Log4j Notes - richnadeau/Secure-Web-Application-CTF-Nadeau-Notter GitHub Wiki

Log4j

Information

What it is

Apache’s Log4j software library used to log security and performance information.

The Exploit

Exploitation of Remote Code Execution (RCE) in versions 2.0-beta9 to 2.14.1. CVE-2021-44228 "JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled." (JNDI = Java Naming and Directory Interface)

The Fix

Upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6). Review https://logging.apache.org/log4j/2.x/security.html for mitigation and more information.

CTF Scenario Ideas

Install outdated version of log4j (versions 2.0-beta9 to 2.14.1.) on web server with exposed port
- Sample website can be found here: https://github.com/cyberxml/log4j-poc
Avenue of attack
- Netcat Listener
- Malicious LDAP/Web Server
- Exploit code
- Execute

Work Cited

Apache Log4j Vulnerability Guidance - Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance. Accessed 22 Jan. 2022.
Log4j: How to Exploit and Test this Critical Vulnerability - Raxis.com. https://raxis.com/blog/log4j-exploit. Accessed 22 Jan. 2022.