Walking through how the log4j CVE-2021-44228 remote code execution vulnerability works and how it's exploited.
Пікірлер: 258
@mint5302 жыл бұрын
You saying "just came out a few days ago" makes it sound like a fun new game just got released haha
@MalwareTechBlog2 жыл бұрын
Yeah lol, I just realized that 😂
@techutility2 жыл бұрын
🤣🤣🤣🤣🤣
@-bubby96332 жыл бұрын
Tbf for us security professionals this is basically like a new game was just released 😂
@dipankarmitra33342 жыл бұрын
@@-bubby9633 🤣🤣🤣
@OmprakashYadavIIT2 жыл бұрын
😂😂
@_JohnHammond2 жыл бұрын
Great demonstration, Marcus!
@anuzravat2 жыл бұрын
U got 1 subscriber
@seppy6242 жыл бұрын
hey john
@Clytax7 ай бұрын
@@anuzravatMore like 1.2million
@devinmagee19482 жыл бұрын
It's my first week working in cyber security environment professionally. Trying to get a grasp on my organization's infrastructure while trying to help with the log4j vuln has been a real trial by fire lol. Always enjoy your content!
@complexedone2 жыл бұрын
I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.
@jasrid042 жыл бұрын
Welcome to the industry and good luck!
@devinmagee19482 жыл бұрын
@@complexedone Good Luck. We will get there eventually!
@manfrombritain68162 жыл бұрын
what have you been doing to help? what's your role? i'm looking to start in security soon!
@jdemuro12 жыл бұрын
Best way to learn quickly though. This is a blessing in disguise for you!
@ltsmash95442 жыл бұрын
I love how you actually demonstrate the vulnerability and not just talk about it, like what most others are doing. Keep it up mate, you've got my Subscribe!
@zedzpan2 жыл бұрын
Yup, learnt more from this than the over engineered blogs I've been tracking!
@slaloulin82892 жыл бұрын
not to mention how he only did it in ~3 mins, saves a lot of times for such a great explanation
@brianrdetweiler2 жыл бұрын
Clicking various links for 30 minutes, trying to understand the issue, and you explain it in less than 4. Thank you!
@zaitarh2 жыл бұрын
The ${…} syntax is not part of Java - it’s solely a Log4j syntax. (If it were part of java there would have been no problem, as it would have been evaluated at compile-time, not run-time)
@marcellkovacs54522 жыл бұрын
@@kpaxxapk6397 the logger should sanitise the input the same way an ORM sanitises model insance lookups to avoid SQL injection.
@zaitarh2 жыл бұрын
@@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it. I've used Log4j before some years ago, and never knew about that "Lookup" feature - and aparently i was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as i don't want the text i log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...
@zaitarh2 жыл бұрын
@@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);
@fox2code2 жыл бұрын
@@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.
@reemontel80362 жыл бұрын
No idea why I always assume the ${...} syntax is Spel from the spring spell syntax but I'm not 100% sure if that's correct or not
@sniGGandBaShoR2 жыл бұрын
the variable thing in a string is called string interpolation my dude!
@Jhosepep126 ай бұрын
like si llegaste aquí por el video de german
@Hakucopter6 ай бұрын
Yo
@losthedgehog39222 жыл бұрын
Great. Now show the LDAP server configuration and how exactly it serves the java object payload. None of the videos seem to explain how that works. They either evade it or use marshalsec LDAP server also never explaining how it works.
@AlphaZeroOmega2 жыл бұрын
Thanks Marcus. I appreciate your ability to explain a vulnerability like this and demo it in a really understandable way.
@romanxyz72482 жыл бұрын
I had problem understand this from days and you explained it under 4 mins. You're amazing Marcus 👏❤️
@Swing172 жыл бұрын
Very well explained. Good video Marcus!
@tapion19982 жыл бұрын
I can't believe that it is that simple. The first thing you learn is always to control the input that is given. That is why you wont just take the given SQL command and execute it. To think that log4j didn't sanitise their input ist just CRAZY. That's a one liner, my god...
