log4shell tomcat exploiter doesn't work
Describe the bug
I have tried the log4shell tomcat exploiter many times on many versions of Tomcat 8 (tomcat:8.0.36-jre8, for example), but none works. The POST to the URL examples/servlets/servlet/SessionExample had no reaction related to log4shell. It neither connected to LDAP nor made a GET request to the HTTP class server.
Is there anyone kind enough to tell me some information about it?
Thanks a lot.
Machine version (please complete the following information):
- OS: Linux
Sorry for the delay; join our Slack to get answers faster. We use Apache Tomcat 8.0.36 for tests. You also need to make sure you're running a vulnerable version of Java. Have you made manual tests to make sure it's vulnerable?
Here's a tutorial
Apache Tomcat, because by its nature it does not use a specific library for logging, is not vulnerable to the log4shell exploit, but a lot of people decide to use log4j as the logging library for the Apache Tomcat service. For this purpose I have set up Apache Tomcat with log4j2. The versions used are:
- Apache Tomcat 8.0.36
- Apache Log4j 2.10.0
- JDK 1.8u181
Setting up Apache Tomcat:
- Download ( or use the apache tomcat provided) Apache Tomcat from https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.tar.gz
- Extract the archive under /usr/local/tomcat
- In order to run it we use /usr/local/tomcat/catalina.sh run (console run). Apache Tomcat requires JAVA_HOME to be set to JDK 1.8u181.
Setting up Apache Log4j on Tomcat:
- Download Log4j ( or use the one provided ) from https://archive.apache.org/dist/logging/log4j/2.10.0/apache-log4j-2.10.0-bin.tar.gz
- Extract the archive
- Download two extra jar files which are needed in order for Apache Tomcat to detect Log4j:
  - https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/extras/tomcat-juli-adapters.jar
  - https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/extras/tomcat-juli.jar
- From the Log4j archive we need: log4j-1.2-api-2.10.0.jar, log4j-api-2.10.0.jar, log4j-appserver-2.10.0.jar and log4j-core-2.10.0.jar. Put these JARs into the /usr/local/tomcat/lib directory
- Create log4j2.xml under /usr/local/tomcat/lib and put this content inside:
<?xml version="1.0" encoding="utf-8"?>
<Configuration status="info">
  <Properties>
    <Property name="logdir">${sys:catalina.base}/logs</Property>
    <Property name="layout">%d [%t] %-5p %c- %m%n</Property>
  </Properties>
  <Appenders>
    <Console name="CONSOLE" target="SYSTEM_OUT">
      <PatternLayout pattern="${layout}"/>
    </Console>
    <RollingFile name="CATALINA"
                 fileName="${logdir}/catalina.log"
                 filePattern="${logdir}/catalina.%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="${layout}"/>
      <CronTriggeringPolicy schedule="0 0 0 * * ?"/>
      <DefaultRolloverStrategy>
        <Delete basePath="${logdir}" maxDepth="1">
          <IfFileName glob="catalina.*.log.gz" />
          <IfAccumulatedFileCount exceeds="10" />
        </Delete>
      </DefaultRolloverStrategy>
    </RollingFile>
    <RollingFile name="LOCALHOST"
                 fileName="${logdir}/localhost.log"
                 filePattern="${logdir}/localhost.%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="${layout}"/>
      <CronTriggeringPolicy schedule="0 0 0 * * ?"/>
      <DefaultRolloverStrategy>
        <Delete basePath="${logdir}" maxDepth="1">
          <IfFileName glob="localhost.*.log.gz" />
          <IfAccumulatedFileCount exceeds="10" />
        </Delete>
      </DefaultRolloverStrategy>
    </RollingFile>
    <RollingFile name="MANAGER"
                 fileName="${logdir}/manager.log"
                 filePattern="${logdir}/manager.%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="${layout}"/>
      <CronTriggeringPolicy schedule="0 0 0 * * ?"/>
      <DefaultRolloverStrategy>
        <Delete basePath="${logdir}" maxDepth="1">
          <IfFileName glob="manager.*.log.gz" />
          <IfAccumulatedFileCount exceeds="10" />
        </Delete>
      </DefaultRolloverStrategy>
    </RollingFile>
    <RollingFile name="HOST-MANAGER"
                 fileName="${logdir}/host-manager.log"
                 filePattern="${logdir}/host-manager.%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="${layout}"/>
      <CronTriggeringPolicy schedule="0 0 0 * * ?"/>
      <DefaultRolloverStrategy>
        <Delete basePath="${logdir}" maxDepth="1">
          <IfFileName glob="host-manager.*.log.gz" />
          <IfAccumulatedFileCount exceeds="10" />
        </Delete>
      </DefaultRolloverStrategy>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="CATALINA"/>
    </Root>
    <Logger name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost]"
            level="all"
            additivity="false">
      <AppenderRef ref="LOCALHOST"/>
    </Logger>
    <Logger name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]"
            level="all"
            additivity="false">
      <AppenderRef ref="MANAGER"/>
    </Logger>
    <Logger name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager]"
            level="all"
            additivity="false">
      <AppenderRef ref="HOST-MANAGER"/>
    </Logger>
  </Loggers>
</Configuration>
This XML defines the log4j2 properties. You can define which log levels are going to be used for Apache Tomcat.
- Copy tomcat-juli-adapters.jar into /usr/local/tomcat/lib
- Copy tomcat-juli.jar into /usr/local/tomcat/bin. This will replace the already existing tomcat-juli.jar with the one which will detect log4j.
- Start Tomcat using ./catalina.sh run
- Logs are under /usr/local/tomcat/logs
For more, read: https://tomcat.apache.org/tomcat-8.0-doc/logging.html; log4j2.xml: https://gist.github.com/bmaupin/475a0cd6e8b374d876f5085846761fb6
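The maintainer's reply and the tutorial above both come down to one question: is the Tomcat instance actually wired to log4j2, and is the log4j-core it loads a Log4Shell-affected build? The script below is an added example written for this thread, not code from the log4shell-tomcat project or from the tutorial's author. It audits a CATALINA_HOME laid out the way the tutorial describes (the jars in lib/, tomcat-juli.jar in bin/, log4j2.xml in lib/), reads the log4j-core version from the jar file name, and checks whether the JndiLookup class is still inside the jar. The version threshold (log4j-core 2.x before 2.15.0 is affected) and the JndiLookup class path are from the public Log4Shell advisories; the fixture it builds when run without arguments is constructed test data, not real Log4j jars.

```python
"""Audit a Tomcat install wired to log4j2 the way the tutorial above describes,
and report whether its log4j-core is a Log4Shell-affected build.
Added example for this thread, not code from the log4shell-tomcat project;
it assumes the tutorial's layout (lib/ and bin/ under CATALINA_HOME)."""
import json
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Jars the tutorial places in lib/ so that Tomcat logs through log4j2.
REQUIRED_LIB_JARS = ("log4j-1.2-api", "log4j-api", "log4j-appserver",
                     "log4j-core", "tomcat-juli-adapters")
# The class that resolves ${jndi:...} lookups; deleting it from the jar was
# the published mitigation for builds that could not be upgraded.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j-core 2.x releases before 2.15.0 are Log4Shell-affected (the tutorial's
# 2.10.0 included); later releases carried further fixes, so upgrade to the
# current release rather than stopping at this threshold.
FIRST_FIXED = (2, 15, 0)

_CORE_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_core_version(jar_name):
    """(major, minor, patch) from a log4j-core-X.Y.Z.jar file name, else None."""
    m = _CORE_RE.match(jar_name)
    return tuple(int(p) for p in m.groups()) if m else None


def jar_has_class(jar_path, class_path):
    """True if the class file is present inside the jar (jars are zip archives)."""
    with zipfile.ZipFile(jar_path) as zf:
        return class_path in zf.namelist()


def check_tomcat(catalina_home):
    """Return a dict describing the log4j2 wiring and Log4Shell exposure."""
    home = Path(catalina_home)
    lib, bin_dir = home / "lib", home / "bin"
    jars = [p.name for p in lib.glob("*.jar")] if lib.is_dir() else []

    def present(prefix):
        return any(j == prefix + ".jar" or j.startswith(prefix + "-") for j in jars)

    report = {
        "missing_lib_jars": [n for n in REQUIRED_LIB_JARS if not present(n)],
        "has_log4j2_xml": (lib / "log4j2.xml").is_file(),
        "has_juli_in_bin": (bin_dir / "tomcat-juli.jar").is_file(),
        "log4j_core_version": None,
        "jndi_lookup_present": False,
        "log4shell_affected": False,
    }
    for name in jars:
        version = parse_core_version(name)
        if version is None:
            continue
        report["log4j_core_version"] = ".".join(map(str, version))
        report["jndi_lookup_present"] = jar_has_class(lib / name, JNDI_LOOKUP_CLASS)
        # Affected only if the build predates the fix AND the lookup class is
        # still inside the jar (i.e. the class-removal mitigation was not applied).
        report["log4shell_affected"] = (version < FIRST_FIXED
                                        and report["jndi_lookup_present"])
    return report


def build_fixture(root, core_version="2.10.0", strip_jndi=False):
    """Constructed test layout: near-empty jars with the tutorial's names, not
    real Log4j builds. Only log4j-core gets a placeholder JndiLookup entry."""
    root = Path(root)
    lib, bin_dir = root / "lib", root / "bin"
    lib.mkdir(parents=True, exist_ok=True)
    bin_dir.mkdir(parents=True, exist_ok=True)
    for name in ("log4j-1.2-api", "log4j-api", "log4j-appserver", "log4j-core"):
        with zipfile.ZipFile(lib / f"{name}-{core_version}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if name == "log4j-core" and not strip_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder, not bytecode")
    (lib / "tomcat-juli-adapters.jar").write_bytes(b"")
    (bin_dir / "tomcat-juli.jar").write_bytes(b"")
    (lib / "log4j2.xml").write_text("<Configuration/>\n")
    return root


def demo(core_version="2.10.0", strip_jndi=False):
    """Audit a throwaway fixture; lets the script run without a real Tomcat."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_tomcat(build_fixture(tmp, core_version, strip_jndi))


if __name__ == "__main__":
    # Pass a CATALINA_HOME (e.g. /usr/local/tomcat) to audit a real install.
    result = check_tomcat(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(json.dumps(result, indent=2))
```

Run it as `python3 audit_tomcat_log4j.py /usr/local/tomcat` against the tutorial's layout: a report with an empty `missing_lib_jars`, `log4j_core_version` of 2.10.0 and `jndi_lookup_present` true is exactly the configuration the exploiter expects, while a non-empty `missing_lib_jars` or a missing `tomcat-juli.jar` in bin/ means Tomcat never hands its logging to log4j and no ${jndi:...} string in a request will reach it. The same check, pointed at a production instance, is a quick way to confirm that an upgrade or the class-removal mitigation actually landed in the jar Tomcat loads.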
Closed due to inactivity. We can reopen this if the issue resurfaces.