@d3fc0nmm
Last active Dec 19, 2021
<#
.SYNOPSIS
log4j-search.ps1 scans all local drives for log4j jar files and inspects each jar to determine whether it is vulnerable to CVE-2021-44228 (JNDI lookup RCE) or CVE-2021-45105 (uncontrolled recursion DoS).
.DESCRIPTION
Requires .NET 4+ (System.IO.Compression).
Scans your local drives for files named log4j*.jar, reads Implementation-Version from META-INF/MANIFEST.MF and checks whether the jar still ships JndiLookup.class.
Only files whose name matches log4j*.jar are examined: log4j-core classes shaded into another jar or packaged inside a WAR/EAR are not detected.
USAGE
.\log4j-search.ps1
.\log4j-search.ps1 -verbose 1 # lists all matching log4j jar files, including ones that are not vulnerable
#>
param ( [bool]$verbose )
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Parse "Implementation-Version: 2.14.1" (also "2.0-beta9", "2.0.1-rc1") into a [version]; unparseable => 0.0.0
function ConvertTo-Log4jVersion ([string]$manifestLine) {
    if ($manifestLine -match '(\d+)\.(\d+)(?:\.(\d+))?') {
        $build = if ($Matches[3]) { $Matches[3] } else { '0' }
        return [version]"$($Matches[1]).$($Matches[2]).$build"
    }
    return [version]'0.0.0'
}

$log4jFilter = "log4j*.jar"
$jarFiles = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Name.Length -eq 1 } |
    Select-Object -ExpandProperty Root |
    Get-ChildItem -File -Recurse -Filter $log4jFilter -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
$result = $null

foreach ($jarFile in $jarFiles) {
    $jndiExists = $false
    $implementationVersion = 'Implementation-Version: 0.0.0'
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jarFile)
        # CVE-2021-44228 needs the JndiLookup class; deleting it from the jar is the documented mitigation
        if ($zip.Entries | Where-Object { $_.Name -eq 'JndiLookup.class' }) {
            $jndiExists = $true
            if ($null -eq $result) { $result = "NOT vulnerable but Jndi class found" }
        }
        # Read the manifest straight from the archive rather than extracting it to a temp file
        $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
        if ($manifest) {
            $reader = New-Object System.IO.StreamReader($manifest.Open())
            try {
                $versionLine = $reader.ReadToEnd() -split '\r?\n' |
                    Where-Object { $_ -like 'Implementation-Version: *' } | Select-Object -First 1
            } finally { $reader.Dispose() }
            if ($versionLine) { $implementationVersion = $versionLine.Trim() }
        }
    } catch {
        Write-Warning "Could not read ${jarFile}: $_"
        continue
    } finally {
        if ($zip) { $zip.Dispose() }   # release the file handle instead of leaking one per jar
    }

    $ver = ConvertTo-Log4jVersion $implementationVersion
    $is2x = $ver.Major -eq 2
    # CVE-2021-44228 (RCE): log4j-core 2.0-beta9 through 2.14.1; fixed in 2.15.0 and backported as 2.12.2 (Java 7) and 2.3.1 (Java 6)
    $rceFixed = ($ver -ge [version]'2.15.0') -or
                ($ver.Minor -eq 12 -and $ver.Build -ge 2) -or
                ($ver.Minor -eq 3 -and $ver.Build -ge 1)
    # CVE-2021-45105 (DoS): 2.0-alpha1 through 2.16.0, so 2.16.0 itself is affected; fixed in 2.17.0 and backported as 2.12.3 and 2.3.1
    $dosFixed = ($ver -ge [version]'2.17.0') -or
                ($ver.Minor -eq 12 -and $ver.Build -ge 3) -or
                ($ver.Minor -eq 3 -and $ver.Build -ge 1)

    # The two checks are independent: an unpatched log4j-core 2.14.1 is reported for both
    $flags = @()
    if ($is2x -and -not $rceFixed -and $jndiExists) { $flags += 'VULNERABLE to RCE (CVE-2021-44228)' }
    if ($is2x -and -not $dosFixed -and ($jarFile -match 'log4j-core')) { $flags += 'VULNERABLE to DoS (CVE-2021-45105)' }
    if ($flags.Count -gt 0) {
        Write-Output "$jarFile $implementationVersion - $($flags -join ', ')"
        $result = "Vulnerable"
    } elseif ($verbose) {
        Write-Output "$jarFile $implementationVersion"
    }
}
if ($null -eq $result) { $result = "Not Vulnerable" }
Write-Host "This system is $result"
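The script above only examines files whose name matches log4j*.jar, so a log4j-core copy sitting inside a WAR or EAR under WEB-INF/lib, or shaded into an application's own fat jar, is never opened. The following is an added example (not the gist author's code) that walks an archive and every archive nested inside it, reporting each JndiLookup.class it finds together with the Implementation-Version of the archive that directly contains it. The function names, the depth limit and the C:\apps scan root are this example's own assumptions.

```powershell
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Implementation-Version from META-INF/MANIFEST.MF of one archive, or 'unknown'
function Get-ManifestVersion ([System.IO.Compression.ZipArchive]$Archive) {
    $entry = $Archive.GetEntry('META-INF/MANIFEST.MF')
    if (-not $entry) { return 'unknown' }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try {
        foreach ($line in ($reader.ReadToEnd() -split '\r?\n')) {
            if ($line -like 'Implementation-Version: *') {
                return ($line -replace '^Implementation-Version:\s*', '').Trim()
            }
        }
    } finally { $reader.Dispose() }
    return 'unknown'
}

# Emit one object per JndiLookup.class found in $Archive or in any archive nested inside it.
# The class is matched by file name only, so relocated (shaded) packages are still caught.
function Find-JndiLookup {
    param(
        [System.IO.Compression.ZipArchive]$Archive,
        [string]$Path,        # display path such as C:\apps\app.war!WEB-INF/lib/log4j-core-2.14.1.jar
        [int]$Depth = 0
    )
    if ($Depth -gt 5) { return }   # assumed limit: guard against runaway nesting
    foreach ($entry in $Archive.Entries) {
        if ($entry.Name -eq 'JndiLookup.class') {
            [pscustomobject]@{
                Location = $Path
                Class    = $entry.FullName
                Version  = Get-ManifestVersion $Archive   # version of the archive that directly holds the class
            }
        } elseif ($entry.FullName -match '\.(jar|war|ear|zip)$') {
            # Entry streams are not seekable, so buffer the nested archive in memory before opening it
            $buffer = New-Object System.IO.MemoryStream
            $stream = $entry.Open()
            try { $stream.CopyTo($buffer) } finally { $stream.Dispose() }
            $buffer.Position = 0
            try {
                $nested = New-Object System.IO.Compression.ZipArchive($buffer, [System.IO.Compression.ZipArchiveMode]::Read)
            } catch {
                Write-Warning "Skipping unreadable nested archive $Path!$($entry.FullName): $_"
                $buffer.Dispose()
                continue
            }
            try {
                Find-JndiLookup -Archive $nested -Path "$Path!$($entry.FullName)" -Depth ($Depth + 1)
            } finally { $nested.Dispose() }   # also disposes $buffer
        }
    }
}

function Find-JndiLookupInFile ([string]$FilePath) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($FilePath)
    try { Find-JndiLookup -Archive $zip -Path $FilePath } finally { $zip.Dispose() }
}

# Usage: the scan root is an assumption; point it at wherever your applications are deployed
Get-ChildItem -Path 'C:\apps' -Recurse -File -Include *.jar,*.war,*.ear -ErrorAction SilentlyContinue |
    ForEach-Object { Find-JndiLookupInFile $_.FullName } |
    Format-Table -AutoSize
```

Each hit is reported with the path chain into the archive (outer file, then each nested entry separated by `!`), which is what you need to decide whether to patch the deployable or just remove the class. The version column comes from the manifest of the archive that directly contains the class, so for a JndiLookup.class unpacked under WEB-INF/classes it shows the WAR's own version rather than log4j's.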

d3fc0nmm commented Dec 17, 2021

By default, the script will now only show jar files containing the jndi class that are older than version 2.15.

Use "-verbose 1" to show all matching log4j jar files, including ones NOT containing the jndi class.


d3fc0nmm commented Dec 19, 2021

Updated script to help identify Log4j version vulnerable to CVE-2021-45105.
