log4shell-detector

Add pattern '${base64:JHtqbmRp'

Open baonq-me opened this issue 3 years ago • 7 comments

I request to add pattern ${base64:JHtqbmRp which is evaluated to ${jndi. I think with the current algorithm, the detector cannot detect these kinds of patterns.

Ref https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml#L40

baonq-me avatar Dec 14 '21 07:12 baonq-me

Oh, yes - from my own rule ... thanks

Neo23x0 avatar Dec 14 '21 08:12 Neo23x0

Oh, no, it's already in there : https://github.com/Neo23x0/log4shell-detector/blob/main/log4shell-detector.py#L35

Neo23x0 avatar Dec 14 '21 08:12 Neo23x0

Can I suggest that instead of looking for the string outright... a more foolproof way to handle the base64 is to actually do the decode. Because the issue is you can base64 encode any subset of the URI and combine it with other chars. So to handle this you could find all of the ${base64:<FOO>} instances first, decode them, then run back through the detection.

JasonKeirstead avatar Dec 14 '21 13:12 JasonKeirstead

Could you explain why we would need more coverage with an example? Which use isn't covered by ${base64:JHtqbmRp?

Neo23x0 avatar Dec 14 '21 17:12 Neo23x0

You can do this as an example... encode only "di"

${jn${base64:JZGk}://}

or this ... encode just the "d"

${jn${base64:ZA}i://}

or... any number of combinations of things that are part of the string

I have a PR #25 that adds the decoding

JasonKeirstead avatar Dec 14 '21 17:12 JasonKeirstead
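The decode-then-rescan approach discussed above, written out as an added example. This is not the detector's own code and not the contents of PR #25; the regex, the helper names (`expand_base64_lookups`, `contains_jndi_lookup`, `make_lookup`) and the sample strings are my own. It finds each innermost `${base64:...}` lookup, decodes it (missing `=` padding is tolerated, fragments that do not decode to valid UTF-8 are left untouched rather than guessed), repeats so that nested or double-encoded lookups are unwrapped too, and only then checks for `${jndi`. The round count is bounded so a log line cannot keep the scanner decoding indefinitely.

```python
import base64
import binascii
import re
from typing import Optional

# Innermost ${base64:...} lookup: the payload may not contain braces, so a
# lookup wrapped inside another lookup is matched from the inside out.
# Example regex, not the project's own pattern.
BASE64_LOOKUP = re.compile(r"\$\{base64:([A-Za-z0-9+/=]*)\}")


def _decode_b64(payload: str) -> Optional[str]:
    """Decode one base64 fragment, tolerating missing '=' padding.

    Returns None when the fragment is not valid base64 or does not decode to
    UTF-8, so the caller leaves the lookup in place instead of inventing text.
    """
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def expand_base64_lookups(text: str, max_rounds: int = 5) -> str:
    """Replace every ${base64:X} with its decoded value.

    Repeats until nothing changes so that double-encoded lookups are unwrapped,
    but stops after max_rounds so hostile input cannot make us loop forever.
    """
    for _ in range(max_rounds):
        def _sub(match: "re.Match[str]") -> str:
            decoded = _decode_b64(match.group(1))
            return match.group(0) if decoded is None else decoded

        expanded = BASE64_LOOKUP.sub(_sub, text)
        if expanded == text:
            break
        text = expanded
    return text


def contains_jndi_lookup(text: str) -> bool:
    """Detection step: scan the expanded text for a JNDI lookup prefix."""
    return "${jndi" in expand_base64_lookups(text).lower()


def make_lookup(plaintext: str) -> str:
    """Build a ${base64:...} lookup for a string (used to construct samples)."""
    return "${base64:" + base64.b64encode(plaintext.encode("utf-8")).decode("ascii") + "}"


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    samples = [
        "${base64:JHtqbmRp}",                 # whole prefix encoded
        "${jn${base64:ZA}i://}",               # only the 'd' encoded, no padding
        make_lookup(make_lookup("${jndi:")),   # encoded twice
        "GET /index.html HTTP/1.1",            # benign
    ]
    for line in samples:
        print(f"{contains_jndi_lookup(line)!s:5}  {line}  ->  {expand_base64_lookups(line)}")
```

The point of decoding innermost-first and looping is that an attacker-controlled string can split `${jndi` at any character boundary and wrap any piece, so a fixed list of encoded substrings can never be complete; normalising the input before matching is what closes that gap.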

Ah, I see - yes, good to cover that as well

Neo23x0 avatar Dec 14 '21 19:12 Neo23x0

FYI, base64 isn't actually in a release yet, just in master, so these payloads shouldn’t work unless the target has chosen to add the lookup themselves.

karanlyons avatar Dec 15 '21 18:12 karanlyons