Xzbot: Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • xzbot

    notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

  • Instead of needing the honeypot openssh.patch at compile-time https://github.com/amlweems/xzbot/blob/main/openssh.patch

    How did the exploit do this at runtime?

    I know the chain was:

    opensshd -> systemd for notifications -> xz included as transient dependency

    How did liblzma.so.5.6.1 hook all the way back to openssh_RSA_verify when it was loaded into memory?

  • signature-base

    YARA signature and IOC database for my scanners and tools

  • > It doesn't matter.

    To understand the exact behavior and extent of the backdoor, this does matter. An end-to-end proof of how it works is exactly what was needed.

    > A way to check if servers are vulnerable is probably by querying the package manager

    Yes, this has been known since the initial report + later discovering what exact strings are present for the payload.

    https://github.com/Neo23x0/signature-base/blob/master/yara/b...

    > Not very sophisticated, but it'll work.

    Unfortunately, we live in a world with closed servers and appliances - being able, as a customer or pen tester, to rule out a certain class of security issues without having the source/insights available is usually desirable.

  • pam_2fa

    2nd factor authentication using PAM

  • knockknock

    A simple, secure, and stealthy port knocking implementation that does not use libpcap or bind to a socket interface.

  • It's old and there are probably friendlier options out there now, but

    https://github.com/moxie0/knockknock/blob/master/INSTALL

    https://hn.algolia.com/?query=port%20knocking%20obscurity&ty...
