CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE)
Рет қаралды 341,074
Күн бұрынTimestamps (HUGE thanks to deetee in the comments for putting these together!!!):
0:00 - Introduction
0:49 - Tweet on gaining RCE via Minecraft
1:16 - Overview of topics covered in video
1:57 - Context surrounding Log4j exploit
3:08 - Blog posts & Github repositories on CVE-2021-44228
3:58 - [Demo] Exploiting Log4j to get a callback to attacker-controlled server
6:58 - [Demo] Exploiting Log4j via unpatched Minecraft server (Spawning calc.exe)
21:00 - [Demo] Exploiting Log4j via unpatched Minecraft server (Spawning a reverse shell)
24:30 - How the industry is responding from a defense perspective
27:37 - Industry chatter surrounding CVE-2021-44228
28:52 - Blog post discussion
29:28 - Open Source Log4Shell Vulnerability Tester
32:28 - Conclusion
Detection:
thinkstcanary/sta...
/ 1469350532548632581
/ 1469643986403008515
Threats:
/ 1469508032887414784
Bypasses:
/ 1469523006015750146
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
@_JohnHammond 2 жыл бұрын
As Para noted in the comments below, I had a typo while attempting to download the old 1.8.8 version of the PaperMC server. At the time of writing this comment, that old version is still available for download with the right link. ("builds" instead of "build") Additionally, the language "zero-day clusterbomb" should be credited to Florian Roth. He described the log4j vulnerability as such, and I just think it is such a perfect name for it.
@JosephBrunsman 2 жыл бұрын
Thanks again for all the great content!
@zearthus7089 2 жыл бұрын
are Android and iOS Apps and devices will also be affected on this vulnerability issue of Log4j?
@Techies06 2 жыл бұрын
New subscriber here, It is awesome finding someone who can really nerd out on security. What a great video, thank you.
@dieSpinnt 2 жыл бұрын
Great explanation, thank you for the work and presentation, John!:) Now to the superfluous, cynic and schadenfreude-pregnant part: It's the 'ol wisdom -> Java users get what they deserve! Why not install even FLASH?:P Sorry for that ... and to you and yours, the community (including hard working Java related folks), I wish a good new year:)
@georgehammond867 2 жыл бұрын
Can you defeat Windows defender? with Log4j true MineCraft!
@GamingHintsify 2 жыл бұрын
John out here killing 2 birds with one stone. Showing us the severity of this vuln, but also showing us how to setup a minecraft server
@totallynotbluu 2 жыл бұрын
came for the minecraft server setup, stayed for the cybersecurity discussion
@Umar0x01 2 жыл бұрын
haha
@guilherme5094 2 жыл бұрын
The hero we need.
@dieSpinnt 2 жыл бұрын
It's also circular: With Minecraft (servers) there is desire for security exploits and botnets, Senpai (as we've seen the children ... or better criminals playing and disintegrating half of the internet several times for ... immature nonsense as the occasion). So there is need for security experts, who also play Minecraft, who setup servers or tell how to setup servers correctly(of course, the security has an expiration date:) ) ... ... oh and the side-effect, that we get informative high quality videos from John is also nice, thank you:)
@Wastelander1972 2 жыл бұрын
John, you’re getting big out there if you weren’t already. My organization cited this video directly for information on this vulnerability. Very well done.
@Flurry17 2 жыл бұрын
>Working in IT >Wondering what the hell is going why is there so many tickets titled Log4J something >Watches the video >I'm fucked
@aliencatmeow 2 жыл бұрын
I also work in IT. We got a bunch of log4j tickets as well and i just remembered the new vulnerability, so I was like someone's patching it right?
@kamilkicka4455 2 жыл бұрын
I am Security guy and all I can say Is that was busy Monday
@Jaycomma 2 жыл бұрын
@@aliencatmeow Wow, where do you work where people are actually targeting you?
@caboose22320 3 ай бұрын
@@aliencatmeow answer
@kevin3434343434 2 жыл бұрын
Its amazing how much of the world is built on free labor and how little everyone values open source.
@Time4Technology 2 жыл бұрын
Wise words.
@RadikAlice Жыл бұрын
Kind of a microcosm of capitalism if you think about it
@zihasz5305 2 жыл бұрын
The calculator open up twice at 20:43 because both the server and client logger got the payload. Great video btw!
@mylo5641 2 жыл бұрын
it actually calls it twice from the server. if you run minecraft on java 7 or earlier it will run on the client as well though
@ZeeraaDev 2 жыл бұрын
When i tried it myself i also got 2 requests but i think thats because the log message gets proccessed once for the console window and once for the latest.log file
@hardikjain8741 2 жыл бұрын
I was waiting for John's Detailed video to come out. This is a one-stop shop for all the information you need regaring CVE-2021-44228. Thank you
@makedredd299 2 жыл бұрын
Thank you pilgrim.
@seclilc 2 жыл бұрын
This is all nuts. Thank you for sharing the nitty and gritty
@_JohnHammond 2 жыл бұрын
Super sorry I am the worst and haven't gotten timestamps out just yet-- if there any good Samaritans willing to help and put some together, that would be a HUGE help!!!
@deetee1779 2 жыл бұрын
Hi John, thanks for the awesome video! It was very informative and interesting. Seeing the reverse shell was super exciting lol! No worries about the timestamps, you're probably really low on sleep what with all the chaos surrounding this, please get some rest when you can! For the timestamps, not sure if anyone else has done it - I did a quick one below, feel free to edit. Hope this helps! 0:00 - Introduction 0:49 - Tweet on gaining RCE via Minecraft 1:16 - Overview of topics covered in video 1:57 - Context surrounding Log4j exploit 3:08 - Blog posts & Github repositories on CVE-2021-44228 3:58 - [Demo] Exploiting Log4j to get a callback to attacker-controlled server 6:58 - [Demo] Exploiting Log4j via unpatched Minecraft server (Spawning calc.exe) 21:00 - [Demo] Exploiting Log4j via unpatched Minecraft server (Spawning a reverse shell) 24:30 - How the industry is responding from a defence perspective 27:37 - Industry chatter surrounding CVE-2021-44228 28:52 - Huntress blog post 29:28 - Huntress' Log4Shell Vulnerability Tester (Open Source) 32:28 - Conclusion
@_JohnHammond 2 жыл бұрын
@@deetee1779 You are THE BEST!! Thank you so so much -- added to the description so it is available for everyone and made sure to credit you and give you the deserved kudos :) Thank you again and again!
@deetee1779 2 жыл бұрын
@@_JohnHammond No problem at all! Happy to help :) huge respect to you for putting all this together, cheers!
@matthewbolan8154 2 жыл бұрын
Not the most pleasant way for our worlds to collide, but a good video!
@MattMcT 2 жыл бұрын
you're super inspiring John. Thank you so much for your work and vibe!
@Cyberducky 2 жыл бұрын
This video is amazing, it combines my all-time favorite game with exploiting a vulnerability and to top it all off the video is made by the incredibly talented John Hammond. 10/10 would watch again.
@_notch 2 жыл бұрын
Great video as always, John. This vulnerability is quite disturbing with how old it potentially might be. I remember implementing log4j in several projects, possibly including minecraft.
@IONJigZz 2 жыл бұрын
"Hippedy hoppedy, your code is now my property" that cracked me up ngl
@xhaser56 2 жыл бұрын
I HAVE to remember this quote! 😂🤣😂🤣
@the23er 2 жыл бұрын
Needed as Merch
@kitrodriguez992 2 жыл бұрын
Reminded me of Dani
@kimobonbon7 2 жыл бұрын
tbh me too
@Shad33 2 жыл бұрын
Was waiting on your video so I could better understand and you most def did not dissapoint. I appreciate your work
@rajeshkhatwani 2 жыл бұрын
One of the best Log4j demo, learned so much John. Big Thumbs Up! Thanks!
@Methodmanishe 2 жыл бұрын
Absolutely amazing! Thank you for sharing it and giving it a high quality explanation!
@kartik180rajesh1 2 жыл бұрын
Very well demonstrated! Understood the whole pipeline from the setup to execution
@AlphaZeroOmega 2 жыл бұрын
Thanks John! Great video showcasing this new vulnerability. I found it to be very well explained and demonstrated.
@lfcbpro 2 жыл бұрын
Great vid John, found it very interesting and hopefully this will help a lot of admins.
@Angie1R 2 жыл бұрын
Thank you, good work done! Nicely explained, demonstrated and remedied. 👏
@sauloguilhermino2831 2 жыл бұрын
Great great great explanation, John. Thank you for the video and also the testing tool, it'll be very useful for me and my team for the next few days :)
@HAGSLAB 2 жыл бұрын
Good video as always, very informative! 🧑💻
@MonoJaviX 2 жыл бұрын
Great video, very educative. Thanks for the time you took to make this one.
@reymarckessaguirre5082 2 жыл бұрын
There we go, been waiting for this vid since the panic yesterday.
@strouja 2 жыл бұрын
Thanks for this, awesome work. Very impressive.
@GunRotMG 2 жыл бұрын
Note, at 8:55 the Version is still available, you made a typo in the URL, its supposed to be /builds/ instead of /build/
@scottangelides9237 2 жыл бұрын
i was looking for a video to explain the vuln and of course mr hammond had one out already you are a saint
@atsekbatman 2 жыл бұрын
Thanks for that video and the explanation on this topic!
@GeorgFranz 2 жыл бұрын
Thank you very much for your insights, you have opened my eyes!
@unit4246 2 жыл бұрын
I wait for this video all day you are amazing 🤩
@sekytwo 2 жыл бұрын
John giving us gifts with these videos, dude is straight fire!
@kclok323 2 жыл бұрын
Great John! Thanks for the video.
@testtest2910 2 жыл бұрын
Amazing video John!!
@brettnieman3453 2 жыл бұрын
Great video, John!
@dj_bsec 2 жыл бұрын
Thanks for helping get out the info John!
@CrashLoopBackOff-K8s 2 жыл бұрын
Followed you on twitter a long while back, but wanted to sub and drop a comment here, as well. Appreciate all you do for the larger community. Thank you.
@MarcoMassieri 2 жыл бұрын
amazing that you have already set up a room for log4j on thm !!
@DonRichards 2 жыл бұрын
Something else that makes this massive is Apache Solr uses Log4j. Solr is in a LOT of things and typically gets little attention. Thanks for the demo! Super helpful!
@sayaf9393 2 жыл бұрын
Thx for a video. Learned a lot from u 🙌
@wise_one45 2 жыл бұрын
Thanks for the educational POC 👊🏾
@oliviadrinkwine1411 2 жыл бұрын
A friend got ratted with this vulnerability so thanks for sharing and spreading the news
@joshua-beck 2 жыл бұрын
This is a great explainer!
@melvin16 2 жыл бұрын
Awesome presentation. Thank you :)
@hash_fpv 2 жыл бұрын
Thank you John for the video.
@flatlinejimbob 2 жыл бұрын
Amazing work, thank you!
@tomasofficial. 2 жыл бұрын
This video is AMAZING! You covered everything, i dont regret being a subscriber. Thanks John for another good video, the new people that came from a gaming community and dont know you are really losing the game 😂
@AsmodeusMictian 2 жыл бұрын
Thanks for the vid man!
@metrixc 2 жыл бұрын
As always great and informative John. Why does curl -A not work? Is there a difference between the -H and -A option? The man page doesn’t really clarify this.
@tomasgorda 2 жыл бұрын
Great explanation. Thank you 👍
@trilogiam 2 жыл бұрын
Brilliant! All 34 minutes of it!
@SamAndrew27 2 жыл бұрын
My work week has been utter HELL because of log4j!! So glad it's a holiday next week!
@venkateshnambi1576 2 жыл бұрын
Excellent video.. about log4j with practical explanation.
@gabriels6425 2 жыл бұрын
I like the waiting screen John!
@VishalSharma-gt1hy 2 жыл бұрын
i can finally setup my first minecraft server. Thanks to john.
@0dayCTF 2 жыл бұрын
I heard “0day” 4 times and I appeared 😀
@trickshot8653 2 жыл бұрын
Yo
@ErnestoVazquezChoby1000 2 жыл бұрын
I loved the hippity hoppity, your code is now my property lol. Great video!!!!
@shahafl 2 жыл бұрын
Super interesting! Thank you!
@haxguy0 2 жыл бұрын
Hey thanks for sharing this John
@custume 2 жыл бұрын
great work, keep up the good work
@rm8582 2 жыл бұрын
Awesome information sharing! Just a question though, for the executed shell what would be its parentprocess? Would it differ from each application that uses log4j?
@gavinchristison9808 2 жыл бұрын
Great video John as a new comer to the information security space you always pitch your content at a level even I can understand. While I follow the logic and workflow for the test I'd like to know your thoughts as to whether the same process detailed in the video would work against a harder target such as a web app hosted on an Azure cloud server? (Note, I have permission to test this web app and server for vulnerabilities) If the Huntress tool (which we used to test the web app) returned no vulnerability do you think it would not be worth trying this test path? I also have to ask - where can I get one of those T-Shirts? Happy to take this off-line to discuss further if you have the time. Thanks
@davisbugs 2 жыл бұрын
Thanks John. Great Breakdown...
@devinbrooks136 2 жыл бұрын
Great info for someone working in a SOC that's for sure.
@Andy-jz1zw 2 жыл бұрын
Merry Grichmas John
@mrtnsgs 2 жыл бұрын
This is amazing!!! Thanks
@andycremeans 2 жыл бұрын
Keep up the good work John.
@mohemmedahmed7478 2 жыл бұрын
Nice and thank you for this video
@francisreidjr3788 2 жыл бұрын
Thanks John great work
@manan5 2 жыл бұрын
lol so many cuts must be a real tough job making this video. Thanks!
@thomashedrick8446 3 ай бұрын
Great tutorial btw John!! I'm a sysadmin and feel like a noob when it comes to shit like this I think if there was a GUI for these servers you're spinning up it would make it much easier to understand but I know that's not the case.
@Daedwartin2 2 жыл бұрын
And for those who found out on the programming side of things...Best of Luck in this yet to be determined period of hell as you drop everything to fix this.
@caydenwright9548 2 жыл бұрын
Great video, clearly explains everything. Timestamps super helpful. Quick question: you say at around 7:18 that this vulnerability could impact a client connected to a server with another malicious client on the server. Is this true? If so, would the server need to be vulnerable as well? I would assume not, as the chat message is simply passed along by the server, and the vulnerability occurs in Log4j on the victim client's MC client. thank you!!
@zuberkariye2299 2 жыл бұрын
Thanks for the vid!
@captainkatz1775 2 жыл бұрын
Really dope video 😃😃😃
@xshadowcasterx 2 жыл бұрын
Awesome video as always, that shirt is dope! Where can I snag one?
@thinhle1611 2 жыл бұрын
perfect explanation !!!
@emifro 2 жыл бұрын
Great tutorial!
@abdeslam_blc 2 жыл бұрын
Thanks for the information, see you soon
@hamzahwahab2286 Жыл бұрын
that is some juicy detailed of log4j, i am lucky of his subscriber
@embly2319 2 жыл бұрын
You should do more stuff like this, I know it's not everyday that an exploit like this is discovered and CTF's are likely far easier for you to make but live exploitation demos like this are super cool.
@Hope-kf1nl 2 жыл бұрын
That's what most CTFs are... Previous RCEs and SSRF exploitation in old software... Lmao.
@malfoytech4601 2 жыл бұрын
Agreed.
@embly2319 2 жыл бұрын
@@Hope-kf1nl Not really. CTF's don't show the blue team side and showing how to make your own test environment is a valuable skill. I'd like to see more of both.
@Hope-kf1nl 2 жыл бұрын
@@embly2319 I'm a little confused by your question. You'd want him to create a test environment for every single video? A lot of John's content is educational from a Red Team perspective. He works full time and I doubt he has time to setup a test environment (which has it's own caveats and bugs) as well as exploit it. I'd assume he'd need to put a lot more work into each video. Which means less time he has to get things posted. Believe it or not, we all have fulltime jobs paying over 100k+ in the security field that keeps the lights on. I doubt John wants to quit his day job and just focus on trying to post video that would likely require 10x the work for very little reward...
@embly2319 2 жыл бұрын
@@Hope-kf1nl Didn't ask you a question anywhere in my comments. I acknowledged that this takes more time in my first comment. I dont think John would be in any danger of becoming homeless if he started doing more vids like this, that's kind of ridiculous. My original point still stands that all of the things being show cased are valuable skills for newbies, and imo it makes for more interesting content. There isn't allot of high quality content like this on KZbin so it would be nice to have more.
@metrixc 2 жыл бұрын
Hi John, great video. If I see it right, the outbound connections to e.g. a LDAP server is always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!
@SamsonPavlov 2 жыл бұрын
Thanks professor John... I believe Grinch Enterprises will use this to attack Santa... If not this year, next for sure... We'll be ready...💪🎄
@farsidesc4044 2 жыл бұрын
There’s a preference setting in VMware Workstation to remove the visibility of the top bar (when hidden), if that’s what you’re using and you don’t want to see it at all.
@istvanbarta 2 жыл бұрын
This kind of instability of the digital world is always terrifying me. Like the Jurrasic Park movie. Always about the budget and deadlines of the companies which cause cheap and lazy solutions, but the marketing is selling these products to key-positions and therefore it's affecting everybody. Thank you and the other talented hackers in the world who are working for us instead of against us! Open source forever!
@ahmedsaqib8489 2 жыл бұрын
Love you John
@BobBob-qm2bm 2 жыл бұрын
You need cyber running shoes to keep up with John - still trying to decipher whether or not he ever pause long enough to takes a breath :)
@shivaganesh6939 2 жыл бұрын
Hunter!! Hacker!! Great video ever! The thrill of pwning the system!
@mindaugasdailidonis 2 жыл бұрын
If you implement proper outbound traffic filtering, even if your server is vulnerable, this will not work. Basic hygiene. And this is so shockingly underrated.
@dafelix 2 жыл бұрын
I think you forgot the timestamps. Great video, this is gonna bring a lot of people to your channel
@ryzenforce 2 жыл бұрын
3 Billion devices... Oracle is showing that on their installer/updater since the last 15 years...
@w1d3r75 2 жыл бұрын
Yeah. Nowadays it's 9/12 Billion devices. Java runs the world 💪
@R4z0r_arg 2 жыл бұрын
The best cybersecurity channel
@roahboah 2 жыл бұрын
Thanks, John.
@koi7290 Жыл бұрын
Minecraft is just the tip of the iceberg no sentence has made me more invested before
@janithmalinga5765 2 жыл бұрын
Nicely explained.
@Alterpalm 2 жыл бұрын
Santa's bag of toys was a piece of cake video, almost 0 level difficulty 😎 But this...🤯 Very fast to me to understand and track all the steps. No hate, video is great as always)
@goodboy8833 2 жыл бұрын
I tried on my assessment yesterday i strucked & dnw were to start hope this helps Thank u John.
@yankeesouth 2 жыл бұрын
I know we are about to hear from John Hammond but has anyone asked what JaRule thinks of the log4j zero day?
@seclilc 2 жыл бұрын
Lol
@frosecold 2 жыл бұрын
I don't get this joke... Like, at all
@TheSeakr 2 жыл бұрын
@@frosecold You should ask JaRule why its funny
@asii_k 2 жыл бұрын
@@frosecold Dave Chappelle had a special from 2005 or so where he talks about seeing JaRule being interviewed after 9/11 and the joke goes on basically as josh outlined there. It's a great special actually
@kc-me6wl 2 жыл бұрын
looooool too good
@matteolucchetti2031 2 жыл бұрын
Thank u John!
@Jennn 2 жыл бұрын
Thank You For ELI5
John Hammond
Рет қаралды 80 М.