
XZ Outbreak CVE-2024-3094

  • CVSS score: 10 (maximum)

  • Affects XZ Utils versions 5.6.0 and 5.6.1

What is XZ Utils?

XZ Utils is a collection of open-source tools and libraries for the XZ compression format. It provides a high compression ratio and supports multiple compression algorithms, notably LZMA2.

What happened? (Why is it that the exploit could take place even though it's an open-source project?)

Started by Social Engineering

The project's maintainer was overwhelmed with work and needed help. Multiple comments were made that the maintainer was not following up and was slow (which added pressure on the maintainer). The attacker saw this as an opportunity and offered to help, and the offer was accepted.

Github Repository

Two compressed test files containing the malicious binary code were committed to the project.

How is the payload being compiled?

The binary test files are injected into the build process; when they are de-obfuscated, they turn into bash scripts. These bash scripts unwrap multiple layers of hidden data inside one of the large compressed LZMA files, extract the malicious object file, and make it part of the build process. As a result, the linker depends on the malicious object file at compile time.

What system does it affect?

  • x86-64 (Debian & RPM-based systems)

  • Distributions with glibc (for IFUNC)

What does the payload do?

The payload stays dormant unless a specific third-party patch to the SSH server (sshd) is used. Under the right conditions, it enables an attacker to bypass sshd authentication and gain unauthorised remote access to the system.
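The two preconditions above (an affected XZ Utils release, and an sshd that reaches liblzma because the distribution's systemd-notification patch links it against libsystemd) are what a responder checks first. The following triage script is an added example, not code from the original page or from the XZ project; it assumes a Debian/RPM-style x86-64 host with xz and sshd on PATH, and it modifies nothing.

```shell
#!/bin/sh
# Added example (not from the original page): defender-side triage for
# CVE-2024-3094. Flags the two affected XZ Utils releases (5.6.0 and 5.6.1)
# and reports whether the local sshd is dynamically linked against liblzma,
# which is the precondition for the dormant payload to be reachable at all.

# Return 0 (true) when the xz version string is one of the backdoored
# releases, 1 otherwise. Prefix matching keeps "5.6.1-1" style package
# suffixes inside the affected set.
is_affected_version() {
    case "$1" in
        5.6.0*|5.6.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when an ldd listing (passed as a string) shows liblzma among the
# shared objects, 1 otherwise. Kept separate from the live ldd call so it can
# be exercised against captured output.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Extract the version token from `xz --version` banner text such as
# "xz (XZ Utils) 5.6.1". Takes the banner text as its argument.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Live check against the local host: prints findings and never exits
# non-zero, so it is safe to run under `set -e`.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
        if is_affected_version "$ver"; then
            echo "WARNING: xz $ver is an affected release (CVE-2024-3094)"
        else
            echo "xz $ver is not one of the affected releases"
        fi
    else
        echo "xz not installed"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null || true)"; then
        echo "NOTE: $sshd_path links liblzma; the sshd payload path is reachable"
    else
        echo "sshd not found or does not link liblzma"
    fi
}

check_host
```

A host that reports both an affected release and an sshd linking liblzma should be isolated and downgraded to the distribution's pre-5.6.0 package before anything else.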

Interview Questions

  • What do you think can be done to ensure the security of open source projects?

  • If you were responsible for responding to an incident like CVE-2024-3094, what immediate steps would you take to mitigate the threat?

  • How important is it for security professionals to understand the software build process and third-party dependencies? Why?

Author

Tian Le

References:

  • https://en.wikipedia.org/wiki/XZ_Utils_backdoor
  • https://www.youtube.com/watch?v=0pT-dWpmwhA
  • https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27