Sophos X-Ops Profile picture
Dec 17, 2021 21 tweets 9 min read Read on X
NEW on #Log4Shell...

Inside the code: How the Log4Shell exploit works

1/21
The critical vulnerability in Apache’s #Log4j Java-based logging utility (CVE-2021-44248) has been called the “most critical vulnerability of the last decade.”

The flaw has forced developers of many software products to push out updates or mitigations to customers. 2/21
And Log4j’s maintainers have published two new versions since the bug was discovered—the second completely eliminating the feature that made the exploit possible in the first place. 3/21
👉 How Log4j logging works

Log4j outputs logging events using TTCCLayout: time, thread, category and context information. By default, it uses the below pictured pattern.

Here, %r outputs the time elapsed in milliseconds since the program was started; 4/21
%t is the thread, %p is priority of the event, %c is the category, %x is the nested diagnostic context associated with the thread generating the event, and %m is for application-supplied messages associated with the event. 5/21
It’s this final field where our vulnerability comes into play.

The vulnerability can be exploited when the “logger.error()” function is called with a message parameter that includes a JNDI URL (“jndi:dns://”, “jndi:ldap://”, or... 6/21
...any of the other JNDI defined interfaces discussed in our previous post).

When that URL is passed, a JNDI “lookup” will be called which can lead to remote code execution. 7/21
To replicate the vulnerability, we looked at one of the many proofs of concept, which replicates how many applications interact with Log4j.

In the code for logger/src/main/java/logger/App.java in this PoC, we can see that it calls logger.error() with a message parameter. 8/21
For debugging purposes, we changed the message to a test URL that uses DNS with JNDI (built with the Interactsh tool) to pass it as a parameter to the “logger.error()” function and stepped through the program. 9/21
We can see that after calling “logger.error()” method from “AbstractLogger” class with crafted URL, another method is called which is “logMessage”

The log.message method creates a message object with the provided URL. 10/21
Next, it calls “processLogEvent” from “LoggerConfig” class, to log the event.

Then it calls the “append” method from “AbstractOutputStreamAppender” class, which appends the message to the log. 11/21
👉 Where the badness happens

This in turns, calls “directEncodeEvent” method.

The directEncodeEvent method in turn calls the “getLayout().Encode” method, which formats the log message and adds the provided parameter— which is in this case the test exploit URL. 12/21
It then creates a new “StringBuilder” Object.

StringBuilder calls the “format” method from “MessagePatternConvert” class and parses the supplied URL, it looks for ‘$’ and ‘{’ to identify the URL. 13/21
After that it tries to identify various Name and values which are separated by ‘:’ or ‘-’:

Then it calls for “resolveVariable” method from “StrSubstitutor” class which will identify the Variables, it can be any of the following: 14/21
The code then calls the “lookup” method from the “Interpolator” class which will check the service associated with the variable (in this case, “jndi”)

Finding “jndi”, it calls the “lookup” method from the “jndiManager” class, which evaluates the value of the JNDI resource. 15/21
After that, it calls for “getURLOrDefaultInitCtx” from “IntialContext” class. This is where it creates the request that will be sent to the JNDI interface to retrieve context, depending on the URL provided. This is where the exploit begins to kick in. 16/21
In the case of a DNS URL, as this fires, we can see a DNS query to the provided URL with Wireshark.

(This is a test URL, and not actually malicious)

If URL is ‘jndi:ldap://’ it calls another method from “ldapURLConext” class to check if URL has “queryComponents”. 17/21
After that it calls “lookup” method in “ldapURLContext” class, “name” variable here contains the ldap URL.

This in turn connects with the ldap “ provided. 18/21
Then “flushBuffer” method will be called from “OutputStreamManager” class, here ‘buf’ contains the data returned from LDAP server, in this case the “mmm….” string we see below.

