Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j 代码问题漏洞

Source
https://github.com/boundaryx/cloudrasp-log4j2
Associated Vulnerability
Title:Apache Log4j 代码问题漏洞 (CVE-2021-44228)
Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
一个针对防御 log4j2 CVE-2021-44228 漏洞的 RASP 工具。 A Runtime Application Self-Protection module specifically designed for log4j2 RCE (CVE-2021-44228) defense.
Readme
# CloudArmor · Runtime Application Self-Protection Module - Log4j2 Version

[简体中文](README_ZH.md)

*This project is a local version from CloudArmor specifically built for defending
Log4j2 CVE-2021-44228 . No network connection is required to run this project.*

**Please DO TESTING before deploying it to production environment.**

The application self-defense module uses RASP technology to inject probes into Java applications. The detection of log4j2 is achieved by detecting the execution context, which can also provide protection for non-Web business programs.

The defense module will block JNDI injection initiated through log4j2 by default. 

It is worth noting that although Oracle no longer loads remote classes through JNDI by default in 6u211, 7u201, 8u191, and 11.0.1, attackers have discovered that remote command execution can still be accomplished through third-party components such as tomcat-el. 

## Installation

This project includes two JAR packages, ```rasp-loader.jar``` and ```rasp-core.jar```, which have been compiled to dist.

The self-defense module supports normal and restart-free installation. 

### Normal installation

Append ```-javaagent:rasp-loader.jar``` to Java program startup script argument list

Example: for SpringBoot applications, modify the argument list to append ```java -javaagent:rasp-loader.jar -jar springboot.jar ```


### Restart-free installation

Execute ```java -jar rasp-loader.jar```, and follow the prompts to inject into specific JVM processes 

![img.png](img/1.png)

## Interception test

![img.png](img/2.png)

## Compile from source

Run ```build.sh```

## Compatibility

Support JDK from version 6 to 16
File Snapshot

 [4.0K]  /data/pocs/05aaa614416810cadff761f1090e4bba5c6b186b
├── [ 409]  build.sh
├── [4.0K]  dist
│   ├── [813K]  rasp-core.jar
│   └── [ 12K]  rasp-loader.jar
├── [4.0K]  img
│   ├── [ 18K]  1.png
│   └── [160K]  2.png
├── [ 11K]  LICENSE
├── [1.4K]  pom.xml
├── [4.0K]  rasp-core
│   ├── [1.7K]  dependency-reduced-pom.xml
│   ├── [2.4K]  pom.xml
│   ├── [4.0K]  src
│   │   └── [4.0K]  main
│   │       └── [4.0K]  java
│   │           └── [4.0K]  cn
│   │               └── [4.0K]  boundaryx
│   │                   └── [4.0K]  rasp
│   │                       ├── [4.0K]  analyzer
│   │                       │   └── [ 733]  JndiAnalyzer.java
│   │                       ├── [2.4K]  ClassTransformer.java
│   │                       ├── [4.0K]  exception
│   │                       │   └── [ 319]  RASPSecurityException.java
│   │                       ├── [4.0K]  hooks
│   │                       │   └── [2.7K]  JndiHook.java
│   │                       ├── [ 595]  RASPLauncher.java
│   │                       └── [4.0K]  utils
│   │                           ├── [8.9K]  BytecodeUtils.java
│   │                           └── [2.2K]  StackTrace.java
│   └── [4.0K]  target
│       ├── [4.0K]  classes
│       │   └── [4.0K]  cn
│       │       └── [4.0K]  boundaryx
│       │           └── [4.0K]  rasp
│       │               ├── [4.0K]  analyzer
│       │               │   └── [1.4K]  JndiAnalyzer.class
│       │               ├── [3.1K]  ClassTransformer.class
│       │               ├── [4.0K]  exception
│       │               │   └── [ 499]  RASPSecurityException.class
│       │               ├── [4.0K]  hooks
│       │               │   └── [2.7K]  JndiHook.class
│       │               ├── [ 784]  RASPLauncher.class
│       │               └── [4.0K]  utils
│       │                   ├── [7.0K]  BytecodeUtils.class
│       │                   └── [1.9K]  StackTrace.class
│       ├── [4.0K]  maven-archiver
│       │   └── [ 101]  pom.properties
│       ├── [4.0K]  maven-status
│       │   └── [4.0K]  maven-compiler-plugin
│       │       ├── [4.0K]  compile
│       │       │   └── [4.0K]  default-compile
│       │       │       ├── [ 304]  createdFiles.lst
│       │       │       └── [ 766]  inputFiles.lst
│       │       └── [4.0K]  testCompile
│       │           └── [4.0K]  default-testCompile
│       │               └── [   0]  inputFiles.lst
│       ├── [ 12K]  original-rasp-core.jar
│       └── [813K]  rasp-core.jar
├── [4.0K]  rasp-loader
│   ├── [2.6K]  pom.xml
│   ├── [4.0K]  src
│   │   └── [4.0K]  main
│   │       ├── [4.0K]  java
│   │       │   └── [4.0K]  cn
│   │       │       └── [4.0K]  boundaryx
│   │       │           └── [4.0K]  rasp
│   │       │               ├── [5.9K]  Agent.java
│   │       │               ├── [1.4K]  EntryPoint.java
│   │       │               ├── [1.1K]  RASPJvm.java
│   │       │               ├── [1.2K]  RASPLoader.java
│   │       │               └── [2.4K]  RASPVMLoader.java
│   │       └── [4.0K]  resources
│   │           └── [4.0K]  resources
│   │               └── [1.3K]  logo
│   └── [4.0K]  target
│       ├── [4.0K]  classes
│       │   ├── [4.0K]  cn
│       │   │   └── [4.0K]  boundaryx
│       │   │       └── [4.0K]  rasp
│       │   │           ├── [6.4K]  Agent.class
│       │   │           ├── [2.9K]  EntryPoint.class
│       │   │           ├── [1.6K]  RASPJvm.class
│       │   │           ├── [1.8K]  RASPLoader.class
│       │   │           └── [3.9K]  RASPVMLoader.class
│       │   └── [4.0K]  resources
│       │       └── [1.3K]  logo
│       ├── [4.0K]  maven-archiver
│       │   └── [ 103]  pom.properties
│       ├── [4.0K]  maven-status
│       │   └── [4.0K]  maven-compiler-plugin
│       │       ├── [4.0K]  compile
│       │       │   └── [4.0K]  default-compile
│       │       │       ├── [ 169]  createdFiles.lst
│       │       │       └── [ 509]  inputFiles.lst
│       │       └── [4.0K]  testCompile
│       │           └── [4.0K]  default-testCompile
│       │               └── [   0]  inputFiles.lst
│       ├── [ 12K]  original-rasp-loader.jar
│       └── [ 12K]  rasp-loader.jar
├── [1.6K]  README.md
└── [1.4K]  README_ZH.md

51 directories, 50 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.