@redwaller12 жыл бұрын
Words cannot describe- how did this slip unnoticed? I cannot imagine writing code that would result in behavior like this, and yet it must surely be a trap even experienced developers might fall into.
@maxwellmapako38202 жыл бұрын
I honestly believe that you cannot cater for what you don't expect 🤣
@jayit68512 жыл бұрын
@@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.
@user-do6gr5ww5e2 жыл бұрын
I was just thinking - this seems adjacent to our classic case of SQL injection. Crazy
@badashgr82 жыл бұрын
With videos out there in 20+ mins and you here with less than 4 mins explaining it so clearly, I know which video to click from next time.
@Lebensgott2 жыл бұрын
oh boi... that is a bad one...
2 жыл бұрын
thanks for the explanation, going to make a documentary on this!
@tansanwastaken2 жыл бұрын
Purchased botted sub account, ratio
@mandokir2 жыл бұрын
Great, a whole documentary nobody asked for.
@paulkelly56182 жыл бұрын
Awesome video! Quick question: What is the symbol you have on line 11 of your code just after "logger.error(" but before "Hello..."
@corv8820022 жыл бұрын
It says "s:" and is inserted by the ide to let you know what the parameter's called
@nagorik242 жыл бұрын
parameter hinting
@krizanand2 жыл бұрын
Pretty much every security team in an organization is stuck on log4j meeting 😜 Wonderful explanation though of the exploit.
@jackofnotrades152 жыл бұрын
Its not a part of java as somebody mentioned before. The syntax is kind of string interpolation though.
@julkiewicz2 жыл бұрын
Wtf, is wrong with software architecture... why, why, why is this even remotely an option. This smells like an attack vector even if that particular problem gets patched up.
@metrixc2 жыл бұрын
Hi Marc, great video. If I see it right, the outbound connections to e.g. a LDAP server is always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!
@danielblanchette85932 жыл бұрын
So you're telling me that the Log4j vulnerability is roughly the same as there was with linux a while ago where if you put something like [{:}};} (don't remember the exact spelling) you can then enter a command that can be executed from an app or the other thing that happened to twitter where you could send a tweet that would retweet itself in your browser... Why is it always the same vulnerability that is found?
@antoinegilles91542 жыл бұрын
Conclusion : stop use Java
@lofman2 жыл бұрын
"versatile" is the key word for this vulnerability. thanks for explaining! :)
@DerekMK2 жыл бұрын
Those ${variable} sequences aren't actually handled at the Java level, they're at the log4j level and they're called "lookups" if you want to find documentation or anything.
@tomwesseling91732 жыл бұрын
how did you manager to get a Java lookup accepted on the commandline? When i enter ${java:version} it is evaluated on the CLI leading to no value, leading to an java.lang.ArrayIndexOutOfBoundsException in the java program.
@universalperson2 жыл бұрын
I actually worked with programs that use log4j, and found it clunky and cumbersome to use with the programs I was delevoping. I didn't know it was so widespread. So is this bug like that xckd comic about Robert"); Drop Tables Students? Because it sounds like it.
@MolOlsson2 жыл бұрын
More like xkcd 2347: Dependency. All modern infrastructure is built on a project someone thanklessly maintains in their free time :( And this vuln vas known as far back as BlackHat 2016.
@demoniack812 жыл бұрын
How dooes one find log4j "cumbersome"? It's literally one jar and one .properties / .xml config file and off you go.
@universalperson2 жыл бұрын
@@demoniack81 it's been a while so I forgot the details, but whatever logging setup we had just did not work properly when we updated log4j, and a lot of the log messages had to be rewritten or changed just so the files would be generated and logged to. And my company had this overly complicated standard that log messages had to follow but didn't quite tell us how to make it display properly with log4j - when the older system was already doing so. So many bugs that were "this log is not displaying the error message properly", and I'd have to track down and fix it because there was some variable that needed updating.
