👉 How Log4j logging works

Log4j outputs logging events using TTCCLayout: time, thread, category and context information. By default, it uses the below pictured pattern.

Here, %r outputs the time elapsed in milliseconds since the program was started; 4/21

To replicate the vulnerability, we looked at one of the many proofs of concept, which replicates how many applications interact with Log4j.

In the code for logger/src/main/java/logger/App.java in this PoC, we can see that it calls logger.error() with a message parameter. 8/21

For debugging purposes, we changed the message to a test URL that uses DNS with JNDI (built with the Interactsh tool) to pass it as a parameter to the “logger.error()” function and stepped through the program. 9/21

We can see that after calling “logger.error()” method from “AbstractLogger” class with crafted URL, another method is called which is “logMessage”

The log.message method creates a message object with the provided URL. 10/21

Next, it calls “processLogEvent” from “LoggerConfig” class, to log the event.

Then it calls the “append” method from “AbstractOutputStreamAppender” class, which appends the message to the log. 11/21

👉 Where the badness happens

This in turns, calls “directEncodeEvent” method.

The directEncodeEvent method in turn calls the “getLayout().Encode” method, which formats the log message and adds the provided parameter— which is in this case the test exploit URL. 12/21

It then creates a new “StringBuilder” Object.

StringBuilder calls the “format” method from “MessagePatternConvert” class and parses the supplied URL, it looks for ‘$’ and ‘{’ to identify the URL. 13/21

After that it tries to identify various Name and values which are separated by ‘:’ or ‘-’:

Then it calls for “resolveVariable” method from “StrSubstitutor” class which will identify the Variables, it can be any of the following: 14/21

The code then calls the “lookup” method from the “Interpolator” class which will check the service associated with the variable (in this case, “jndi”)

Finding “jndi”, it calls the “lookup” method from the “jndiManager” class, which evaluates the value of the JNDI resource. 15/21

After that, it calls for “getURLOrDefaultInitCtx” from “IntialContext” class. This is where it creates the request that will be sent to the JNDI interface to retrieve context, depending on the URL provided. This is where the exploit begins to kick in. 16/21

In the case of a DNS URL, as this fires, we can see a DNS query to the provided URL with Wireshark.

(This is a test URL, and not actually malicious)

If URL is ‘jndi:ldap://’ it calls another method from “ldapURLConext” class to check if URL has “queryComponents”. 17/21

After that it calls “lookup” method in “ldapURLContext” class, “name” variable here contains the ldap URL.

This in turn connects with the ldap “ provided. 18/21

Then “flushBuffer” method will be called from “OutputStreamManager” class, here ‘buf’ contains the data returned from LDAP server, in this case the “mmm….” string we see below.

Looking at the packet capture in Wireshark, we see the request has the following bytes. 19/21

This is the serialized data and this will be displayed by the client as we can see below which shows that the vulnerability was exploited, notice the “[main] ERROR logger .App” string in the message followed by data. 20/21