From bd47385a6628ea93a7e76fcbda7df1c51dffa1f7 Mon Sep 17 00:00:00 2001
From: Andreas Dann <adann@mail.uni-paderborn.de>
Date: Wed, 15 Dec 2021 14:51:16 +0100
Subject: [PATCH 1/3] add process check

---
 README.md                                     |   7 +
 pom.xml                                       | 238 +++++++++---------
 .../log4jshell/Log4JProcessDetector.java      |  62 +++++
 3 files changed, 191 insertions(+), 116 deletions(-)
 create mode 100644 src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java

diff --git a/README.md b/README.md
index 49dd780..050b733 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,13 @@ CVE-2021-44228 found declared as dependency in META-INF/maven/org.apache.logging
 CVE-2021-44228 found in class file org/apache/logging/log4j/core/net/JndiManager$1.class
 ```
 
+## How to run this tool on a live server (no need to stop your running Java instances)
+
+1. Download the [jar file](https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector/releases/download/v0.5/Log4JDetector-0.5-jar-with-dependencies.jar) under releases.
+2. Run `java -cp <PATH_TO_DOWNLOADED_JAR> de.codeshield.log4jshell.Log4JProcessDetector`
+3. The jar searches the classpath of all running java processes for vulnerable log4j instances
+
+
 ## Background on CVE-2021-44228
 A serious Remote Code Execution vulnerability has been discovered within log4j and version 2.0-beta9 to 2.14 are affected. The vulnerability has been classified as critical, as it affected log4j one of the most used logging libraries for Java. There are many references and article out there.
 
diff --git a/pom.xml b/pom.xml
index 49e01a2..7bf7738 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,126 +1,132 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <modelVersion>4.0.0</modelVersion>
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
 
-  <groupId>de.codeshield.log4shell</groupId>
-  <artifactId>Log4JDetector</artifactId>
-  <version>0.4</version>
+    <groupId>de.codeshield.log4shell</groupId>
+    <artifactId>Log4JDetector</artifactId>
+    <version>0.4</version>
 
-  <name>cve-2021-44228-detector</name>
-  <url>https://codeshield.io</url>
+    <name>cve-2021-44228-detector</name>
+    <url>https://codeshield.io</url>
 
-  <properties>
-    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <maven.compiler.source>1.7</maven.compiler.source>
-    <maven.compiler.target>1.7</maven.compiler.target>
-  </properties>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
 
-  <dependencies>
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>4.13.1</version>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.maven</groupId>
-      <artifactId>maven-model</artifactId>
-      <version>3.8.4</version>
-    </dependency>
-    <dependency>
-      <groupId>commons-io</groupId>
-      <artifactId>commons-io</artifactId>
-      <version>2.11.0</version>
-    </dependency>
-    <!-- https://mvnrepository.com/artifact/org.apache.maven/maven-project -->
-    <dependency>
-      <groupId>org.apache.maven</groupId>
-      <artifactId>maven-project</artifactId>
-      <version>2.2.1</version>
-    </dependency>
-    <!-- https://mvnrepository.com/artifact/commons-codec/commons-codec -->
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-      <version>1.15</version>
-    </dependency>
+    <dependencies>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.13.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.maven</groupId>
+            <artifactId>maven-model</artifactId>
+            <version>3.8.4</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.11.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.maven/maven-project -->
+        <dependency>
+            <groupId>org.apache.maven</groupId>
+            <artifactId>maven-project</artifactId>
+            <version>2.2.1</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/commons-codec/commons-codec -->
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.15</version>
+        </dependency>
 
-    <dependency>
-      <groupId>com.opencsv</groupId>
-      <artifactId>opencsv</artifactId>
-      <version>5.5.2</version>
-    </dependency>
-  </dependencies>
+        <dependency>
+            <groupId>com.opencsv</groupId>
+            <artifactId>opencsv</artifactId>
+            <version>5.5.2</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
 
-  <build>
-    <plugins>
-      <plugin>
-        <artifactId>maven-assembly-plugin</artifactId>
-        <configuration>
-          <archive>
-            <manifest>
-              <mainClass>de.codeshield.log4jshell.Log4JDetector</mainClass>
-            </manifest>
-          </archive>
-          <descriptorRefs>
-            <descriptorRef>jar-with-dependencies</descriptorRef>
-          </descriptorRefs>
-        </configuration>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-compiler-plugin</artifactId>
-        <configuration>
-          <source>8</source>
-          <target>8</target>
-        </configuration>
-      </plugin>
-    </plugins>
-    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
-      <plugins>
-        <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
-        <plugin>
-          <artifactId>maven-clean-plugin</artifactId>
-          <version>3.1.0</version>
-        </plugin>
-        <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
-        <plugin>
-          <artifactId>maven-resources-plugin</artifactId>
-          <version>3.0.2</version>
-        </plugin>
-        <plugin>
-          <artifactId>maven-compiler-plugin</artifactId>
-          <version>3.8.0</version>
-        </plugin>
-        <plugin>
-          <artifactId>maven-surefire-plugin</artifactId>
-          <version>2.22.1</version>
-        </plugin>
-        <plugin>
-          <artifactId>maven-jar-plugin</artifactId>
-          <version>3.0.2</version>
-        </plugin>
-        <plugin>
-          <artifactId>maven-install-plugin</artifactId>
-          <version>2.5.2</version>
-        </plugin>
-        <plugin>
-          <artifactId>maven-deploy-plugin</artifactId>
-          <version>2.8.2</version>
-        </plugin>
-        <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
-        <plugin>
-          <artifactId>maven-site-plugin</artifactId>
-          <version>3.7.1</version>
-        </plugin>
-        <plugin>
-          <artifactId>maven-project-info-reports-plugin</artifactId>
-          <version>3.0.0</version>
-        </plugin>
-      </plugins>
-    </pluginManagement>
-  </build>
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>de.codeshield.log4jshell.Log4JDetector</mainClass>