@melkileo2 жыл бұрын
It's quite a good video but I think you should have talken about the jndi/ldap breach that enable rce. Jndi/ldap basically doesn't allow to inject malicious code, but a breach form 2017 make it possible to inject and initialize a custom Java class the ldap server redirects to
@Johna412232 жыл бұрын
Everytime I look at these vulnerabilities I am always surprised by how seemingly simple they are. Computers are weird, man…
@xl83732 жыл бұрын
Great demonstration , thank you !
@victorburnett63292 жыл бұрын
Wow, that is a pretty glaring vulnerability. Amazing it's only just been discovered.
@ralkey2 жыл бұрын
Actually, I want to know how this was still a vulnerability in the first place. It should be pretty obvious that ${...} is a bad thing, especially combined with jndi. It just makes me wonder how they did not think of this before.
@matisowagm2 жыл бұрын
Exactly. If I knew about this feature of log4j (I dont do java), it would immediately raise concern. String templates (format strings, f strings, etc.) should NEVER be evaluated by the program itself.
@Burgundy_towel2 жыл бұрын
Thanks for such layman explanation, I was able to grasp it..
@Pcatalin662 жыл бұрын
${variable} is EL expression for server scripting. Looks similar with string interpolation from c# : $"{yourVarHere}"
@MCdeltaT-2 жыл бұрын
I think the reason no one's explaing it is because they don't want to give any malicious people ideas
@Lucofy_20 Жыл бұрын
HOLA CIBERTEC GAAA
@DavisTibbz2 жыл бұрын
First time understanding what this means. Thanks.
@WildWestPros2 жыл бұрын
Thank god you didn’t title this “log4 in layman’s term”
@Robert-pt2jz7 ай бұрын
Hello, i am just curious. I have a statement and would like to know if my logic is correct. The vulnerability is caused due to no input checking in the program, allowing unintentional interaction with the user? Is this a correct way to view this or am i way off base?
@pauberrymon58928 ай бұрын
You just caught another Sub Bub, that was 🐸 toadly 🐸 understandable 😎, in just a couple of minutes.
@kosmonautofficial2962 жыл бұрын
Always cool to see a Marcus video out on a new vuln!
@lancemarchetti86732 жыл бұрын
A C# Blazor platform is apparently a better option to avoid the log4 vulnerability...
@flo0778 Жыл бұрын
I'm only there 1:00. And I can tell that knowing this is how it works, this is not a library I would use by any means. I don't want unintended random string parsing happening randomly in my code.
@hellboykuro2 жыл бұрын
hi can anyone help me when i try to inject any executor in any game it says "This exploit is down while critical ace/rce vuln is fixed" this is on roblox btw
@FloresMenyapa Жыл бұрын
Greetings from Indonesia, I really admire you, and you are great. I'm just a beginner who wants to learn like you from the bottom
@autismspeakz19 күн бұрын
shit's so simple, I can't believe this hasn't been patched 10 years ago immediately
@prasantabanerjee11842 жыл бұрын
Upgrading to 2.15/2.16 version of Log4J resolves this.
@calmeidazim2 жыл бұрын
Thank You Marcus, simple but quiet clear to understand
@vadiks200322 жыл бұрын
i am somewhat of a beginner programmer but i am so glad i'm able to understand so much words. back when i didnt know anything about programming, this entire video would make no sense to me at all but now, instead of simply not understanding what he says, i just... just fucking feel bored i mean like it's awesome vulneratbility which i could use to run rick astley video on somebodys PC or something, but i am not programming such stuff. . . i am simply not programming at all, the only experience i had was in unity
@sushi2slushy2 жыл бұрын
how does an attacker make the call in the first place though? (have access to call the function with the string
@MalwareTechBlog2 жыл бұрын
By controlling some input that gets logged by the application
@andreasMou1232 жыл бұрын
nice demo, thanks!
