Explaining Exploits: Log4J

Two weeks ago in our Storming the Castle Series we described how we used the Log4J vulnerability to gain root access to a Linux machine and proceeded to compromise the rest of the network: https://lnkd.in/e3x4EPMG.

But how exactly does the Log4J exploit work?

Log4Shell is a vulnerability found within the logging function of the Apache Tomcat server software. By sending a specially crafted request attackers can achieve RCE (Remote Code Execution). A feature within Log4J allows log messages to contain JNDI (Java Naming and Directory Interface) references.

As the attacker we then craft a malicious log message with a JNDI reference to our rogue server. When running the vulnerable version, Log4j interprets the message then executes the code hosted on the attacker's server. This then allows the attacker to access and control the affected systems.

Remediation Steps:

1. Update to Log4j v2.16.0 +

2. Keep Java versions on hosting severs updated

3. Only allow specific traffic from the specified ports and limit egress traffic out to the internet from necessary ports with firewall rules.

4. Consider the use of vulnerability management and scanning tools

Log4j Exploit Visualized :