JNDI and LDAP: Concepts Induced by Log4j Injection Vulnerability

Hello everyone. Some time ago, a vulnerability disclosure published on the official Log4j website caused an uproar in the industry. Presumably many programmers were like me at that time - working overtime to upgrade the system overnight.

After the incident, I began to study the causes of the Log4j remote code injection vulnerability seriously. Along the way I ran into the concepts of JNDI and LDAP, and it took a while to summarize them:


1. JNDI

To put it simply, JNDI (Java Naming and Directory Interface) is a standard Java naming system interface provided by SUN. It gives developers a unified, general interface for finding and accessing resources of many kinds, such as users, networks, machines, objects, and services. JNDI provides a unified client API; through implementations of different service provider interfaces (SPI), the JNDI API is mapped to a specific naming service or directory system, so that Java applications can interact with these naming and directory services.

Underneath, JNDI supports RMI remote objects: services registered with RMI can be accessed and invoked through the JNDI interface.

JNDI supports a variety of naming and directory providers. The RMI Registry Service Provider allows remote objects registered in RMI to be accessed through the JNDI application interface. One benefit of binding an RMI service into JNDI is that it is more transparent, unified, and loosely coupled: the RMI client can locate a remote object directly through a URL, and the RMI service can be linked together with an enterprise directory containing information about people, organizations, and network resources.

Naming services and directory services were mentioned above; what are they?

1.1 Naming Services

A naming service is a simple key-value binding: the value can be retrieved by its key name. RMI is a typical naming service.

1.2 Directory Services

Directory services are an extension of naming services. The difference from a naming service is that objects can be retrieved by their attributes. That may not be easy to grasp, so here is an example: to find a person in a certain school, you would search by grade -> class -> name. Grade, class, and name are attributes of the person, and this hierarchical relationship looks very much like a directory tree, which is why this way of storing objects is called a directory service. LDAP is a typical directory service; we have not covered it yet, and it will be described later.

In fact, if you think about it carefully, you will feel that the essence of naming service and directory service is the same. They both use keys to find objects, but the keys of directory services are more flexible and more complicated.

At first, many people are confused by the words JNDI and RMI, and many articles say that you can "use JNDI to call RMI", which only adds to the confusion. All we need to know is that JNDI wraps the logic for accessing the various directory services. In the past, the code needed to access RMI and the code needed to access LDAP were very different; with the JNDI layer in between, we can use the JNDI API to access RMI or LDAP services easily, so that the code for accessing different services is basically the same.

A picture is worth a thousand words:

[Figure: JNDI lookup against RMI with a single key versus a directory service such as LDAP with multiple attribute key-value pairs]

It can be seen from the figure that when JNDI accesses RMI it only passes a key, foo, and the RMI server returns an object. When it accesses a directory service such as LDAP, the string passed is more complex and contains several key-value pairs. These key-value pairs are the attributes of the object, and LDAP decides which object to return based on them.

1.3 JNDI injection

When the JNDI interface is initialized, an RMI URL can be passed in as a parameter, and JNDI injection occurs in the client's lookup() call. If the argument of lookup() is controllable by an attacker, the application may be attacked.

Note: InitialContext is a class that implements the Context interface and serves as the entry point to the JNDI naming service. To create an InitialContext object, you pass in a set of properties whose type is java.util.Hashtable or one of its subclasses.
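As an added illustration (not code from the original post), the Java helper below shows one way to keep the argument of lookup() out of an attacker's hands: only plain names under a fixed local prefix are ever handed to InitialContext.lookup(), and any name carrying a URL scheme or a path escape is refused before JNDI sees it. The prefix `java:comp/env/` and the sample names in main() are assumptions chosen for the demonstration.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.List;

public class SafeJndiLookup {
    // Assumption: the application only ever needs resources from its own
    // container environment namespace, never from a remote RMI/LDAP URL.
    private static final String ALLOWED_PREFIX = "java:comp/env/";

    /** True only for a plain local environment name: fixed prefix, no scheme, no escape. */
    public static boolean isSafeName(String name) {
        if (name == null || !name.startsWith(ALLOWED_PREFIX)) {
            return false;
        }
        String rest = name.substring(ALLOWED_PREFIX.length());
        // A second ':' or a '//' would let a URL scheme (rmi://, ldap://, ...) slip in;
        // '..' would let the caller walk out of the allowed subtree.
        if (rest.isEmpty() || rest.contains(":") || rest.contains("//") || rest.contains("..")) {
            return false;
        }
        return rest.matches("[A-Za-z0-9_./-]+");
    }

    /** Wrapper around InitialContext.lookup() that refuses anything not allow-listed. */
    public static Object lookup(String name) throws NamingException {
        if (!isSafeName(name)) {
            throw new NamingException("refused JNDI lookup of untrusted name: " + name);
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample names: one legitimate resource and three that must be refused.
        List<String> samples = List.of(
                "java:comp/env/jdbc/appDb",
                "rmi://untrusted.example/foo",
                "ldap://untrusted.example/cn=foo",
                "java:comp/env/../jdbc/appDb");
        for (String s : samples) {
            System.out.println((isSafeName(s) ? "ALLOW  " : "REFUSE ") + s);
        }
    }
}
```

Running main() prints ALLOW for the first name and REFUSE for the other three; the actual lookup() call only succeeds inside a container that populates java:comp/env.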


2. LDAP

LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard. A directory is a database optimized for querying, browsing, and searching; it organizes data in a tree-like structure, similar to a directory of files. Unlike relational databases, directory databases have excellent read performance but poor write performance, and they lack complex features such as transaction processing and rollback, so they are not suitable for storing frequently modified data. A directory is inherently meant to be queried, just as its name suggests.

An LDAP directory service is a system consisting of a directory database and a set of access protocols.

It is not hard to see from the definition above that LDAP is a directory. So how did directories come about, and what are they for?

In today's information world, the Internet provides people with abundant resources. As network resources grow ever richer, there is an urgent need for a service technology that can manage resource information effectively and make retrieval and querying easy. Directory service technology arose to meet this need.

  1. An LDAP directory service can effectively solve the user account problem shared by many network services.
  2. An LDAP directory service specifies a unified identity information database, identity authentication mechanism, and interface; it realizes unified management of resources and information and ensures the consistency and integrity of data.
  3. An LDAP directory service describes data in a tree-like hierarchical structure, a model that fits the business organization structure of many industry applications.

2.1 Role of LDAP

The main function of LDAP is to ensure the security of user accounts. An LDAP directory can be accessed on any computer platform, with a readily available and growing number of LDAP client programs, and LDAP servers are simple to install and easy to maintain and optimize.

2.2 LDAP server

The LDAP server is used to process queries and updates against the LDAP directory. In other words, an LDAP directory is also a kind of database, but not a relational one. Unlike databases designed to process hundreds of thousands of data changes per minute, such as the online transaction processing (OLTP) systems often used in e-commerce, LDAP is primarily designed to optimize read performance.

The biggest advantage of LDAP is that the directory can be accessed on any computer platform, with a readily available and growing number of LDAP client programs, and it is easy to customize an application to add LDAP support.



Origin blog.csdn.net/weixin_44259720/article/details/122092850