then
+        echo probably vulnerable
+      else
+        echo probably not vulnerable
+      fi
+
+    matchers:
+      - type: word
+        words:
+          - "probably vulnerable"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - response