Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j 代码问题漏洞

Source
https://github.com/corretto/hotpatch-for-apache-log4j2
Associated Vulnerability
Title:Apache Log4j 代码问题漏洞 (CVE-2021-44228)
Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
An  agent to hotpatch the log4j RCE from CVE-2021-44228.
Readme
# Log4jHotPatch

This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the `lookup()` method of all loaded `org.apache.logging.log4j.core.lookup.JndiLookup` instances to unconditionally return the string "Patched JndiLookup::lookup()". It is designed to address the [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228/) remote code execution vulnerability in Log4j without restarting the Java process. This tool will also address [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046/).

This has been currently only tested with JDK 8, 11, 15 and 17 on Linux!

## Building
### Gradle
To build on linux, mac and Windows subsystem for linux
```
./gradlew build
```

To build on Windows
```
.\gradlew.bat build
```

Depending on the platform you are building. This will generate `build/libs/Log4jHotPatch.jar`

### Maven

To build using Maven use

```
mvn clean package
```

This will generate a `target/Log4jHotPatch.jar`.

## Running

JDK 8
```
java -cp <java-home>/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch <java-pid>
```

JDK 11 and newer
```
java -jar Log4jHotPatch.jar <java-pid>
```

### Running the static agent

Simply add the agent to your java command line as follows:
```
java -classpath <class-path> -javaagent:Log4jHotPatch.jar <main-class> <arguments>
```

### Testing the agent
There are a set of tests that can be run outside Gradle or Maven.
```
build-tools/bin/run_tests.sh Log4jHotPatch.jar <JDK_ROOT>
```

## Known issues

If you get an error like:
```
Exception in thread "main" com.sun.tools.attach.AttachNotSupportedException: The VM does not support the attach mechanism
	at jdk.attach/sun.tools.attach.HotSpotAttachProvider.testAttachable(HotSpotAttachProvider.java:153)
	at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
	at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
	at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:115)
	at Log4jHotPatch.main(Log4jHotPatch.java:139)
```
this means that your JVM is refusing any kind of help because it is running with `-XX:+DisableAttachMechanism`.

If you get an error like:
```
com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: target process not responding or HotSpot VM not loaded
	at sun.tools.attach.LinuxVirtualMachine.<init>(LinuxVirtualMachine.java:106)
	at sun.tools.attach.LinuxAttachProvider.attachVirtualMachine(LinuxAttachProvider.java:63)
	at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:208)
	at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:182)
	at Log4jHotPatch.main(Log4jHotPatch.java:259)
```
this means you're running as a different user (including root) than the target JVM. JDK 8 can't handle patching as root user (and triggers a thread dump in the target JVM which is harmless). In JDK 11 patching a non-root process from a root process works just fine. 

If you get an error like this in the target process:
```
Exception in thread "Attach Listener" java.lang.ExceptionInInitializerError
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
        at sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:411)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "log4jFixerAgentVersion" "write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:886)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.System.setProperty(System.java:794)
        at Log4jHotPatch.<clinit>(Log4jHotPatch.java:66)
```
it means the target process has a security manager installed. Look for this command line option in the target process:
```
-Djava.security.policy=/local/apollo/.../apollo-security.policy
```
If you encounter this error, make sure you are using the latest version of the tool

**Important:** If you attempted to patch as the wrong user, you may need to delete `.attach_pid<pid>` files (found in `/tmp` and/or the CWD of the VM process) before trying again. These files need to have the right ownership for attach to succeed.
File Snapshot

 [4.0K]  /data/pocs/5610b2e1b6ebe4db440abad08eca4bfcd6cb0e2d
├── [ 845]  build.gradle
├── [4.0K]  build-tools
│   └── [4.0K]  bin
│       └── [5.8K]  run_tests.sh
├── [3.8K]  CHANGELOG.md
├── [ 309]  CODE_OF_CONDUCT.md
├── [3.1K]  CONTRIBUTING.md
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 58K]  gradle-wrapper.jar
│       └── [ 200]  gradle-wrapper.properties
├── [5.6K]  gradlew
├── [2.7K]  gradlew.bat
├── [ 592]  LICENSE
├── [  67]  NOTICE
├── [4.8K]  pom.xml
├── [4.5K]  README.md
├── [  51]  settings.gradle
├── [4.0K]  src
│   └── [4.0K]  main
│       ├── [4.0K]  java
│       │   ├── [4.0K]  com
│       │   │   └── [4.0K]  amazon
│       │   │       └── [4.0K]  corretto
│       │   │           └── [4.0K]  hotpatch
│       │   │               └── [4.0K]  org
│       │   │                   └── [4.0K]  objectweb
│       │   │                       └── [4.0K]  asm
│       │   │                           ├── [6.2K]  AnnotationVisitor.java
│       │   │                           ├── [ 27K]  AnnotationWriter.java
│       │   │                           ├── [ 16K]  Attribute.java
│       │   │                           ├── [ 13K]  ByteVector.java
│       │   │                           ├── [167K]  ClassReader.java
│       │   │                           ├── [2.8K]  ClassTooLargeException.java
│       │   │                           ├── [ 16K]  ClassVisitor.java
│       │   │                           ├── [ 44K]  ClassWriter.java
│       │   │                           ├── [6.1K]  ConstantDynamic.java
│       │   │                           ├── [ 10K]  Constants.java
│       │   │                           ├── [5.5K]  Context.java
│       │   │                           ├── [2.6K]  CurrentFrame.java
│       │   │                           ├── [3.9K]  Edge.java
│       │   │                           ├── [5.7K]  FieldVisitor.java
│       │   │                           ├── [ 11K]  FieldWriter.java
│       │   │                           ├── [ 57K]  Frame.java
│       │   │                           ├── [7.1K]  Handle.java
│       │   │                           ├── [8.1K]  Handler.java
│       │   │                           ├── [ 30K]  Label.java
│       │   │                           ├── [3.4K]  MethodTooLargeException.java
│       │   │                           ├── [ 35K]  MethodVisitor.java
│       │   │                           ├── [ 99K]  MethodWriter.java
│       │   │                           ├── [6.6K]  ModuleVisitor.java
│       │   │                           ├── [9.4K]  ModuleWriter.java
│       │   │                           ├── [ 20K]  Opcodes.java
│       │   │                           ├── [3.9K]  package.html
│       │   │                           ├── [6.0K]  RecordComponentVisitor.java
│       │   │                           ├── [9.1K]  RecordComponentWriter.java
│       │   │                           ├── [4.0K]  signature
│       │   │                           │   ├── [1.8K]  package.html
│       │   │                           │   ├── [ 12K]  SignatureReader.java
│       │   │                           │   ├── [7.0K]  SignatureVisitor.java
│       │   │                           │   └── [7.8K]  SignatureWriter.java
│       │   │                           ├── [ 10K]  Symbol.java
│       │   │                           ├── [ 54K]  SymbolTable.java
│       │   │                           ├── [ 32K]  Type.java
│       │   │                           ├── [7.6K]  TypePath.java
│       │   │                           └── [ 17K]  TypeReference.java
│       │   ├── [ 711]  Log4jHotPatch17.java
│       │   └── [ 10K]  Log4jHotPatch.java
│       └── [4.0K]  resources
│           └── [ 242]  MANIFEST.MF
├── [4.0K]  test
│   ├── [270K]  log4j-api-2.12.1.jar
│   ├── [1.6M]  log4j-core-2.12.1.jar
│   ├── [  79]  security.policy
│   └── [2.2K]  Vuln.java
├── [1.6K]  THIRD_PARTY_LICENSE.md
└── [   6]  version.txt

17 directories, 60 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.