+                        </manifest>
+                    </archive>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>8</source>
+                    <target>8</target>
+                </configuration>
+            </plugin>
+        </plugins>
+        <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+            <plugins>
+                <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+                <plugin>
+                    <artifactId>maven-clean-plugin</artifactId>
+                    <version>3.1.0</version>
+                </plugin>
+                <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+                <plugin>
+                    <artifactId>maven-resources-plugin</artifactId>
+                    <version>3.0.2</version>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-compiler-plugin</artifactId>
+                    <version>3.8.0</version>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-surefire-plugin</artifactId>
+                    <version>2.22.1</version>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-jar-plugin</artifactId>
+                    <version>3.0.2</version>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-install-plugin</artifactId>
+                    <version>2.5.2</version>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-deploy-plugin</artifactId>
+                    <version>2.8.2</version>
+                </plugin>
+                <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+                <plugin>
+                    <artifactId>maven-site-plugin</artifactId>
+                    <version>3.7.1</version>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-project-info-reports-plugin</artifactId>
+                    <version>3.0.0</version>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
 </project>
diff --git a/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java b/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
new file mode 100644
index 0000000..6ba11ee
--- /dev/null
+++ b/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
@@ -0,0 +1,62 @@
+package de.codeshield.log4jshell;
+
+import org.apache.commons.lang.StringUtils;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class Log4JProcessDetector {
+
+  public static void main(String[] args) throws IOException {
+
+    // grep process (works on mac and linux)
+    List<String> commands = new ArrayList<String>();
+    commands.add("/bin/sh");
+    commands.add("-c");
+    commands.add("ps -ef | grep java");
+
+    Process process = new ProcessBuilder(commands).start();
+    BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
+    StringBuilder builder = new StringBuilder();
+    List<String> lines = new ArrayList<>();
+    String line = null;
+    while ((line = reader.readLine()) != null) {
+      lines.add(line);
+    }
+    String result = builder.toString();
+
+    // analyze each output
+    // search for the "-classpath" parameter
+    for (String outputLine : lines) {
+      final String searchStr = "-classpath";
+      final int i = StringUtils.indexOf(outputLine, searchStr);
+      if (i > 0) {
+        String cpArgs = outputLine.substring(i + searchStr.length() + 1);
+
+        // scan for jar files
+        String[] cpArgsSplit = cpArgs.split(File.pathSeparator + "");
+        final List<String> foundJarsOnCp =
+            Arrays.stream(cpArgsSplit)
+                .map(x -> StringUtils.substring(x, 0, StringUtils.indexOf(x, ".jar") + 4))
+                .collect(Collectors.toList());
+
+        for (String jarFile : foundJarsOnCp) {
+          Log4JDetector detector = new Log4JDetector();
+          detector.run(args[0]);
+        }
+
+      } else {
+        // no classpath arg found
+        continue;
+      }
+    }
+
+    System.out.println(result);
+  }
+}

From a88d302fdb17b8ccdd3370ef3aecad3051394798 Mon Sep 17 00:00:00 2001
From: Andreas Dann <adann@mail.uni-paderborn.de>
Date: Wed, 15 Dec 2021 14:56:11 +0100
Subject: [PATCH 2/3] add -cp as argument

---
 .../de/codeshield/log4jshell/Log4JProcessDetector.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java b/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
index 6ba11ee..780b08a 100644
--- a/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
+++ b/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
@@ -34,8 +34,14 @@ public static void main(String[] args) throws IOException {
     // analyze each output
     // search for the "-classpath" parameter
     for (String outputLine : lines) {
-      final String searchStr = "-classpath";
-      final int i = StringUtils.indexOf(outputLine, searchStr);
+      String searchStr = "-classpath";
+      int i = StringUtils.indexOf(outputLine, searchStr);
+      if (i == -1) {
+        // check if someone used -cp
+        searchStr = "-cp";
+        i = StringUtils.indexOf(outputLine, searchStr);
+      }
+
       if (i > 0) {
         String cpArgs = outputLine.substring(i + searchStr.length() + 1);
 

From 7a3558086444fb95c142c5c7d14708c17c7136b9 Mon Sep 17 00:00:00 2001
From: Johannes Spaeth <johannes.spaeth@codeshield.de>
Date: Wed, 15 Dec 2021 15:07:06 +0100
Subject: [PATCH 3/3] Adding output

---
 .../codeshield/log4jshell/Log4JProcessDetector.java   | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java b/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
index 780b08a..ddce695 100644
--- a/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
+++ b/src/main/java/de/codeshield/log4jshell/Log4JProcessDetector.java
@@ -46,15 +46,20 @@ public static void main(String[] args) throws IOException {
         String cpArgs = outputLine.substring(i + searchStr.length() + 1);
 
         // scan for jar files
-        String[] cpArgsSplit = cpArgs.split(File.pathSeparator + "");
+        String[] cpArgsSplit = cpArgs.split(File.pathSeparator);
         final List<String> foundJarsOnCp =
             Arrays.stream(cpArgsSplit)
                 .map(x -> StringUtils.substring(x, 0, StringUtils.indexOf(x, ".jar") + 4))
                 .collect(Collectors.toList());
 
         for (String jarFile : foundJarsOnCp) {
-          Log4JDetector detector = new Log4JDetector();
-          detector.run(args[0]);
+          try {
+            Log4JDetector detector = new Log4JDetector();
+            System.out.println("Scanning jar file " + jarFile);
+           // detector.run(jarFile);
+          } catch (Exception e){
+            System.out.println("Could not scan jar file " + jarFile);
+          }
         }
 
       } else {