Northwave Log4j CVE-2021-44228 checker

Overview

Northwave Log4j CVE-2021-44228 checker

Friday 10 December 2021 a new Proof-of-Concept 1 addressing a Remote code Execution (RCE) vulnerability in the Java library 'log4j' 2 was published. This vulnerability has not been disclosed to the developers of the software upfront. The vulnerability is being tracked as CVE-2021-44228 3. More information on the vulnerability can be found in the Northwave Threat Response 4.

Northwave created a testing script that checks for vulnerable systems using injection of the payload in the User-Agent header and as a part of a HTTP GET request. Vulnerable systems are detected by listening for incoming DNS requests that contain a UUID specically created for the target. By listening for incoming DNS instead of deploying (for example) an LDAP server, we increase the likelyhood that vulnerable systems can be detected that have outbound traffic filtering in place. In practice, outbound DNS is often allowed.

DISCLAIMER

Note that the script only performs two specific checks: User Agent and HTTP GET request. This will cause false negatives in cases where other headers, specific input fields, etcetera need to be targeted to trigger the vulnerability. Feel free to add extra checks to the script.

Setting up a DNS server

First, we need a subdomain that we can use to receive incoming DNS requests. In this case we use the zone log4jdnsreq.northwave.nl and we deploy our script on log4jchecker.northwave.nl. Configure a DNS entry as follows:

log4jdnsreq 3600 IN  NS log4jchecker.northwave.nl.

We now set up a BIND DNS server on a Debian system using apt install bind9 and add the following to the /etc/bind/named.conf.options file:

	recursion no;
    allow-transfer { none; };

This disables recusing as we do not want to run an open DNS server. Configure logging in /etc/bind/named.conf.local by adding the following configuration:

logging {
	channel querylog {
		file "/var/log/named/query.log";
		severity debug 3;
		print-time yes;
	};
	category queries { querylog;};
};

Don't forget to restart BIND using systemctl restart bind9. Check if the logging works by performing a DNS query for xyz.log4jdnsreq.northwave.nl. One or more queries should show up in /var/log/named/query.log.

Running the script

Install any Python dependencies using pip install -r requirements.txt. Edit the script to change the following line to the DNS zone you configured:

HOSTNAME = "log4jdnsreq.northwave.nl"

You can now run the script using the following syntax:

python3 nw_log4jcheck.py https://www.northwave.nl

The last line of the output shows if the system was found to be vulnerable:

INFO:root:NOT VULNERABLE! No incoming DNS request to 3414db71-309a-4288-83d4-aa3f103db97c.log4jdns.northwave.nl was seen

License

Log4jcheck is open-sourced software licensed under the MIT license.

You might also like...
Scans for Log4j versions effected by CVE-2021-44228

check_mkExtension to check for log4j2 CVE-2021-44228 This Plugin wraps around logpresso/CVE-2021-44228-Scanner (Apache License 2.0) How it works Run i

A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

An automated header extensive scanner for detecting log4j RCE CVE-2021-44228

log4j An automated header extensive scanner for detecting log4j RCE CVE-2021-44228 Usage $ python3 log4j.py -l urls.txt --dns-log REPLACE_THIS.dnslog.

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

CVE-2021-44228 log4j 2.x rce漏洞检测工具
CVE-2021-44228 log4j 2.x rce漏洞检测工具

#1 使用说明 CVE-2021-44228 log4j 2.x rce漏洞检测工具,对目标链接发起get请求并利用dnslog探测是否有回显 $ python3 log4j-scan.py -h

PortSwigger Burp Plugin for the Log4j (CVE-2021-44228)

yLog4j This is Y-Sec's @PortSwigger Burp Plugin for the Log4j CVE-2021-44228 vulnerability. The focus of yLog4j is to support mass-scanning of the Log

DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

Scan your logs for CVE-2021-44228 related activity and report the attackers

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs. search for malicious strings decode payloads print results to stdout or file report

Comments
  • Scanning e-mail servers

    Scanning e-mail servers

    Ok.. so I don't know if we would like to add it or even how we should scan it, but..

