/log4shell-detector

A log4shell detector using ProGuardCORE

Primary LanguageKotlinApache License 2.0Apache-2.0

Log4Shell detector

Yet another log4shell detector, similar to log4jscanner, log4j-detector etc but built with ProGuardCORE.

It detects the usage of log4j versions vulnerable to CVE-2021-44228.

For more information about the vulnerability see CVE-2021-44228 and Apache Log4j Security Vulnerabilities.

Executing

You can download the release distribution, extract and run the shell/bat script. The input can be a jar file, class file, directory, Android aar or Android apk.

$ bin/log4shell-detector <path-to-jar>

Or you can clone this repository and execute via Gradle:

$ ./gradlew run --args=/path/to/my.jar

Building

The application can be built from source via Gradle:

$ ./gradlew build

This will generate distribution archives in the build/distributions directory.

How does it work?

The detector looks for a specific constructor that appears in log4j < 2.15.0, similar to this Yara rule.

ProGuardCORE is used to parse the input, and a combination of class and member filters are used to look for the specific constructor.

dex2jar is used to convert dex files in Android APKs files to class files.

Shadow packed log4j

Shadow packed versions of log4j should be detected, for example if the log4j package is renamed to com/example/org/apache/logging/log4j.

Obfuscated applications

If an application is obfuscated then the detector may not detect the vulnerability, since it is name based.