@iapplethis2 жыл бұрын
and youre telling me they missed this simple hack, lol, they couldnt care less I guess
@valentinpopescu67042 жыл бұрын
How can you set up the LDAP server on localhost and which port to choose?
@stavros2222 жыл бұрын
This allows log4j commands inside a string isnt It? I call this legal cross site scripting
@sonalita_2 жыл бұрын
I'm still confused about how the jndi payload gets executed (i.e. calc.exe) in this case - isn't the jndi lookup just returning data? what is it that makes it actually execute calc.exe??? nobody seems to be able to explain this.
@arvidmildner62742 жыл бұрын
As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.
@53kt0r2 жыл бұрын
To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource is loading thru JNDI and passed it to the log4j logguer as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!
@tobi34972 жыл бұрын
This seems like a problem with the user of the library, not the library itself. You should be using `log.error("Hello: {}", username)` not `log.error("Hello: "+ username)`. This is analogous to SQL injection... You need to properly prepare you parameters.
@BruceDuncan2 жыл бұрын
I still don't get it. What is it that is being returned over LDAP? Is it the base64-encoded string "calc.exe"? Is it a Java object which is doing Runtime.getRuntime().exec("calc.exe")? It's been nearly a week and I still don't get it!
@WildWestPros2 жыл бұрын
In short, Log4j is a Java library that is used for logging errors and other software activities. ... The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
@wikinoa2 жыл бұрын
Its very simple vulnerability. How anyone hasnt "catch" it until now? At least developers should have made some (unitary) testing before publishing version after version without fixing the issue. Its pretty standard library used all around internet and shouldnt have been taken lightly security-wise.
@luisdawa2 жыл бұрын
Isn't it somewhat similar to SQL Injection?
@mdzen22e2 жыл бұрын
just what am looking for....thx dude
@chickendumpling95952 жыл бұрын
I know I’m late to the party but I would greatly appreciate it of someone could clarify some things for me: 1) that error at the end, I cant quite catch it but I figure it must be due to the fact that the downloaded object cannot be concatenated without a toString method or something like that? 2) Isnt that base64 ‘calculator.exe’ just a directory on your server, not part of the actual object? 3) what is that on line 8? Is setting that property necessary for this exploit to work? Again, I appreciate highly any response :)
@bdidue69982 жыл бұрын
Lmao how in the hell would novody think that this could exist
@dvanrooyen14342 жыл бұрын
The vulnerability has been around for approximately 9 months - check twitter… likely an intern raised at a standup at one of the fang companies and all of a sudden everything is on fire… also the term you’re looking for is string interpolation, which is a conman programming term ;)
@cool-aquarian2 жыл бұрын
when I try to do same thing in my eclipse using log4j < 2.16, the jndi url is not getting invoked. It is simply printing in log message.. Any clue why ?
@ChrisWrightGuitar2 жыл бұрын
I believe the name you're looking for is "string interpolation".
@MightyElemental2 жыл бұрын
How does something like this go under the radar for so long...
@yuckimusic26705 ай бұрын
Sounds like im listening to a diffrent language lol so interesting
@Naglfar832 жыл бұрын
Nice demonstration, but the code is unreadable on a medium-sized smartphone like mine. Please consider zooming or increasing the font size before uploading.
@halahmilksheikh2 жыл бұрын
When the calculator actually popped up, I laughed out loud.
@majorassault50742 жыл бұрын
I have to ask, what happens if you are running a VPN? Will the VPNs server get infected with whatever malware/ransomware/trojan/ddos/worm a black hat sends their way?
@talbaraz89162 жыл бұрын
The strings you don't know what there are called are actually called lookups just so you know :)
@georgedicu73972 жыл бұрын
${vars} - they are called string interpolations, mainly I guess
@justgiz2 жыл бұрын
so basically its not the logger thats the issue, it's not sanitizing user input. thought this was learned from SQL injection
@demoniack812 жыл бұрын
No, the issue IS the logger. This vulnerability does not exist if you simply print to stdout with the basic Java functions. No one expects a logging library to be WORSE at handling user input than a basic call to System.out.println(). I'm frankly astonished that *anyone* could have ever thought that allowing a JNDI lookup _in a freaking log message_ was a good idea, even just from a performance standpoint. How this got out into production will forever be a mistery to me.