Looking at the packet capture in Wireshark, we see the request has the following bytes. 19/21
This is the serialized data and this will be displayed by the client as we can see below which shows that the vulnerability was exploited, notice the “[main] ERROR logger .App” string in the message followed by data. 20/21
See more details and Sophos coverage in the article from @thepacketrat and @hardik05...

news.sophos.com/en-us/2021/12/…

21/21

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sophos X-Ops

Sophos X-Ops Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosXOps

Mar 13
Every year, Sophos X-Ops releases its annual threat report. This year, however, we took a slightly different approach. Rather than looking at the landscape as a whole, we zoned in on the biggest cybercrime threats to SMBs.
A look at SophosLabs telemetry showed that the number one challenge for SMBs is data protection—which isn’t too surprising. Data and credential theft have become increasingly common, with attackers using the data for ransomware or unauthorized remote access.
Nearly 50% of all malware detections for SMBs were keyloggers/spyware/stealers. We also found multiple advertisements on the dark web from IABs specifically targeting SMBs or selling access to SMB networks. Image
Read 10 tweets
Mar 4
Threat actors often use Bring Your Own Vulnerable Driver (BYOVD) attacks – where they abuse vulnerable drivers to gain privileges on a compromised machine – to terminate EDR solutions.
Lots of drivers exist that can be abused in this way, and several threat actor groups (we've previously reported on Robbinhood, BlackByte, and other ransomware actors) routinely use this technique.
One BYOVD tool that got some attention in 2023 was Terminator. A threat actor was selling this tool to other criminals on underground forums. Researchers found that Terminator used a legitimate signed driver (called Zemana Anti Malware, or ZAM).
Read 18 tweets
Mar 1
We’ve seen three more incidents of attackers attempting to move deeper into customer networks after exploiting a vulnerability in ConnectWise' ScreenConnect server. Two appeared to be from the same threat actor. /1
In one, the attacker attempted to execute some commands for reconnaissance on the ScreenConnect server, using PowerShell to try to run getlocaluser (to obtain a list of local user accounts on the server) and ipconfig (to get the local network interface information). /2
The actor behind the other incidents was much more persistent. In the second incident, they first attempted to disable Sophos endpoint protection. Then they attempted to install a Cloudflare Tunnel client to be used as a backdoor, downloading it from Cloudflare’s GitHub page. /3
Read 8 tweets
Feb 21
While the world digests what, precisely, the LockBit takedown this week entails and how much it’s likely to kneecap the ransomware gang, we’d just like to point out how prevalent the family is – literally, what Conti was to 2021, LockBit was to 2023. 1/11
Here’s a graphic from our upcoming Active Adversary Report , showing precisely how, as seen by the Sophos X-Ops Incident Response team, Conti in 2021 and LockBit in 2023 represented literally double the volume of infections of the nearest “competitors .” 2/11 Image
Back then, Conti was so widespread that even with its shutdown in early 2022, it *still* accounted for nearly 5% of the ransomware cases the IR team tackled. 3/11
Read 11 tweets
Sep 18, 2023
Last year, Sophos X-Ops uncovered a growing number of "liquidity mining" scams—a type of cryptofraud that takes advantage of mobile crypto wallets and decentralized finance (DeFI) apps. While we saw dozens of these last year, we're now seeing 100s of more sophisticated scams. /1
While the scams we first encountered were fairly simple in their attempts to convince targets to join their fraudulent “mining pools”, we have seen liquidity mining scams adopt Sha Zhu Pan (pig butchering) tactics to siphon funds from their victims. /2 Image
Real liquidity pools involve creating a pool of different types of cryptocurrencies for trades, and participants receive a percentage of every fee paid for a trade. Fake pools pretend to operate in the same way—until the scammers pull all the funds from the victims’ wallets./3 Image
Read 9 tweets
Aug 25, 2023
Sophos X-Ops is currently tracking a campaign by threat actors targeting unpatched Citrix NetScaler systems exposed to the internet. Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs.
In the mid-August attack, once the target system was infected, the attackers used the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack.
nvd.nist.gov/vuln/detail/CV…
Later stages of that attack included behaviors such as:
- Payload injection into wuauclt.exe or wmiprvse.exe
- Use of BlueVPS ASN 62005 for malware staging and a C2 IP address (45.66.248[.]189)
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(