@jsvd
Last active December 13, 2021 12:16
# encoding: utf-8
# Script to test a local Logstash instance for JNDI lookups (Log4j vulnerability)
#
# To run, copy the script to the Logstash folder and run:
#
# bin/ruby script.rb
#
# Script's steps:
# Step 1: set up the environment
# Step 2: open a TCP socket on port 2000
# Step 3: log a JNDI reference and see if there's a connection request
# Step 4: if there is a connection, the instance is vulnerable; log accordingly
# Step 5: clean up
################### Setup Logstash and Log4j ##################
require_relative "lib/bootstrap/environment"
LogStash::Bundler.setup!({:without => [:build, :development]})
require "logstash-core"
require "logstash/environment"
require "socket"

port = 2000
log4j_test_path = "/tmp/log4j.test.log"
# Point the log4j2 configuration at a throwaway file so the test does not
# write into the instance's real logs.
java.lang.System.setProperty("ls.logs", log4j_test_path)
java.lang.System.setProperty("ls.log.format", "plain")
java.lang.System.setProperty("ls.log.level", "info")
java.lang.System.setProperty("ls.pipeline.separate_logs", "false")
LogStash::Logging::Logger::reconfigure(URI.encode(::File.join(LogStash::Environment::LOGSTASH_HOME, "config", "log4j2.properties")))
include LogStash::Util::Loggable
################### Setup Logstash and Log4j ##################
# Listen on the port named in the JNDI string; any inbound connection means
# Log4j tried to resolve the lookup. The connection is closed immediately so
# the lookup fails fast inside the logging call.
server = TCPServer.new port
thread = Thread.new do
  client = server.accept
  $VULNERABLE = true
  client.close
  server.close
end
sleep 1
# A patched Log4j logs this string verbatim; a vulnerable one expands it and
# connects to 127.0.0.1:2000.
logger.info("${jndi:ldap://127.0.0.1:#{port}/obj}", "structured" => "message")
sleep 1
if $VULNERABLE
  logger.warn("This instance is vulnerable to JNDI Lookups. Please upgrade to 6.8.21 / 7.16.1")
else
  logger.info("This instance is NOT vulnerable to JNDI Lookups.")
end
logger.info("Cleaning up leftover log file", :path => log4j_test_path)
File.delete(log4j_test_path) rescue nil
server.close unless server.closed?  # no connection arrived: release the port
/tmp/logstash-7.16.0
❯ bin/ruby script.rb
Using bundled JDK: /tmp/logstash-7.16.0/jdk.app/Contents/Home
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to /tmp/log4j.test.log which is now configured via log4j2.properties
[2021-12-13T11:48:36,703][INFO ][object ] ${jndi:ldap://127.0.0.1:2000/obj} {"structured"=>"message"}
[2021-12-13T11:48:37,756][WARN ][object ] This instance is vulnerable to JNDI Lookups. Please upgrade to 6.8.21 / 7.16.1
[2021-12-13T11:48:37,757][INFO ][object ] Cleaning up leftover log file {:path=>"/tmp/log4j.test.log"}
/tmp/logstash-7.16.0
❯ zip -q -d /tmp/logstash-7.16.0/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
/tmp/logstash-7.16.0
❯ bin/ruby script.rb
Using bundled JDK: /tmp/logstash-7.16.0/jdk.app/Contents/Home
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to /tmp/log4j.test.log which is now configured via log4j2.properties
[2021-12-13T11:49:18,757][INFO ][object ] ${jndi:ldap://127.0.0.1:2000/obj} {"structured"=>"message"}
[2021-12-13T11:49:19,764][INFO ][object ] This instance is NOT vulnerable to JNDI Lookups.
[2021-12-13T11:49:19,765][INFO ][object ] Cleaning up leftover log file {:path=>"/tmp/log4j.test.log"}
@jsvd (Author) commented Dec 13, 2021

Tested on new 6.8.21 and 7.16.0 build candidates:

/tmp/test/logstash-6.8.21
❯ bin/ruby script.rb
Sending Logstash logs to /tmp/log4j.test.log which is now configured via log4j2.properties
[2021-12-13T12:14:08,537][INFO ][object                   ] ${jndi:ldap://127.0.0.1:2000/obj} {"structured"=>"message"}
[2021-12-13T12:14:09,555][INFO ][object                   ] This instance is NOT vulnerable to JNDI Lookups.
[2021-12-13T12:14:09,556][INFO ][object                   ] Cleaning up leftover log file {:path=>"/tmp/log4j.test.log"}

/tmp/test/logstash-7.16.1
❯ bin/ruby script.rb
Using bundled JDK: /tmp/test/logstash-7.16.1/jdk.app/Contents/Home
Sending Logstash logs to /tmp/log4j.test.log which is now configured via log4j2.properties
[2021-12-13T12:13:57,167][INFO ][object                   ] ${jndi:ldap://127.0.0.1:2000/obj} {"structured"=>"message"}
[2021-12-13T12:13:58,175][INFO ][object                   ] This instance is NOT vulnerable to JNDI Lookups.
[2021-12-13T12:13:58,176][INFO ][object                   ] Cleaning up leftover log file {:path=>"/tmp/log4j.test.log"}