@BTrain-is8ch2 жыл бұрын
@@demoniack81 The real problem is that we can't even count on professionals to be aware of the issues in the OWASP Top 10. Careless handling of user input is playing with fire. In log4j 2.17.0 careless handling of user input is still playing with fire. If you log using println careless handling of user input is still playing with fire. Log4j just happened to be the thing that enabled developers that play with fire to burn themselves this time around. It won't be the last.
@manideepkumar9592 жыл бұрын
Better than java brains log4j explanation,now i understand
@sergedeugoue25692 жыл бұрын
Maybe I'm overlooking things but it seems so obvious. How did this vulnerability take years to discover?
@abhilpnYT2 жыл бұрын
One of the best explanations with practical demo. Thank you ..
@stock992 жыл бұрын
might be good to also include a brief remediation/mitigation strategy so the story has some sort of closure. 2 cents.
@thelineidk2 жыл бұрын
And if I go to 2b2t from my phone, for example, will the exploit work on me? (I play java minecraft on my phone)
@TheGameIsOverCy2 жыл бұрын
Nice explanation ! Thank you :)
@kjn59912 жыл бұрын
0:45 don't know the name in Java jargon, but in Javascript this would be a Template literal / Template string.
@dougiefresh23932 жыл бұрын
“String Interpolation” or “interpolated string”
@das_evoli2 жыл бұрын
Finally no bullshitting around. Straight to the point and understandable for every novice programmer
@rchaykovskiy2 жыл бұрын
0:47 this is called „string interpolation“ and it‘s not a java-thing only
@patrickmcevoy17762 жыл бұрын
Isn't 1.8 not vulnerable from the exploit though?
@florian5382 жыл бұрын
Could you solve this issue by looking for an outcommenting the feature in the log4j library?
@DalBileAbas7 ай бұрын
Thanks for simplifying the vulnerability
@ewerybody2 жыл бұрын
Wasn't the base64 an extra indirection? The class you're loading can't pop Calc.exe directly? 🙄
@10F2C2 жыл бұрын
After log4shell there's now Follina
@EdwardInTX Жыл бұрын
thank you!
@freekdeman2 жыл бұрын
Thanks, really helpful.
@antran44652 жыл бұрын
I really want to put the joke: “Thanks Marcus, now I got a million dollars”, but that seems to be a very risky move these days.
@n3rd4lyff2 жыл бұрын
In regards to 0:46, this is called string interpolation :)
@masettyvivek81552 жыл бұрын
This is one of the great demonstrations I have listened on KZbin. You are amazing!!
@MH-oc4de2 жыл бұрын
To be clear, it's the log4j logger that is doing the ${variable} expansion, and not the shell (?) e.g., if you print out username within the code it is not a problem, but log4j is (somehow) executing it ? Thanks!
@MalwareTechBlog2 жыл бұрын
Correct
@tuananhtass36932 жыл бұрын
tks, Marcus!
@umeshdhaked76382 жыл бұрын
We lucky, we use Go Lang.
@Melpheos1er2 жыл бұрын
This is the worse vulnerability released in the past few years
@TreeFrogOnATree2 жыл бұрын
well, well that's really interesting thanks for uploading!
@traxooza2 жыл бұрын
Coming from a C++ background, I can't see why the code in "username" gets evaluated. Is it because log4j triggers this evaluation somehow ? Why would it do that ?
@scarletdice2 жыл бұрын
correct, log4j evaluates the variable that is wrapped around by ${...} (its own syntax for string interpolation). That and combined by some remote JNDI lookup/mechanism within the library itself, a feature that they claimed were needed for backward compatibility purposes (??). Note that JNDI is a standard in Java that allows remote object load/lookup (!!).