Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Apache Log4j allows insecure JNDI lookups - 702

CMU, posted 4 years ago
  • Log4J is a popular logging framework for Java, used by many large applications, including AWS. The vulnerability is similar to a format string bug: data within a string was being treated as trusted input when it should not have been, so user-provided strings ended up with far more capability than a log message should ever have.
  • The default configuration of Apache Log4J supports Java Naming and Directory Interface (JNDI) lookups, which means it can execute arbitrary code. Beyond that, LDAP, DNS and Java object lookups would also be possible. Really, it's that simple: put a string containing ${jndi:ldap://localhost:1389/a} somewhere that gets logged and Log4J will make a call to that address and execute arbitrary code.
  • The patch disables JNDI lookups by default. This is now a configurable feature that can be turned back on if you like RCE from logging (lolz).
  • In some non-default configurations, the vulnerability could still be exploited: when data is passed to other locations besides the message, it can lead to issues. Praetorian shows a proof of concept of this exfiltrating data. Additional details can be found in a Twitter thread.
  • CVE-2021-44228 and CVE-2021-45046 are some of the worst vulnerabilities ever discovered, given how widely the Log4J package is used. I suspect, down the road, this will be talked about alongside Heartbleed and Shellshock.
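As an added example (my own code, not from the CMU post or the Log4J project), here is a small detector that scans log lines for the `${jndi:<scheme>:` lookup pattern described above, so a defender can flag attempts in web-server or application logs. The sample log lines are constructed; the first carries the `${jndi:ldap://localhost:1389/a}` string quoted above, and the third wraps a character in a nested `${lower:...}` lookup, which Log4J resolves before the outer lookup, so the detector flattens single-character nested lookups before matching.

```python
import re

# Constructed sample log lines (not from the original page). The payload in the
# first line is the one quoted in the notes above; the third line hides the
# "j" inside a nested ${lower:j} lookup that Log4J would resolve first.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://localhost:1389/a}"',
    '10.0.0.6 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 404 "${${lower:j}ndi:rmi://127.0.0.1:1099/x}"',
]

# ${lower:x} / ${upper:x} wrapping a single character.
NESTED_CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^{}$])\}')
# ${anything:-x}: an undefined lookup that falls back to the default value x.
DEFAULT_VALUE_LOOKUP = re.compile(r'\$\{[^{}]*?:-([^{}$])\}')
# The outer lookup we actually care about: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:\s*(\w+)\s*:', re.IGNORECASE)


def normalise(text):
    """Collapse single-character nested lookups until nothing changes.

    Every substitution shortens the string, so the loop terminates.
    """
    previous = None
    while previous != text:
        previous = text
        text = NESTED_CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = DEFAULT_VALUE_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line):
    """Return the lower-cased JNDI scheme names (ldap, rmi, dns, ...) in one log line."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalise(line))]


def scan(lines):
    """Return (line_index, [schemes]) for every line that carries a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((index, schemes))
    return hits


if __name__ == "__main__":
    for index, schemes in scan(SAMPLE_LOG_LINES):
        print(f"line {index}: JNDI lookup via {', '.join(schemes)}")
```

Running the block reports lines 0 and 2 (ldap and rmi respectively) and stays silent on the ordinary user-agent line. Matching on the normalised text rather than the raw line is the important design choice: a grep for the literal `${jndi:` misses the nested form entirely, which is exactly why the patch that disables lookups by default matters more than any pattern-based filter.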