log4shell-analysis
log4shell-analysis copied to clipboard
righettod
Contains all my research and content produced regarding the log4shell vulnerability
Objective
Contains all my research and content produced regarding the log4shell vulnerability.
Content
Folder "analysis"
Contain the information that I gather about the vulnerability, affected versions, exploitation context/requirements, remediation plan proposal and so on...
This content is created using Joplin and then exported as markdown to the analysis folder.
➡️ Access to the content.
💡 Use the TOC feature of Github the navigate in the content (icon on top left):
Folder "payloads"
Contain a collection of log4shell payloads seen on my twitter feeds.
The goal is to allows testing detection regexes defined in protection systems against payloads effectively used.
➡️ Access to the content.
Folder "playground"
Contains sample java files used to test my scripts.
Precisely, contains log4j-core instances of the library including ones hidden in WAR/EAR archives as well as nested jars.
The 6 files are named from AAlog4j... to FFlog4j... to faciliate the review of the test results.
Folder "sandbox"
Contains a maven project used to perform testing with the log4j2 library as well as working on protection/detection technical material, like unit test cases.
It is a IntelliJ IDEA project.
Folder "scripts"
💡 For Windows target: You can use the bash provided by Git portable for Windows to run all the scripts.
Contains utility script provided to help addressing this vulnerability.
- identify-log4j-class-location.sh: Bash script to identify Log4J affected class for CVE-2021-44228 in a collection of EAR/WAR/JAR files.
$ bash identify-log4j-class-location.sh ../playground/
[+] Searching class 'org/apache/logging/log4j/core/lookup/JndiLookup.class' across '../playground/' folder...
[*] Inspecting file: BBlog4j - core - 2.14.1.jar
[!] Class found in the file '../playground/BBlog4j - core - 2.14.1.jar'.
[+] Try to find the Maven artefact version...
File : ../playground/BBlog4j - core - 2.14.1.jar
Metadata file : META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
Log4J version : 2.14.1
[*] Inspecting file: dom4j-1.1.jar
...
[!] Inspection finished - Class found!
- identify-tcm-expressions-usage.sh: Bash script to identify code prone to CVE-2021-45046/CVE-2021-45105 in a collection of EAR/WAR/JAR files.
ℹ️ A release jar file of this java decompiler must be present in the current folder as well as java (JRE) in the $PATH.
$ bash identify-tcm-expressions-usage.sh ../playground/
[+] Include Log4J artefacts.
[+] Searching for Log4J2 Thread Context Map or Log4J2 Expressions usage across '../playground/' folder...
[*] Inspecting file: BBlog4j - core - 2.14.1.jar
[!] Usage of the Thread Context Map identified in decompiled sources of the jar file '../playground/BBlog4j - core - 2.14.1.jar':
/tmp/jarsrcwork/org/apache/logging/log4j/core/LogEvent.java:7:import org.apache.logging.log4j.ThreadContext;
/tmp/jarsrcwork/org/apache/logging/log4j/core/layout/AbstractJacksonLayout.java:19:import org.apache.logging.log4j.ThreadContext;
...
[!] Inspection finished - Usage found!
$ bash identify-tcm-expressions-usage.sh ../playground/ --ignore-log4j2-artefacts
[+] Exclude Log4J artefacts.
[+] Searching for Log4J2 Thread Context Map or Log4J2 Expressions usage across '../playground/' folder...
[V] Inspection finished - No usage found!
Folder "videos"
Contains videos of demonstrations and technical tests performed during the analysis.
Misc
A companion tool was developed alongside this analysis to help the defender side: log4shell-payload-grabber.
righettod