log4shell_header_injection bugfix to prevent .keys call on nil #17389
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
About
This PR includes a very simple fix for the
multi/http/log4shell_header_injection
exploit module to prevent it from performing.keys
onnil
in the scenario where log4shell was found via URIs instead of just headers.Details
I found the bug when I ran the exploit against a web server that had multiple log4shell vectors:
X-Forwarded-For
headerHowever, the module then crashed at the start of the
exploit
method because it tried to call.keys
onnil
on line 186:At that point
@checkcode&.details
looked like this:The problem occurred due to the use of the safe navigator
&.
for theempty?
call inside the reject block:This code initially looked fine to me, but for some reason this prevents items in
@checkcode.details
that do not have value for the:header
key from being removed from the Array. this means that after thereject
block finishes, the Array on which the.first
call is performed, is identical to the@checkcode.details
Array (since no items were removed), and the first item is then an item that has anil
value for the:headers
key:The fix
Fixing this issue is as simple as removing the safe navigator in the
reject
block and usingblank?
instead ofempty?
. This will prevent the module from breaking even when thereject
operation is performed on an empty Array:So instead of:
We can use
Proof:
How to replicate the issue
python3 -m http.server 80
@checkcode.details
in theexploit
method inlog4shell_header_injection.rb
to my example array:ForceExploit
to true and run the exploit to see it breaklog4shell_header_injection.rb
to change the following lineto