---
title: "Log4Shell"
date: 2022-01-12T14:07:23+05:30
draft: false
tags: ["exploit", "linux", "windows"]
---

The Log4Shell exploiter exploits
[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

### Description

Some versions of Apache Log4j, a Java logging framework, have a logging feature
called "Message Lookup Substitution" enabled by default. This allows certain
special strings to be replaced with dynamically generated strings at the time of
logging. If log messages or log message parameters can be controlled by an
attacker, arbitrary code can be executed. The Log4Shell exploiter takes
advantage of this vulnerability to propagate to a victim machine.

You can learn more about this vulnerability and potential mitigations
[here](https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0_.28Java_8.29).

### Services exploited

The Infection Monkey will attempt to exploit the Log4Shell vulnerability in the
following services:

- Apache Solr
- Apache Tomcat
- Logstash

**Note**: Even if none of these services are running in your environment,
running the Log4Shell exploiter can be a good way to test your IDS/IPS or EDR
solutions. These solutions should detect that the Infection Monkey is attempting
to exploit the Log4Shell vulnerability and raise an appropriate alert.