My Research into Log4Shell

So I’m almost done with high school. Got like 5 months left. I’ve chosen my senior project to be something about cybersecurity, as that’s definitely a field I’m interested in (although I’m planning for a computer engineering degree). So I chose to get started with a major exploit from last December: Log4Shell.

Log4Shell is best described in this writeup from CVEdetails. Basically, Log4j is a Java framework for logging all sorts of things, and sometimes you need to log a username or something, for which Log4J has a feature that allows it to reach out to an LDAP server for data. However, this server can be attacker controlled, and anyone that can craft a special log message can get the victim computer to run arbitrary code remotely (RCE bug).Yes, this is the "official" logo of Log4Shell.

I took it upon myself to execute this vulnerability myself, using everyone’s favorite block game: Minecraft. I started with a Kali Linux VM, running marshalsec and a basic HTTP server, for controlling my own LDAP server and hosting payloads.
I then spun up a victim VM, this one running standard Windows 10. There are only 3 things wrong with this machine: It has a vulnerable, outdated version of Java (8u112), it has an vulnerable version of PaperMC (1.8.8-443), and Windows Defender is turned off. While this setup would not appear in the wild very often, it is important to remember that less than 2 months ago, even new versions of PaperMC (and other software) were vulnerable to this.
My video goes into much more detail than this post.

While this vulnerability may seem niche and hard to find in the wild, it’s important to remember that many people just don’t update their software for whatever reason, and could be several versions behind. (Yeah dad, please update your phone when it prompts you.) While I won’t go into the same level of detail that my video does, I’ll give the gist of how I pulled this off.

  1. Log into minecraft server
  2. Issue specially crafted chat message
  3. Server attempts to log message, vulnerability has it reach out to LDAP server
  4. LDAP server refers to HTTP server hosting malicious class file
  5. Malicious class file runs arbitrary code - in my case downloads and installs Quasar RAT

That’s about it. Update your software. Keep your antivirus on. Don’t click sketchy links (looking at you, Mom). Make sure your “mp3” doesn’t end in .exe.

Github link to scripts I used for my demo at school.
I also based a lot of this off of this rather clickbait-sounding video.

This post is licensed under CC BY 4.0 by the author.