Exploit for Uncontrolled Resource Consumption in Apache Log4J

Name: Exploit for Uncontrolled Resource Consumption in Apache Log4J
Rating: 5 (276 reviews)
2021-12-15 | CVSS 8.9
## https://sploitus.com/exploit?id=9327CBCC-5FA0-5155-9C98-3F1488EF2F57
# Log4Shell Honeypot

Dockerized honeypot for [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) based on Alpine, written in Python/Flask.

[![Snyk Container](https://github.com/michaelsanford/Log4Shell-Honeypot/actions/workflows/snyk-container-analysis.yml/badge.svg)](https://github.com/michaelsanford/Log4Shell-Honeypot/actions/workflows/snyk-container-analysis.yml)
[![CodeQL](https://github.com/michaelsanford/Log4Shell-Honeypot/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/michaelsanford/Log4Shell-Honeypot/actions/workflows/codeql-analysis.yml)
[![Pylint](https://github.com/michaelsanford/Log4Shell-Honeypot/actions/workflows/pylint.yml/badge.svg)](https://github.com/michaelsanford/Log4Shell-Honeypot/actions/workflows/pylint.yml)

## Detection Rule

The container responds with a plain login form.

Any request will be inspected for `${` (headers and body).

This triggers a critical-level log with the entire request (as a dict with tuples, which is JSON-ish).

## Event log

The event log will look like this (but as a single line):

```yaml
CRITICAL:<HONEYPOT_NAME>:{
  'honeypot': '<HONEYPOT_NAME>', 
  'source': '172.17.0.1',
  'headers': EnvironHeaders([
    ('Host', 'localhost:8080'),
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0'),
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'),
    ('Accept-Language', 'en-CA,fr-CA;q=0.5'),
    ('Accept-Encoding', 'gzip, deflate'),
    ('Content-Type', 'application/x-www-form-urlencoded'),
    ('Content-Length', '45'), 
    ('Origin', 'http://localhost:8080'),
    ('Connection', 'keep-alive'), 
    ('Referer', 'http://localhost:8080/'), 
    ('Upgrade-Insecure-Requests', '1'), 
    ('Sec-Fetch-Dest', 'document'), 
    ('Sec-Fetch-Mode', 'navigate'), 
    ('Sec-Fetch-Site', 'same-origin'), 
    ('Sec-Fetch-User', '?1')
  ]),
  'body': [
    ('username', '${'), 
    ('password', ''), 
    ('submit', 'Submit Query')
  ]}
```

## Docker Quickstart

```shell
# x86_64
docker run -d -p 8080:8080 -e HONEYPOT_NAME="log4shell-honeypot" --name="log4shell-honeypot" msanford/log4shell-honeypot:latest

# ARM (e.g., Raspberry Pi)
docker run -d -p 8080:8080 -e HONEYPOT_NAME="log4shell-honeypot" --name="log4shell-honeypot" msanford/log4shell-honeypot:arm-latest
```

A `docker-compose.yml` fragment is also provided.

### Build

```shell
docker build -t log4shell-honeypot:latest .
```


# Acknowledgements

This is a modified fork of [BinaryDefense/log4shell-honeypot-flask](https://github.com/BinaryDefense/log4shell-honeypot-flask) 👏🏼.