Rob Fuller Profile picture
14 Dec, 12 tweets, 3 min read
10 #Log4Shell Facts vs Fiction: a 🧵
1. 1.x is NOT vuln to this RCE. While it doesn't have another RCE, it requires access to send serialized data to a listener ON the log server. This is much MUCH harder to exploit and kind of rare for a Log4j server to be running.
2. #Log4Shell attacks can show up hours after the trigger is sent. We are just starting to understand how deep this rabbit hole goes. I personally had BurpCollaborator and CanaryTokens hit 6-8 hours after they were sent.
3. It's not just web servers that are vulnerable. All the avenues that attackers can use are still being researched. I have seen SSID AP names, email headers, usernames on social media, Pastebin file names, book reviews, SMS, trouble tickets, and pull requests with attack strings.
4. It's a library, you can NOT 100% confirm this via a list of "installed" software. The JAR file can be anywhere. It's OSS, so it can be compiled by anyone, so hash lists (like my own) don't work well. BUT the developer has versions in the file name, which is a godsend.
5. JNDI RMI/LDAP requests CAN use proxy settings, but most of the time they won't, so egress filtering blocks a lot of attack attempts. There are very few reasons why an internal server needs to make requests to the Internet (outside of software update services). Use allow lists!
6. What makes exploitation particularly hard to find in IR is that if the exploitation is successful, the JNDI string is NOT actually logged (because it's interpreted by the Log4j logger). You are looking for blank spots in your logs...
7. Just because a vendor says they aren't vulnerable doesn't mean they aren't. This is a 96 hour old bug in the eyes of many and it takes time to be sure. See number 4.
8. Web Application Firewalls are doing a very good job at blocking attacks against web services. Just because there are bypasses for them doesn't mean they aren't blocking the majority of attacks. Bypasses get used and added to blocks pretty quickly. Think AV.
9. If you are a pentester/bug bounty researcher/red teamer, you should NOT be using public services to exfiltrate secrets over unencrypted channels to websites that you do not control. You have no idea what they are doing with your customer's data.
10. Ripping the class file out of the JAR, or functionality out of active running Java programs, could be a great band-aid, but it may break software updates or SBOMs in the future. It may also introduce instability in the application.
Of course I mess up #1. While 1.x DOES have another RCE, it's rough to exploit.
Correction to number 6: @zaicurity @jstnkndy and @d0nutptr all are saying that this is not the case in their testing. I’ll do more testing when I have time but I trust them that this statement is false. I only tested 3 apps and that is definitely not representative.
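As an added example (not part of Rob Fuller's thread) of the file-name check from point 4 and the class-removal band-aid from point 10: a Python scanner that walks a directory tree for log4j-core-<version>.jar, reads the version out of the Maven-style file name and opens the archive to see whether JndiLookup.class is still inside. The 2.15.0 cut-off is an assumed placeholder, not a value from the thread; take the real one from the vendor advisory.

```python
import os
import re
import tempfile
import zipfile

# Maven naming convention: log4j-core-<major>.<minor>.<patch>[-qualifier].jar
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$", re.I)
# Assumed cut-off (placeholder, not from the thread); take the real one from the advisory.
FIXED_VERSION = (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
def parse_version(filename):
    """(major, minor, patch) from a log4j-core file name, None for anything else."""
    m = JAR_NAME.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None
def has_jndi_lookup(path):  # True/False, or None if not a readable JAR
    try:
        with zipfile.ZipFile(path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return None
def classify(path):
    version = parse_version(os.path.basename(path))
    if version is None:
        return None
    jndi = has_jndi_lookup(path)
    if jndi is None:
        status = "unreadable"
    elif version >= FIXED_VERSION:
        status = "patched"
    elif not jndi:
        status = "mitigated"  # class stripped: the band-aid from point 10
    else:
        status = "VULNERABLE"
    return {"path": path, "version": version, "jndi_class": jndi, "status": status}
def scan(root):  # classify every log4j-core JAR under root, sorted by path
    hits = [classify(os.path.join(d, n)) for d, _, fs in os.walk(root) for n in fs]
    return sorted((h for h in hits if h), key=lambda h: h["path"])
def build_sample_tree():
    """Constructed sample: three stub JARs (empty class bodies) in a temp dir."""
    root = tempfile.mkdtemp()
    for rel, keep in (("app/lib/log4j-core-2.14.1.jar", True),
                      ("app/lib/log4j-core-2.15.0.jar", True),
                      ("legacy/log4j-core-2.12.1.jar", False)):  # class removed
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if keep:
                jar.writestr(JNDI_CLASS, b"")
    return root
```

Fat JARs that embed log4j-core inside another archive are not opened here; extend has_jndi_lookup to recurse into nested archives if your estate ships those.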