    We scanned several hosts and with the most recent version we suddenly got hits we did not expect, from servers dat don't even have Java installed. Turns out some of our customers have applications that mail error reports when something fails. This script triggered an exception and the report contained the UUID-based hostname. Somewhere in the path from the server to the recipient a mail server performed the lookup.

    We've excluded our infrastructure and mail server and excluded this particular mail client. Although we've informed all we could inform it's currently out of our hands to resolve and I don't know what part is affected. However, it might be interning to try to detect this.

    I've managed to reproduce it by sending two mails (one with the string in the subject and one with the string in the body)

    The problem regarding testing this would be finding a path to send mail though. I've created this issue to at least dump my thoughts about it

    opened by rvanlieshout 0
  • Rescue urllib3.exceptions.LocationParseError...

    Rescue urllib3.exceptions.LocationParseError...

    ... to at least continue processing lists

    I was running a scan in a tmux just do find out the tool doesn't really like ipv6 ip addresses or some other entries in my list. It would be easier to just continue scanning. The operator in any case still has to check the output to see if something failed.

    opened by rvanlieshout 0
  • Need help and clarity on the instructions.

    Need help and clarity on the instructions.

    The instructions to setup the DNS server are not clear for me. Can you please help?

    1. What are these DNS names log4jchecker.northwave.nl, log4jdnsreq.northwave.nl.
    2. Where do we need to setup the DNS entry?
    3. What is happening when we run the script?
    4. When following the instructions to start bind9, i get a message that bind9 is disabled.
    opened by Harish-Sridhar 1
  • Help with Bind conf files

    Help with Bind conf files

    Can you provide sample zone configuration files that works for bind9? I have the following configurations but I cannot seem to resolve the following queries:

    HOST: $ nslookup ns1 Server: 127.0.0.53 Address: 127.0.0.53#53

    ** server can't find ns1: SERVFAIL

    HOST.DOMAIN: $ nslookup ns1.example Server: 127.0.0.53 Address: 127.0.0.53#53

    ** server can't find ns1.example: NXDOMAIN

    FQDN: $ nslookup ns1.example.local Server: 127.0.0.53 Address: 127.0.0.53#53

    ** server can't find ns1.example.local: SERVFAIL

    Configurations:

    /etc/bind/db.local ; ; BIND data file for local loopback interface ; $TTL 604800 @ IN SOA localhost. root.localhost. ( 2 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS localhost. @ IN A 127.0.0.1 @ IN AAAA ::1

    /etc/bind/db.example.local $TTL 604800 @ IN SOA ns1.example.local. root.ns1.example.local. ( 4 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS ns1.example.local. ns1 IN A 192.168.110.153 log4jdnsreq 3600 IN NS ns1.example.local.

    opened by freedombirdone 4
Owner
Northwave
Intelligent Security Operations
Northwave
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 3, 2023
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 9, 2022
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

Pedro Havay 20 Nov 11, 2022
Mass Check Vulnerable Log4j CVE-2021-44228

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from https://github.co

Justakazh 6 Dec 28, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Wade 1 Dec 15, 2021
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
Tools for investigating Log4j CVE-2021-44228

Log4jTools Tools for investigating Log4j CVE-2021-44228 FetchPayload.py (Get java payload from ldap path provided in JNDI lookup). Example command: Re

MalwareTech 91 Dec 29, 2022
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

Mitiga 13 Jan 4, 2022
Log4j command generator: Generate commands for CVE-2021-44228

Log4j command generator Generate commands for CVE-2021-44228. Description The vulnerability exists due to the Log4j processor's handling of log messag

null 1 Jan 3, 2022
log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

JFrog Ltd. 171 Dec 25, 2022