Yeah lol, I just realized that 😂

🤣🤣🤣🤣🤣

Tbf for us security professionals this is basically like a new game was just released 😂

@@-bubby9633 🤣🤣🤣

😂😂

U got 1 subscriber

hey john

@@anuzravatMore like 1.2million

I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.

Welcome to the industry and good luck!

@@complexedone Good Luck. We will get there eventually!

what have you been doing to help? what's your role? i'm looking to start in security soon!

Best way to learn quickly though. This is a blessing in disguise for you!

Yup, learnt more from this than the over engineered blogs I've been tracking!

not to mention how he only did it in ~3 mins, saves a lot of times for such a great explanation

@@kpaxxapk6397 the logger should sanitise the input the same way an ORM sanitises model insance lookups to avoid SQL injection.

​@@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it. I've used Log4j before some years ago, and never knew about that "Lookup" feature - and aparently i was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as i don't want the text i log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...

@@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);

@@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.

No idea why I always assume the ${...} syntax is Spel from the spring spell syntax but I'm not 100% sure if that's correct or not

Yo

I honestly believe that you cannot cater for what you don't expect 🤣

@@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.

I was just thinking - this seems adjacent to our classic case of SQL injection. Crazy

Purchased botted sub account, ratio

Great, a whole documentary nobody asked for.

It says "s:" and is inserted by the ide to let you know what the parameter's called

parameter hinting

how did you manager to get a Java lookup accepted on the commandline? When i enter ${java:version} it is evaluated on the CLI leading to no value, leading to an java.lang.ArrayIndexOutOfBoundsException in the java program.

More like xkcd 2347: Dependency. All modern infrastructure is built on a project someone thanklessly maintains in their free time :( And this vuln vas known as far back as BlackHat 2016.

How dooes one find log4j "cumbersome"? It's literally one jar and one .properties / .xml config file and off you go.

@@demoniack81 it's been a while so I forgot the details, but whatever logging setup we had just did not work properly when we updated log4j, and a lot of the log messages had to be rewritten or changed just so the files would be generated and logged to. And my company had this overly complicated standard that log messages had to follow but didn't quite tell us how to make it display properly with log4j - when the older system was already doing so. So many bugs that were "this log is not displaying the error message properly", and I'd have to track down and fix it because there was some variable that needed updating.

Exactly. If I knew about this feature of log4j (I dont do java), it would immediately raise concern. String templates (format strings, f strings, etc.) should NEVER be evaluated by the program itself.

By controlling some input that gets logged by the application

As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.

To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource is loading thru JNDI and passed it to the log4j logguer as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!

No, the issue IS the logger. This vulnerability does not exist if you simply print to stdout with the basic Java functions. No one expects a logging library to be WORSE at handling user input than a basic call to System.out.println(). I'm frankly astonished that *anyone* could have ever thought that allowing a JNDI lookup _in a freaking log message_ was a good idea, even just from a performance standpoint. How this got out into production will forever be a mistery to me.

@@demoniack81 The real problem is that we can't even count on professionals to be aware of the issues in the OWASP Top 10. Careless handling of user input is playing with fire. In log4j 2.17.0 careless handling of user input is still playing with fire. If you log using println careless handling of user input is still playing with fire. Log4j just happened to be the thing that enabled developers that play with fire to burn themselves this time around. It won't be the last.

Correct

correct, log4j evaluates the variable that is wrapped around by ${...} (its own syntax for string interpolation). That and combined by some remote JNDI lookup/mechanism within the library itself, a feature that they claimed were needed for backward compatibility purposes (??). Note that JNDI is a standard in Java that allows remote object load/lookup (!!).