Related vulnerability
Description
An agent to hotpatch the log4j RCE from CVE-2021-44228.
Introduction
# Log4jHotPatch
This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the `lookup()` method of all loaded `org.apache.logging.log4j.core.lookup.JndiLookup` instances to unconditionally return the string "Patched JndiLookup::lookup()". It is designed to address the [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228/) remote code execution vulnerability in Log4j without restarting the Java process. This tool will also address [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046/).
This has currently only been tested with JDK 8, 11, 15 and 17 on Linux!
## Building
### Gradle
To build on Linux, macOS and Windows Subsystem for Linux:
```
./gradlew build
```
To build on Windows:
```
.\gradlew.bat build
```
depending on the platform you are building on. Either command generates `build/libs/Log4jHotPatch.jar`.
### Maven
To build using Maven, run:
```
mvn clean package
```
This will generate a `target/Log4jHotPatch.jar`.
## Running
JDK 8
```
java -cp <java-home>/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch <java-pid>
```
JDK 11 and newer
```
java -jar Log4jHotPatch.jar <java-pid>
```
### Running the static agent
Simply add the agent to your java command line as follows:
```
java -classpath <class-path> -javaagent:Log4jHotPatch.jar <main-class> <arguments>
```
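The following is an added example, not code from the Log4jHotPatch project, showing the two halves the sections above describe: an agent that rewrites every `String`-returning `lookup(...)` of `org.apache.logging.log4j.core.lookup.JndiLookup` into `return "Patched JndiLookup::lookup()"`, and the attach-side loader that injects that agent into a running JVM by pid (the `java -jar Log4jHotPatch.jar <java-pid>` / `-javaagent:` paths). It assumes ASM 9 (`org.objectweb.asm`) is bundled into the agent jar, that the jar manifest declares `Agent-Class: JndiLookupPatchAgent`, `Premain-Class: JndiLookupPatchAgent` and `Can-Retransform-Classes: true`, and, on JDK 8, that `<java-home>/lib/tools.jar` is on the class path of the loader side; the class and constant names are the example's own.

```java
// Added example (not the Log4jHotPatch project's code). Assumed manifest entries:
//   Agent-Class: JndiLookupPatchAgent
//   Premain-Class: JndiLookupPatchAgent
//   Can-Retransform-Classes: true
import java.io.File;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

import com.sun.tools.attach.VirtualMachine;

public class JndiLookupPatchAgent {
    // Internal (slash-separated) name, as seen by ClassFileTransformer.transform()
    static final String TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup";
    static final String PATCHED = "Patched JndiLookup::lookup()";

    /** Rewrites every String-returning lookup(...) of the class into `return PATCHED;`. */
    static byte[] patch(byte[] classBytes) {
        ClassReader cr = new ClassReader(classBytes);
        // The replacement body has no branches, so no stack-map frames are needed;
        // COMPUTE_MAXS is enough and avoids class loading during frame computation.
        ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS);
        cr.accept(new ClassVisitor(Opcodes.ASM9, cw) {
            @Override
            public MethodVisitor visitMethod(int access, String name, String desc,
                                             String sig, String[] exceptions) {
                MethodVisitor mv = super.visitMethod(access, name, desc, sig, exceptions);
                if (!"lookup".equals(name) || !desc.endsWith(")Ljava/lang/String;")) {
                    return mv; // untouched: the original instructions are copied through
                }
                // Emit the whole replacement body now and return null, which makes the
                // ClassReader skip the original instructions of this method entirely.
                mv.visitCode();
                mv.visitLdcInsn(PATCHED);
                mv.visitInsn(Opcodes.ARETURN);
                mv.visitMaxs(0, 0); // values recomputed because of COMPUTE_MAXS
                mv.visitEnd();
                return null;
            }
        }, 0);
        return cw.toByteArray();
    }

    /** Dynamic-attach entry point; also the static (-javaagent) entry point via premain(). */
    public static void agentmain(String args, Instrumentation inst) throws Exception {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className, Class<?> cls,
                                    ProtectionDomain pd, byte[] bytes) {
                return TARGET.equals(className) ? patch(bytes) : null; // null = unchanged
            }
        }, /* canRetransform */ true);

        // JndiLookup may already be loaded, possibly by several class loaders
        // (one per web application, for example): re-transform every modifiable copy.
        String binaryName = TARGET.replace('/', '.');
        List<Class<?>> loaded = new ArrayList<>();
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (binaryName.equals(c.getName()) && inst.isModifiableClass(c)) {
                loaded.add(c);
            }
        }
        if (!loaded.isEmpty()) {
            inst.retransformClasses(loaded.toArray(new Class<?>[0]));
        }
    }

    public static void premain(String args, Instrumentation inst) throws Exception {
        agentmain(args, inst);
    }

    /** Attach side: java -cp <tools.jar:>agent.jar JndiLookupPatchAgent <java-pid> <agent-jar> */
    public static void main(String[] argv) throws Exception {
        String pid = argv[0];
        // The target JVM resolves the path, so hand it an absolute one.
        String agentJar = new File(argv[1]).getAbsolutePath();
        VirtualMachine vm = VirtualMachine.attach(pid);
        try {
            vm.loadAgent(agentJar); // runs agentmain() inside the target process
        } finally {
            vm.detach();
        }
    }
}
```

Two design points worth noting: the transformer is registered with `canRetransform = true` and then `retransformClasses` is called for already-loaded copies, because a long-running server has almost certainly loaded `JndiLookup` before the agent arrives; and the patch is applied in `transform()` rather than only once, so a class loader that loads `JndiLookup` after the agent is installed is covered as well.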
### Testing the agent
There are a set of tests that can be run outside Gradle or Maven.
```
build-tools/bin/run_tests.sh Log4jHotPatch.jar <JDK_ROOT>
```
## Known issues
If you get an error like:
```
Exception in thread "main" com.sun.tools.attach.AttachNotSupportedException: The VM does not support the attach mechanism
at jdk.attach/sun.tools.attach.HotSpotAttachProvider.testAttachable(HotSpotAttachProvider.java:153)
at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:115)
at Log4jHotPatch.main(Log4jHotPatch.java:139)
```
this means that your JVM is refusing any kind of help because it is running with `-XX:+DisableAttachMechanism`.
If you get an error like:
```
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: target process not responding or HotSpot VM not loaded
at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:208)
at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:182)
at Log4jHotPatch.main(Log4jHotPatch.java:259)
```
this means you're running as a different user (including root) than the target JVM. JDK 8 can't handle patching from the root user (and triggers a thread dump in the target JVM, which is harmless). On JDK 11, patching a non-root process from a root process works just fine.
If you get an error like this in the target process:
```
Exception in thread "Attach Listener" java.lang.ExceptionInInitializerError
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
at sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:411)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "log4jFixerAgentVersion" "write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:886)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.System.setProperty(System.java:794)
at Log4jHotPatch.<clinit>(Log4jHotPatch.java:66)
```
it means the target process has a security manager installed. Look for this command line option in the target process:
```
-Djava.security.policy=/local/apollo/.../apollo-security.policy
```
If you encounter this error, make sure you are using the latest version of the tool.
**Important:** If you attempted to patch as the wrong user, you may need to delete `.attach_pid<pid>` files (found in `/tmp` and/or the CWD of the VM process) before trying again. These files need to have the right ownership for attach to succeed.
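As an added example, not part of the Log4jHotPatch project, the following pre-flight check turns the failure modes listed in this section into things you can inspect before attaching: the owner of the target process versus the user running the patcher, `-XX:+DisableAttachMechanism` and a `-Djava.security.policy=` / `-Djava.security.manager` option on the target's command line, and stale `.attach_pid<pid>` files in `/tmp` or the target's working directory whose owner does not match the target. It assumes a Linux `/proc` layout (`/proc/<pid>`, `/proc/<pid>/cmdline`, `/proc/<pid>/cwd`); the class and method names are the example's own.

```java
// Added example (not the Log4jHotPatch project's code). Assumes Linux /proc.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AttachPreflight {

    /** Returns the problems found for the target pid; an empty list means "go ahead". */
    static List<String> check(String pid, String currentUser) throws IOException {
        List<String> problems = new ArrayList<>();
        Path proc = Paths.get("/proc", pid);
        if (!Files.isDirectory(proc)) {
            problems.add("no such process: " + pid);
            return problems;
        }

        // "Unable to open socket file": the patcher runs as a different user than the JVM.
        // /proc/<pid> is owned by the user the process runs as (assumption: dumpable process).
        String owner = Files.getOwner(proc).getName();
        if (!owner.equals(currentUser)) {
            problems.add("target runs as '" + owner + "' but you are '" + currentUser + "'");
        }

        // /proc/<pid>/cmdline is NUL-separated; split it into the JVM's argv.
        byte[] raw = Files.readAllBytes(proc.resolve("cmdline"));
        String[] argv = new String(raw, StandardCharsets.UTF_8).split("\0");
        problems.addAll(checkArgs(Arrays.asList(argv)));

        // Stale marker files from an earlier attempt as the wrong user block a retry.
        Path cwd = proc.resolve("cwd"); // symlink to the JVM's working directory
        for (Path dir : new Path[] { Paths.get("/tmp"), cwd }) {
            Path marker = dir.resolve(".attach_pid" + pid);
            if (Files.exists(marker)) {
                String markerOwner = Files.getOwner(marker).getName();
                if (!markerOwner.equals(owner)) {
                    problems.add("stale " + marker + " owned by '" + markerOwner
                            + "', delete it before retrying");
                }
            }
        }
        return problems;
    }

    /** Command-line checks, kept separate so they can be run on any argv. */
    static List<String> checkArgs(List<String> argv) {
        List<String> problems = new ArrayList<>();
        // "The VM does not support the attach mechanism"
        if (argv.contains("-XX:+DisableAttachMechanism")) {
            problems.add("JVM started with -XX:+DisableAttachMechanism; attach will be refused");
        }
        // AccessControlException on System.setProperty: a security manager is in effect.
        for (String a : argv) {
            if (a.startsWith("-Djava.security.policy=") || a.startsWith("-Djava.security.manager")) {
                problems.add("security manager in effect (" + a
                        + "); make sure you use the latest version of the tool");
            }
        }
        return problems;
    }

    /** Usage: java AttachPreflight <java-pid>; exits non-zero if anything needs fixing. */
    public static void main(String[] args) throws IOException {
        List<String> problems = check(args[0], System.getProperty("user.name"));
        for (String p : problems) {
            System.err.println("preflight: " + p);
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it as the same user you intend to attach with; if it reports a user mismatch, switch to the JVM's user rather than to root, since the section above notes that JDK 8 cannot attach from root at all.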
File snapshot
[4.0K] /data/pocs/5610b2e1b6ebe4db440abad08eca4bfcd6cb0e2d
├── [ 845] build.gradle
├── [4.0K] build-tools
│ └── [4.0K] bin
│ └── [5.8K] run_tests.sh
├── [3.8K] CHANGELOG.md
├── [ 309] CODE_OF_CONDUCT.md
├── [3.1K] CONTRIBUTING.md
├── [4.0K] gradle
│ └── [4.0K] wrapper
│ ├── [ 58K] gradle-wrapper.jar
│ └── [ 200] gradle-wrapper.properties
├── [5.6K] gradlew
├── [2.7K] gradlew.bat
├── [ 592] LICENSE
├── [ 67] NOTICE
├── [4.8K] pom.xml
├── [4.5K] README.md
├── [ 51] settings.gradle
├── [4.0K] src
│ └── [4.0K] main
│ ├── [4.0K] java
│ │ ├── [4.0K] com
│ │ │ └── [4.0K] amazon
│ │ │ └── [4.0K] corretto
│ │ │ └── [4.0K] hotpatch
│ │ │ └── [4.0K] org
│ │ │ └── [4.0K] objectweb
│ │ │ └── [4.0K] asm
│ │ │ ├── [6.2K] AnnotationVisitor.java
│ │ │ ├── [ 27K] AnnotationWriter.java
│ │ │ ├── [ 16K] Attribute.java
│ │ │ ├── [ 13K] ByteVector.java
│ │ │ ├── [167K] ClassReader.java
│ │ │ ├── [2.8K] ClassTooLargeException.java
│ │ │ ├── [ 16K] ClassVisitor.java
│ │ │ ├── [ 44K] ClassWriter.java
│ │ │ ├── [6.1K] ConstantDynamic.java
│ │ │ ├── [ 10K] Constants.java
│ │ │ ├── [5.5K] Context.java
│ │ │ ├── [2.6K] CurrentFrame.java
│ │ │ ├── [3.9K] Edge.java
│ │ │ ├── [5.7K] FieldVisitor.java
│ │ │ ├── [ 11K] FieldWriter.java
│ │ │ ├── [ 57K] Frame.java
│ │ │ ├── [7.1K] Handle.java
│ │ │ ├── [8.1K] Handler.java
│ │ │ ├── [ 30K] Label.java
│ │ │ ├── [3.4K] MethodTooLargeException.java
│ │ │ ├── [ 35K] MethodVisitor.java
│ │ │ ├── [ 99K] MethodWriter.java
│ │ │ ├── [6.6K] ModuleVisitor.java
│ │ │ ├── [9.4K] ModuleWriter.java
│ │ │ ├── [ 20K] Opcodes.java
│ │ │ ├── [3.9K] package.html
│ │ │ ├── [6.0K] RecordComponentVisitor.java
│ │ │ ├── [9.1K] RecordComponentWriter.java
│ │ │ ├── [4.0K] signature
│ │ │ │ ├── [1.8K] package.html
│ │ │ │ ├── [ 12K] SignatureReader.java
│ │ │ │ ├── [7.0K] SignatureVisitor.java
│ │ │ │ └── [7.8K] SignatureWriter.java
│ │ │ ├── [ 10K] Symbol.java
│ │ │ ├── [ 54K] SymbolTable.java
│ │ │ ├── [ 32K] Type.java
│ │ │ ├── [7.6K] TypePath.java
│ │ │ └── [ 17K] TypeReference.java
│ │ ├── [ 711] Log4jHotPatch17.java
│ │ └── [ 10K] Log4jHotPatch.java
│ └── [4.0K] resources
│ └── [ 242] MANIFEST.MF
├── [4.0K] test
│ ├── [270K] log4j-api-2.12.1.jar
│ ├── [1.6M] log4j-core-2.12.1.jar
│ ├── [ 79] security.policy
│ └── [2.2K] Vuln.java
├── [1.6K] THIRD_PARTY_LICENSE.md
└── [ 6] version.txt
17 directories, 60 files
Notes
1. Access through the original source is recommended.
2. If the source is gone or unreachable, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.