Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source
https://github.com/BinaryDefense/log4j-honeypot-flask
Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228
Readme
# log4j-honeypot-flask
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

This can be installed on a workstation or server, either by running the Python app/app.py script directly (you'll need python3, Flask, and Requests) or as a Docker container.

You will need to set some environment variables (or hard-code them into the script):
WEBHOOK_URL=your Teams, Slack or Mattermost webhook URL to receive notifications
HONEYPOT_NAME=unique name for this honeypot so you know where the alerts came from
HONEYPOT_PORT=8080 or whatever port you want it to listen on

Important Note: This is a LOW-INTERACTION honeypot meant for internal active defense. It is not supposed to be vulnerable or let attackers get into anything.

All it does is watch for suspicious string patterns in the requests (form fields and HTTP headers) and alert you if anything weird comes through by sending a message 
on Teams or Slack.

# Example running via Docker:

```
docker build -t log4j-honeypot-flask:latest .

docker run -d -p 8080:8080 -e WEBHOOK_URL=https://yourwebhookurl -e HONEYPOT_NAME=dmz_log4j_hp log4j-honeypot-flask
```

# Example running via command line:

```
export WEBHOOK_URL=https://yourwebhookurl

export HONEYPOT_NAME=LittleBobbyJNDI

export HONEYPOT_PORT=8081

python3 app/app.py
```
File Snapshot

 [4.0K]  /data/pocs/19d019db971c0b60a7eb5f1a634c41aaa0504ff3
├── [4.0K]  app
│   └── [3.6K]  app.py
├── [  55]  boot.sh
├── [ 527]  Dockerfile
├── [1.3K]  README.md
└── [  29]  requirements.txt

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →