You saying "just came out a few days ago" makes it sound like a fun new game just got released haha

@MalwareTechBlog

2 жыл бұрын

Yeah lol, I just realized that 😂

@techutility

2 жыл бұрын

🤣🤣🤣🤣🤣

@-bubby9633

2 жыл бұрын

Tbf for us security professionals this is basically like a new game was just released 😂

@dipankarmitra3334

2 жыл бұрын

@@-bubby9633 🤣🤣🤣

@OmprakashYadavIIT

2 жыл бұрын

😂😂

Great demonstration, Marcus!

@anuzravat

2 жыл бұрын

U got 1 subscriber

@seppy624

2 жыл бұрын

hey john

@Clytax

4 ай бұрын

@@anuzravatMore like 1.2million

It's my first week working in cyber security environment professionally. Trying to get a grasp on my organization's infrastructure while trying to help with the log4j vuln has been a real trial by fire lol. Always enjoy your content!

@complexedone

2 жыл бұрын

I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.

@jasrid04

2 жыл бұрын

Welcome to the industry and good luck!

@devinmagee1948

2 жыл бұрын

@@complexedone Good Luck. We will get there eventually!

@manfrombritain6816

2 жыл бұрын

what have you been doing to help? what's your role? i'm looking to start in security soon!

@jdemuro1

2 жыл бұрын

Best way to learn quickly though. This is a blessing in disguise for you!

I love how you actually demonstrate the vulnerability and not just talk about it, like what most others are doing. Keep it up mate, you've got my Subscribe!

@zedzpan

2 жыл бұрын

Yup, learnt more from this than the over engineered blogs I've been tracking!

@slaloulin8289

2 жыл бұрын

not to mention how he only did it in ~3 mins, saves a lot of times for such a great explanation

Clicking various links for 30 minutes, trying to understand the issue, and you explain it in less than 4. Thank you!

Thanks Marcus. I appreciate your ability to explain a vulnerability like this and demo it in a really understandable way.

With videos out there in 20+ mins and you here with less than 4 mins explaining it so clearly, I know which video to click from next time.

I had problem understand this from days and you explained it under 4 mins. You're amazing Marcus 👏❤️

This is one of the great demonstrations I have listened on KZread. You are amazing!!

This explanation is so cool! I’ve been hearing about the vulnerability but nobody took the time to explain it this way. Thank you! :)

Very well explained. Good video Marcus!

One of the best explanations with practical demo. Thank you ..

"versatile" is the key word for this vulnerability. thanks for explaining! :)

First time understanding what this means. Thanks.

I work in IT and the last week or two has been absolutely mental thanks to this

Always cool to see a Marcus video out on a new vuln!

Just started a new job, and moved my support area from networking to applications. Day 1 of the new gig and I was hearing it was an all-hands to deal with the "new vulnerability". Thankfully new enough that there was no headache for me to deal with, but oof, glad to see what they were up against!

Thanks for such layman explanation, I was able to grasp it..

Thank You Marcus, simple but quiet clear to understand

Greetings from Indonesia, I really admire you, and you are great. I'm just a beginner who wants to learn like you from the bottom

the variable thing in a string is called string interpolation my dude!

thank you for this video marcus!!! alot of news on this and this has helped me out get a better understanding of how the vulnerability functions

Nice explanation, I believe showing how easy it is to do is the scary part more than anything since a lot of applications use log4j.

The ${…} syntax is not part of Java - it’s solely a Log4j syntax. (If it were part of java there would have been no problem, as it would have been evaluated at compile-time, not run-time)

@marcellkovacs5452

2 жыл бұрын

@@kpaxxapk6397 the logger should sanitise the input the same way an ORM sanitises model insance lookups to avoid SQL injection.

@zaitarh

2 жыл бұрын

​@@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it. I've used Log4j before some years ago, and never knew about that "Lookup" feature - and aparently i was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as i don't want the text i log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...

@zaitarh

2 жыл бұрын

@@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);

@fox2code

2 жыл бұрын

@@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.

@reemontel8036

2 жыл бұрын

No idea why I always assume the ${...} syntax is Spel from the spring spell syntax but I'm not 100% sure if that's correct or not

Great video! plain, simple and without bias.

Thanks for simplifying the vulnerability

Great job at presenting the vulnerability!

Finally no bullshitting around. Straight to the point and understandable for every novice programmer

just what am looking for....thx dude

good explination. told exactly what it is and how it works. yeah i know what im looking at already but for anyone else that has no idea, this is the video they should watch

I can't believe that it is that simple. The first thing you learn is always to control the input that is given. That is why you wont just take the given SQL command and execute it. To think that log4j didn't sanitise their input ist just CRAZY. That's a one liner, my god...

Fantastic demonstration!

Subbed. That was an excellent explanation.

Hi Marc, great video. If I see it right, the outbound connections to e.g. a LDAP server is always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!

Best summary yet

clean explanation marcus!

'Drop bobby tables' for Java. Nice! Thank you for this.

Thanks Marcus! Sweet and clean explanation!

This 4 minute video was more clear and valuable then the 30minute one i just watched on this rce

@edgay

2 жыл бұрын

cough johnhammond cough

You made this very easy to understand. thanks!

Better than java brains log4j explanation,now i understand

Could you solve this issue by looking for an outcommenting the feature in the log4j library?

How can you set up the LDAP server on localhost and which port to choose?

great explanation and demo

when I try to do same thing in my eclipse using log4j It is simply printing in log message.. Any clue why ?

Great explanation. And wow.

Great video. Question, so is the problem that even though log4j stores that command string in a log file it gets executed while being written to the file?

And if I go to 2b2t from my phone, for example, will the exploit work on me? (I play java minecraft on my phone)

Nice explanation ! Thank you :)

well, well that's really interesting thanks for uploading!

Simple. To the point. Thanks man

Hello, i am just curious. I have a statement and would like to know if my logic is correct. The vulnerability is caused due to no input checking in the program, allowing unintentional interaction with the user? Is this a correct way to view this or am i way off base?

Concise and to the point, thanks!

impactful explanation thanks

Great demonstration , thank you !

I have to ask, what happens if you are running a VPN? Will the VPNs server get infected with whatever malware/ransomware/trojan/ddos/worm a black hat sends their way?

hi can anyone help me when i try to inject any executor in any game it says "This exploit is down while critical ace/rce vuln is fixed" this is on roblox btw

nice demo, thanks!

Thx daddy great explanation

How to fix the issue any steps are there

Can u also input a lambda?

Great video

Wasn't the base64 an extra indirection? The class you're loading can't pop Calc.exe directly? 🙄

Thanks, really helpful.

I love your videos

Wow, that is a pretty glaring vulnerability. Amazing it's only just been discovered.

I still don't get it. What is it that is being returned over LDAP? Is it the base64-encoded string "calc.exe"? Is it a Java object which is doing Runtime.getRuntime().exec("calc.exe")? It's been nearly a week and I still don't get it!

Thank you for this!

So you're telling me that the Log4j vulnerability is roughly the same as there was with linux a while ago where if you put something like [{:}};} (don't remember the exact spelling) you can then enter a command that can be executed from an app or the other thing that happened to twitter where you could send a tweet that would retweet itself in your browser... Why is it always the same vulnerability that is found?

I know I’m late to the party but I would greatly appreciate it of someone could clarify some things for me: 1) that error at the end, I cant quite catch it but I figure it must be due to the fact that the downloaded object cannot be concatenated without a toString method or something like that? 2) Isnt that base64 ‘calculator.exe’ just a directory on your server, not part of the actual object? 3) what is that on line 8? Is setting that property necessary for this exploit to work? Again, I appreciate highly any response :)

I wonder how many 0-day expoits out there in the open software.

Isn't 1.8 not vulnerable from the exploit though?

how does an attacker make the call in the first place though? (have access to call the function with the string

@MalwareTechBlog

2 жыл бұрын

By controlling some input that gets logged by the application

Maybe I'm overlooking things but it seems so obvious. How did this vulnerability take years to discover?

