Modified version of "detect.sh" from https://www.openwall.com/lists/oss-security/2024/03/29/4 to check if system has xz backdoor
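#!/usr/bin/env sh
# modified version of "detect.sh" from https://www.openwall.com/lists/oss-security/2024/03/29/4
#
# Checks whether the liblzma that sshd is dynamically linked against contains
# the byte signature published with the xz backdoor report linked above.
#
# Exit status:
#   0  the check ran; read the printed verdict
#   2  the check could not be performed (sshd, ldd, hexdump or the library
#      was unavailable), so no verdict is given
#
# Limits: this is a single-signature match. A hit is a strong indicator, but
# a miss only means this exact byte sequence is absent from the library that
# was inspected. Confirm the installed xz/liblzma version with the package
# manager as well (the advice printed below treats 5.6.0 and 5.6.1 as the
# affected releases).
set -eu

# Report why the check could not run and stop with status 2, so that a failed
# check is never mistaken for a "probably safe" verdict.
die() {
  printf '%s\n' "$*" >&2
  exit 2
}

command -v ldd >/dev/null 2>&1 || die "ldd not found; cannot perform the check"
command -v hexdump >/dev/null 2>&1 || die "hexdump not found; cannot perform the check"

# Locate sshd. It normally lives in an sbin directory that is often missing
# from an unprivileged user's PATH, so fall back to the usual locations.
sshd_bin="$(command -v sshd 2>/dev/null || true)"
if [ -z "$sshd_bin" ]; then
  for candidate in /usr/sbin/sshd /usr/local/sbin/sshd /sbin/sshd; do
    if [ -x "$candidate" ]; then
      sshd_bin="$candidate"
      break
    fi
  done
fi
[ -n "$sshd_bin" ] || die "sshd not found; cannot perform the check"

# find path to liblzma dep for sshd (empty if not found)
# ldd is run on its own first so that its failure is reported instead of
# being read as "no liblzma dependency".
ldd_out="$(ldd "$sshd_bin")" || die "ldd could not inspect $sshd_bin; cannot perform the check"
path_to_lib="$(printf '%s\n' "$ldd_out" | grep liblzma | grep -o '/[^ ]*' | head -n 1)"

if [ -z "$path_to_lib" ]; then
  echo "your sshd does not depend on liblzma"
  echo "probably safe"
  exit 0
fi

[ -r "$path_to_lib" ] || die "cannot read $path_to_lib; cannot perform the check"

# compare function signature with known backdoor signature
sign="f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"

# The whole library is rendered as one continuous lowercase hex string, so the
# signature is matched as a fixed string (-F) regardless of byte alignment.
if hexdump -ve '1/1 "%.2x"' "$path_to_lib" | grep -qF -- "$sign"; then
  echo "backdoor signature found"
  echo "probably vulnerable"
  echo "either update xz > 5.6.1 or downgrade to < 5.6.0"
else
  echo "backdoor signature not found"
  echo "probably safe"
fi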