
@KosmX
Last active December 15, 2021 19:11
Overhyped RCE: CVE-2021-44228

The overhyped 0-day vulnerability...

I only show one side of the exploit and of the media reaction. Not everyone is wrong about it.

I won't detail the vulnerability here; if you don't know it, first check my repo KosmX/CVE-2021-44228-example,
or use an external reference. Be aware that most of the online details about this are misleading!

On December 9th, 2021 the vulnerability was discovered.
In short, you can trigger JNDI lookups by getting the application to log a specially crafted string.

Most media referred to it as an RCE (Remote Code Execution), and a very dangerous one.

And there are GitHub repos saying the same.

Most misleading news articles refer to https://twitter.com/_JohnHammond as proof or as their main source. He shared multiple images of successfully using the exploit on Minecraft.

Something is missing

No matter how hard I tried to reproduce the result or run other examples, it just didn't work (latest version of MS JDK 17).
But what did I do wrong?
At the time I did not know what JNDI is for; I just tried to copy code.
Eventually I understood JNDI well enough to realize the missing part.

A JNDI lookup loads remote objects of known types.

It does this through an ObjectFactory
(an interface that receives the data and outputs a copy of the remote object).

JNDI does NOT load remote code, and it will never do that.
Oh, wait.
Another vulnerability? In LDAP?

The missing piece

Some PoCs include the malicious class in the classpath; others use another vulnerability paired with this one.

The most commonly used vulnerability:

JDK-8196902

Java™ SE Development Kit 8, Update 191 Release Notes (oracle.com)
At the bottom:

JDK-8196902 (not public)

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 8u191 Bug Fixes page.

So what?

veracode-research/rogue-jndi: A malicious LDAP server for JNDI injection attacks (github.com) refers to it as:

  • RemoteReference.java - classic JNDI attack, leads to RCE via remote classloading, works up to jdk8u191

So, with a malicious payload, we can load a remote class in Java...
And with CVE-2021-44228 we can request that class loading on the target machine.

The fix for JDK-8196902 was released on October 16, 2018. Most users have updated since.

Using this is just not realistic.
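As an added example (my code, not from the gist or from KosmX's repo), a small Java program that turns the point above into a check you can run on a host: it reads `java.version` and the `com.sun.jndi.ldap.object.trustURLCodebase` / `com.sun.jndi.rmi.object.trustURLCodebase` system properties and reports whether a JNDI reference could still pull in a remote class on that JVM. The class name is hypothetical; the 8u191 boundary is the one stated above, while the JDK 9-11 cut-offs and the RMI default (8u121) are my assumptions.

```java
/** Added check, not from the gist: can a JNDI reference still load a remote class on this JVM? */
public final class JndiCodebaseCheck {

    // A missing or non-numeric version component counts as 0 ("1.8.0-ea" -> update 0).
    static int num(String[] p, int i) {
        try { return i < p.length ? Integer.parseInt(p[i]) : 0; }
        catch (NumberFormatException e) { return 0; }
    }

    /** "1.8.0_191" (JDK 8 style) -> {8, 191}; "11.0.1" or "17.0.1+12" (JDK 9+ style) -> {11, 1} / {17, 1}. */
    static int[] parseVersion(String version) {
        String[] p = version.split("[._+-]");
        return p[0].equals("1") ? new int[] {num(p, 1), num(p, 3)} : new int[] {num(p, 0), num(p, 2)};
    }

    /** JDK-8196902 (8u191, October 2018 CPU) switched the LDAP default to "do not trust URL codebases". */
    static boolean ldapCodebaseOffByDefault(int[] v) {
        if (v[0] == 8)  return v[1] >= 191;
        if (v[0] == 11) return v[1] >= 1;   // assumption: 11.0.1 shipped in the same CPU, 11.0.0 did not
        return v[0] > 11;                    // assumption: JDK 9 and 10 were end-of-life before the fix
    }

    /** Assumption: the RMI default was turned off earlier, in 8u121 (January 2017); JDK 9+ inherited that. */
    static boolean rmiCodebaseOffByDefault(int[] v) {
        return v[0] > 8 || (v[0] == 8 && v[1] >= 121);
    }

    /** An explicit -Dcom.sun.jndi.*.object.trustURLCodebase=true re-enables loading; null means JDK default. */
    static boolean effective(String prop, boolean offByDefault) {
        return prop == null ? !offByDefault : Boolean.parseBoolean(prop);
    }

    static String verdict(String version, String ldapProp, String rmiProp) {
        int[] v = parseVersion(version);
        boolean ldapOn = effective(ldapProp, ldapCodebaseOffByDefault(v));
        boolean rmiOn  = effective(rmiProp,  rmiCodebaseOffByDefault(v));
        if (!ldapOn && !rmiOn) {
            return "remote codebases disabled: a JNDI reference alone cannot pull in a remote class";
        }
        return "remote codebases ENABLED via " + (ldapOn ? "ldap " : "") + (rmiOn ? "rmi " : "")
             + "- the classic remote-classloading chain still works on this JVM";
    }

    public static void main(String[] args) {
        String version = System.getProperty("java.version");
        System.out.println("java.version = " + version);
        System.out.println(verdict(version,
                System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"),
                System.getProperty("com.sun.jndi.rmi.object.trustURLCodebase")));
    }
}
```

Run it with the same JVM and the same `-D` flags as the application you are assessing, since a property that is set on the command line overrides the JDK default either way.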

But no one said a word about the other vulnerability.

Or even if they did, no one noticed.

Most likely because John Hammond did not mention it in his tweets.
Journalists don't check whether the science is correct; they just write about it, as fast as possible.
And this can lead to some confusion.

Log4j2 JNDI Injection is a gateway to JNDI vulnerabilities

This is not the only way Log4j can be exploited, but it is the one most commonly used in PoCs.
There are other JNDI vulnerabilities; rogue-jndi lists 5 of them.

How dangerous is this exactly?

Don't worry, the Log4j2 exploit is still a very powerful vulnerability. When paired with another JNDI vulnerability, it can lead to RCE.

It can also be used to extract environment variables, and for that no other vulnerability is needed.

More about it here: KosmX/CVE-2021-44228-example

Later John Hammond released a video where he shows the exploit, and indeed he uses an old Java version. BUT not a word about it.
https://www.youtube.com/watch?v=7qoPDq41xhQ