Isn't it somewhat similar to SQL Injection?

Awesome video! Quick question: What is the symbol you have on line 11 of your code just after "logger.error(" but before "Hello..."

@corv882002

2 жыл бұрын

It says "s:" and is inserted by the ide to let you know what the parameter's called

@philipjfry4465

2 жыл бұрын

parameter hinting

thank you, very heplful

Great explanation. I just didn't quite understand one thing. Is it necessary for the object you are loading to exist in the ldap server ?

@isomeme

2 жыл бұрын

Yes, but as the attacker can point the lookup to an ldap server they control, that's easy to arrange.

To be clear, it's the log4j logger that is doing the ${variable} expansion, and not the shell (?) e.g., if you print out username within the code it is not a problem, but log4j is (somehow) executing it ? Thanks!

@MalwareTechBlog

2 жыл бұрын

Correct

Thanks for the demo. May i know what will be the parent process of "calc.exe"? would it be "java.exe"?

@MalwareTechBlog

2 жыл бұрын

Yup, it'll be the java VM

Pretty much every security team in an organization is stuck on log4j meeting 😜 Wonderful explanation though of the exploit.

Right to the point. Thanks man.

You are the man Marcus, one thing though, how can i emulate this into my environment, I tried your commands and getting Error: Could not find or load main class Main error.

thanks for the explanation, going to make a documentary on this!

@tansanwastaken

2 жыл бұрын

Purchased botted sub account, ratio

@mandokir

2 жыл бұрын

Great, a whole documentary nobody asked for.

Coming from a C++ background, I can't see why the code in "username" gets evaluated. Is it because log4j triggers this evaluation somehow ? Why would it do that ?

@scarletdice

2 жыл бұрын

correct, log4j evaluates the variable that is wrapped around by ${...} (its own syntax for string interpolation). That and combined by some remote JNDI lookup/mechanism within the library itself, a feature that they claimed were needed for backward compatibility purposes (??). Note that JNDI is a standard in Java that allows remote object load/lookup (!!).

tks, Marcus!

Great great great video

This video is perfect

what terminal thing are you using where you can see both the application code and terminal? (Im a noob dont yell LOL)

@nickpechie6951

2 жыл бұрын

thats the built in terminal in IntelliJ

Its not a part of java as somebody mentioned before. The syntax is kind of string interpolation though.

It's quite a good video but I think you should have talken about the jndi/ldap breach that enable rce. Jndi/ldap basically doesn't allow to inject malicious code, but a breach form 2017 make it possible to inject and initialize a custom Java class the ldap server redirects to

Great. Now show the LDAP server configuration and how exactly it serves the java object payload. None of the videos seem to explain how that works. They either evade it or use marshalsec LDAP server also never explaining how it works.

I'm still confused about how the jndi payload gets executed (i.e. calc.exe) in this case - isn't the jndi lookup just returning data? what is it that makes it actually execute calc.exe??? nobody seems to be able to explain this.

@arvidmildner6274

2 жыл бұрын

As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.

@53kt0r

2 жыл бұрын

To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource is loading thru JNDI and passed it to the log4j logguer as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!

${variable} is EL expression for server scripting. Looks similar with string interpolation from c# : $"{yourVarHere}"

Thank you so much.

Words cannot describe- how did this slip unnoticed? I cannot imagine writing code that would result in behavior like this, and yet it must surely be a trap even experienced developers might fall into.

@maxwellmapako3820

2 жыл бұрын

I honestly believe that you cannot cater for what you don't expect 🤣

@jayit6851

2 жыл бұрын

@@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.

@user-do6gr5ww5e

2 жыл бұрын

I was just thinking - this seems adjacent to our classic case of SQL injection. Crazy

thank you!

How has this just came out? Seems like a pretty straight forward exploit? Was it a new feature of log4j or something that has existed for a long time?

@jeremyFaden

2 жыл бұрын

Since 2013

Upgrading to 2.15/2.16 version of Log4J resolves this.

Nice demonstration, but the code is unreadable on a medium-sized smartphone like mine. Please consider zooming or increasing the font size before uploading.