Skip to content

Instantly share code, notes, and snippets.

@darkerego

darkerego/CVE-2024-3094_check.sh

Created March 29, 2024 19:07
Show Gist options
  • Save darkerego/b8fe6b2ebf2949b5dbfa1593204ae659 to your computer and use it in GitHub Desktop.
Save darkerego/b8fe6b2ebf2949b5dbfa1593204ae659 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
CVE-2024-3094_check.sh
#! /bin/bash
# Modified to run both (redudantly, yes, I know, I am paranoid, you should be too) checks
#
set -eu
# find path to liblzma used by sshd
path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"
echo 'Check one: does it even exist?'
# does it even exist?
if [ "$path" == "" ]
then
echo probably not vulnerable
# exit
fi
echo 'Check 2: function signature'
# check for function signature
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
echo probably vulnerable
else
echo probably not vulnerable
fi
@darkerego
Copy link
Author

I have updated your script @Sn0w3y with the suggestion of @eliehalimi to not use ldd. Changes I have made are

path_to_sshd=$(which sshd 2>/dev/null)
/lib64/ld-linux-x86-64.so.2 --verify "$path_to_sshd"
linked_sshd_libraries=$(LD_TRACE_LOADED_OBJECTS=1 /lib64/ld-linux-x86-64.so.2 "$path_to_sshd")
path_cve_2024_3094="$(printf "%s" "$linked_sshd_libraries" | grep liblzma | grep -oP '/[^ ]+')"

I did not want to clutter up the comment section. I have put an updated script in my gist here: https://gist.github.com/amaddio/d95391c48562f6f40235ab5e839bc1ee

Great, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment