Fuzzing Java to Find Log4j Vulnerability - CVE-2021-45046

LiveOverflow

After the log4shell (CVE-2021-44228) vulnerability was patched in version 2.15, another CVE was filed. Apparently log4j was still vulnerable in some cases to a denial of service. However, it turned out that on some systems the issue can still lead to remote code execution. In this video we use the Java fuzzer Jazzer to find a bypass.
Jazzer Java Fuzzer: github.com/CodeIntelligenceTe...
Anthony Weems: / amlweems
00:00 - Intro
00:54 - Chapter #1: The New CVE
03:38 - Chapter #2: Disable Lookups
05:43 - Chapter #3: Vulnerable log4j Configs
07:52 - Chapter #4: The Remote Code Execution
10:53 - Chapter #5: Parser Differential
12:57 - Chapter #6: Differential Fuzzing
16:07 - Chapter #7: macOS Only
18:15 - Chapter #8: Increase Impact
19:03 - Summary
19:58 - Outro
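Chapters 5 and 6 describe finding the bypass as a parser differential located by differential fuzzing: two pieces of code read the same URI and disagree about what the host is, and an allow-list check made with one parser can be bypassed when the connection is made with the other. The class below is an added example of such a differential fuzz target; it is not code from the video, from Anthony Weems or from log4j. The hand-written `naiveHost` parser is a constructed toy (log4j's real code differs), the seed corpus is constructed, and the `fuzzerTestOneInput(byte[])` signature is the plain entry point Jazzer accepts, so the class also compiles and runs without the Jazzer jar via `main`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Objects;

/**
 * Differential fuzz target: extracts the host from one URI string with java.net.URI and
 * with a simplified hand-written parser, and reports every disagreement. A disagreement
 * matters because an allow-list checked with one parser and a connection opened with the
 * other is a bypass waiting to happen.
 */
public class UriHostDifferential {

    /** Constructed toy parser (not log4j's): everything between "://" and the next "/" is the authority. */
    static String naiveHost(String uri) {
        int start = uri.indexOf("://");
        if (start < 0) return null;
        start += 3;
        int end = uri.indexOf('/', start);
        String authority = end < 0 ? uri.substring(start) : uri.substring(start, end);
        int at = authority.lastIndexOf('@');    // strip user-info
        if (at >= 0) authority = authority.substring(at + 1);
        int colon = authority.lastIndexOf(':'); // strip port
        if (colon >= 0) authority = authority.substring(0, colon);
        return authority.isEmpty() ? null : authority;
    }

    /** Host as the JDK parser sees it; null when the JDK rejects the input or finds no host. */
    static String jdkHost(String uri) {
        try {
            return new URI(uri).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Returns a description of the mismatch, or null when both parsers agree. */
    static String compare(String uri) {
        String jdk = jdkHost(uri);
        String naive = naiveHost(uri);
        if (Objects.equals(jdk, naive)) return null;
        return "jdk=" + jdk + " naive=" + naive + " input=" + uri;
    }

    /** Jazzer entry point: throwing makes the fuzzer save the input as a finding. */
    public static void fuzzerTestOneInput(byte[] data) {
        String uri = new String(data, StandardCharsets.UTF_8);
        if (jdkHost(uri) == null) return;   // inputs the JDK would never connect to are not interesting
        String diff = compare(uri);
        if (diff != null) throw new IllegalStateException("parser differential: " + diff);
    }

    /** Stand-alone run over a constructed seed corpus (no fuzzer needed). */
    public static void main(String[] args) {
        List<String> seeds = List.of(
            "ldap://example.invalid/a",
            "ldap://user@example.invalid:389/a",
            "ldap://example.invalid#frag/a",
            "ldap://example.invalid?q/a");
        for (String s : seeds) {
            String diff = compare(s);
            System.out.println(diff == null ? "agree: " + s : "DIFFERENTIAL " + diff);
        }
    }
}
```

The seeds with a `#` or `?` directly after the host are where the two parsers part ways: `java.net.URI` treats what follows as fragment or query and ends the host there, while the toy parser keeps reading until a `/`. The defensive takeaway the video's fix illustrates is to validate with the very same parser that later opens the connection, or, as log4j ultimately did, not to accept such URIs at all.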

Comments: 76
@FaultyMuse 2 years ago
As a professional Java developer, I have never once heard someone call log4j "Log Forge". And considering the name literally means "Log for Java", I would argue anyone saying "Log Forge" is wrong. Although I suppose this is probably just another gif situation lol
@quinndirks5653 2 years ago
Soft g to avoid confusion with gift, context then resolves any other potential confusion. Creator of the word also pronounces with soft g and says it should be a soft g, like the peanut butter. Pronounce with a soft g, and tell your friends.
@tijsbeek8590 2 years ago
4J is normal in the Java ecosystem, and it means "for Java". So log4j would be pronounced as "log for Java", unless log4j is weird and uses other naming. I don't know where people got "Forge" from.
@wlockuz4467 2 years ago
Yeah, it's literally Log Four J lol
@hikkamorii 2 years ago
@@tijsbeek8590 Probably related to Minecraft's Forge modding platform, since Log4j was heavily abused on Minecraft servers.
@rinzler_d_vicky 2 years ago
As a dev I never thought of security in such detail, but after watching this channel I have been practicing analysing my code for vulnerabilities and avoiding features that can be used as a vulnerability in combination. My favourite approach is to never make a magic function. Thank you!
@TheBiggreenpig 2 years ago
Problem is, 3rd-party libs are full of magic.
@rinzler_d_vicky 2 years ago
@@TheBiggreenpig Go old school, write things yourself, and curse yourself for being a dev like I do 😂
@D1ndo 2 years ago
For anyone wondering how they fixed this difference in URI parsing behaviours: they didn't. They just completely removed the whitelisting checks and restricted the whole shebang to only the `java` scheme, so no LDAP URIs would pass through.
@VLS-Why 2 years ago
Now you just need to put a sudoedit payload in a log4j injection xD
@rinzler_d_vicky 2 years ago
This cracked me up, I am still waiting for his sudoedit series to conclude.
@themadichib0d 2 years ago
@Xeno The Strange I mean, chaining exploits is a thing. Abusing log4j to get local user perms and then the sudoedit vuln to escalate to root is a pretty reasonable scenario.
@user-ko7oo2qg1g 2 years ago
It's always worth it, watching the content you make.
@EER0000 2 years ago
Great dive into this CVE. Since I don't work with Java I took this one as an FYI, so it's great to come across an easily digestible report on it. 😄
@logiciananimal 2 years ago
Jazzer looks neat - thanks for the reference.
@jonathanvorster8621 2 years ago
I really enjoyed this! Good video.
@j3r3miasmg 2 years ago
Missed opportunity to play some jazz while the fuzzer runs. Thanks for the video.
@MuhammadBinZafar1 1 year ago
This was a fruitful collaboration. Thanks @liveoverflow for the insights. It's always amazing to see top hackers coming together!
@superhero1 2 years ago
Thanks for another video! 😎
@mushenji 2 years ago
This is extremely awesome
@radekslany1840 2 years ago
18:10 'Z'ystems :D 🇩🇪 Continuing the sentence, they become "systems" again :D
@Zedoy 2 years ago
Thanks for a new video ❤️❤️
@ThistleBlue 2 years ago
Training to be a Java SDET and we're covering Log4J tomorrow... time to learn beforehand haha
@greob 2 years ago
Nice video, very interesting! :)
@cybersecurity3523 2 years ago
Good job bro 👍👍👍
@koti2547 2 years ago
Awesome 👍
@ahmedkazeka 2 years ago
Best man
@kallocainsynthemesc4172 2 years ago
I'd like more Java videos from you. I know you don't do much with Java, but it's more relevant for programmers (because it's a popular language). Keep up the good content, man.
@baderelhayah7961 2 years ago
Great video, hopefully you will do the same with the iMessage zero-click exploit.
@PavelTimofeev 2 years ago
Great video, thank you! I feel something is missing in the video: it's still not clear why macOS and Alpine are affected. Maybe other operating systems? Why? Probably because of different libc implementations that provide DNS resolution functionality.
@itskdog 2 years ago
From what I took from the video, it's the OS DNS resolver that's causing the issue, and that JNDI is just calling the system DNS resolver rather than using its own, hence it being OS-dependent.
@ALZlper 2 years ago
Log(ing) for J(ava). You had it right the first time.
@Mayurdusane 2 years ago
Man, man, man!!! You oversimplified that initial statement. I understood this half asleep.
@mohamedjames9427 2 years ago
Thank you very much for this awesome video. Does Anthony Weems have a YouTube channel?
@yuvalid4156 2 years ago
Show this to all the Apple stans thinking macOS is safe from hacking.
@krzysztoflewandowski8262 2 years ago
Just curious if you have noticed CVE-2017-5645? Probably a very early sign of today's problems.
@Meskalin_ 2 years ago
ThreadContext maps are not log4j specific. It is a common concept and standard library component in enterprise Java development.
@TimLF 2 years ago
Comment for the algorithm.
@frozzie8949 2 years ago
I didn't know that Michael Cera had a hobby in information security.
@doktoracula7017 2 years ago
8:44 Nah, it doesn't look good, still seems overly complex. Too many nested ifs; this could use the early-return pattern, which you definitely should use whenever you do safety checks: return instantly when anything is wrong and do operations only when all is right.
@kennichdendenn 2 years ago
Except when validating parts of input, e.g. passwords, because then you might craft yourself a nice little timing attack vector 😎. But I agree: in most scenarios this should be the default.
@doktoracula7017 2 years ago
@@kennichdendenn To be fair, I don't remember any time I needed to check passwords or API keys on my own directly. I always used framework/language builtins for that. But true, that's something to remember. Man, writing secure code is hard.
@kennichdendenn 2 years ago
@@doktoracula7017 It is. When validating passwords, I've always just used a secure string compare function. Sadly, I needed to do so to support an older (but AFAIK still secure) login system, for which there was no pre-shipped library.
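The thread above contrasts the early-return pattern (good for safety checks) with the timing side channel it creates when the thing being checked is a secret. The class below is an added example, not code from the video or from any commenter: it puts the early-return compare next to a constant-time compare written by hand, and next to the JDK's own `MessageDigest.isEqual`, which is the "secure string compare function" a Java project would normally reach for. The sample token bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Early-return vs constant-time comparison of secret material (passwords, API keys,
 * HMAC tags). Both variants return the same boolean; they differ in how long they take
 * as a function of WHERE the inputs differ, which is what a timing attack measures.
 */
public class SecretCompare {

    /**
     * Early-return compare: stops at the first differing byte. Fine for ordinary input
     * validation, but for secrets the running time grows with the number of leading
     * bytes an attacker guessed correctly, leaking the secret one position at a time.
     */
    static boolean earlyReturnEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != actual[i]) return false;   // exits early: position leaks
        }
        return true;
    }

    /**
     * Constant-time compare: visits every byte of the shorter input and folds all
     * differences into one accumulator, so timing does not depend on byte values or on
     * where the first mismatch is. Only the lengths influence timing; for fixed-size
     * tags and hashes the length is public anyway.
     */
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        int diff = expected.length ^ actual.length;
        int n = Math.min(expected.length, actual.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    /** The JDK ships the same idea: MessageDigest.isEqual is constant-time for equal-length inputs. */
    static boolean jdkConstantTimeEquals(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // constructed sample values; in practice "stored" would be a stored hash or tag
        byte[] stored = "s3cret-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] good   = "s3cret-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] bad    = "s3cret-token-valuX".getBytes(StandardCharsets.UTF_8);
        System.out.println("early-return  good/bad: " + earlyReturnEquals(stored, good) + "/" + earlyReturnEquals(stored, bad));
        System.out.println("constant-time good/bad: " + constantTimeEquals(stored, good) + "/" + constantTimeEquals(stored, bad));
        System.out.println("jdk           good/bad: " + jdkConstantTimeEquals(stored, good) + "/" + jdkConstantTimeEquals(stored, bad));
    }
}
```

The point is not that early returns are wrong, but that the rule "return as soon as something is wrong" is about control flow, and secret comparison is the one place where control flow must not depend on the data; comparing hashes or MACs of the two values instead of the raw secrets additionally hides the length.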
@MasterLJ 2 years ago
Imagine having your PRs broadcast and scrutinized all across the web. Glad we're doing it, but that would be a pulse-raiser.
@Hexcede 2 years ago
So, the bypass was found through a parser differential. But it only works on macOS... because of a parser differential 😳
@MVMn 2 years ago
How can you inject your code via these localhost# URLs though? You say "the connection worked" for the other guy, but the connection to what? There clearly can't be a domain like localhost#, so how did he actually inject something? What did the DNS resolve, and how could it resolve anything at all? o_O
@wagyourtai1 2 years ago
9:00 It's that thing that happened in Chrome, aka URL parsing's jank sometimes.
@wagyourtai1 2 years ago
Yay, I was right.
@KeinNiemand 2 years ago
But wouldn't the remote code execution require that someone actually registers the localhost# domain, which is impossible since it's invalid? Even if someone is running macOS and it parses the invalid hostname, the DNS server shouldn't return anything since the hostname is still invalid. So this is actually not exploitable unless the DNS server is also vulnerable or the attacker controls the DNS server.
@victortruong2538 2 years ago
I thought this was Michael Cera on the thumbnail.
@sihmy9870 2 years ago
When can we expect the complete 100% patch for this new log4j?
@reastle1307 2 years ago
Linux pwnkit, what about it?
@gcm4312 2 years ago
Logforge, what? :D
@cperception 2 years ago
Didn't know Michael Cera is into programming.
@somMelon 2 years ago
11:51 Which IDE is that?
@yusufislek3669 2 years ago
That's not an IDE, it's Sublime Text.
@marian_f1704 2 years ago
Yo, Michael Cera, what up?
@TheDeadNorth 2 years ago
Really... the people saying that you pronounced Log4j wrong are really acting like they didn't mispronounce it the first time they saw it... I literally see 'Log4j', not 'Log Forge'.
@Deveyus 2 years ago
So what I'm hearing is "It's always DNS" :)
@giangonzalez3283 2 years ago
Hey Michael Cera
@AbdelrahmanRashed 2 years ago
I'm just sad that such exploits exist. Why would anyone want to write their own stupid URI parser instead of using the native/built-in one that is heavily relied on and tested very well?
@namenlos4198 2 years ago
It is about knowledge. If the person implementing the new parser does not know about the URI parser, then he needs to find a different route.
@kennichdendenn 2 years ago
@@namenlos4198 Or maybe about having a much simpler and therefore probably significantly faster parser; logging needs to be very performant after all.
@BlueBloxKraft 2 years ago
Since when was log4j pronounced as "log forge"?
@akashsrivastava279 2 years ago
I want to learn from you.
@riley4252 2 years ago
Hey, thanks for "scanning my Minecraft server for a project", aka testing for the log4j vulnerability on my private server w/o my permission, which is illegal by the way. I've banned your username X_senpai_ and I'm reporting the droplet you used to Digital Ocean.
@riley4252 2 years ago
It was kind of you to advertise your YouTube channel on the way out /s
@georgehammond867 2 years ago
This is an endless loop of breaking by hackers and repairing Log4j by maintainers; 2 hackers are more dangerous together.
@ceilingfun2182 2 years ago
Hi
@ZelenoJabko 2 years ago
4j is always pronounced as for-j
@gilesanderson4860 2 years ago
fuzzing router
@maximilian19931 2 years ago
The best fix is just to delete log4j and blacklist its inclusion. Throw log4j out and block the JVM build from pulling it in.
@5Breaker 2 years ago
You say "hash sign", all I hear is pound key
@tomysshadow 2 years ago
In this context, it is correct to use the term "hash." It is the name for that part of a URL.
@cipher32k 2 years ago
LMAO "Log Forge". They probably say it like that because it was mostly popularized on Minecraft, and the "Forge" mod loader users were affected the most. Still, it sounds fucking stupid.
@GeneralAutustoPepechet 2 years ago
If a logging library has the capability to parse expressions from log input, whoever made that should be banned from programming ever again. The question lies elsewhere. It's a logging library. I expect it to know how to write logs to console, file, or to /dev/null. Why does it have lookups? It's clearly bloated. I have nothing against additional functionality. But if you really feel like a logging library also has to know how to cook pancakes and fix cars, make these features disabled by default, or better, make them plugins distributed in separate jars, so your stupidity won't even get into my classpath. If you develop such bloated software you clearly failed as a project manager.