https://github.com/kallsyms/log4shell-detector
- Host: GitHub
- URL: https://github.com/kallsyms/log4shell-detector
- Owner: kallsyms
- License: gpl-3.0
- Created: 2021-12-13T03:13:03.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2021-12-13T06:53:08.000Z (over 3 years ago)
- Last Synced: 2025-01-20T22:55:36.325Z (4 months ago)
- Language: Go
- Size: 20.5 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# log4shell-detector
Proof-of-concept detector for log4shell exploitation that goes through an LDAP JNDI service provider.
It inspects network traffic sent by any `java` process and compares the outgoing data with what the JNDI [lookup code generates](https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/fa3ecefdd6eb14a910ae75b7c0aefb1cf8eedcce/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java#L1354).

Tested against a local environment being "exploited" using:

* [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)
* [https://github.com/tangxiaofeng7/apache-log4j-poc](https://github.com/tangxiaofeng7/apache-log4j-poc)

## Caveats
Since this looks specifically for LDAP traffic, it:

* May produce false positives if other Java code or applications happen to issue this exact same LDAP search request
* Cannot detect exploitation through an LDAPS (LDAP over SSL/TLS) provider
* Cannot detect exploitation through any other [potentially vulnerable provider](https://sourcegraph.com/search?q=context:global+%28repo:AdoptOpenJDK/openjdk-jdk11u+OR+repo:AdoptOpenJDK/openjdk-jdk8%29+public+class.*URLContextFactory&patternType=regexp)
* Cannot detect simple environment-variable exfiltration through any provider (e.g. as mentioned [here](https://twitter.com/log4j2rce/status/1469799982630944770))

Finally, due to the way it hooks network traffic, it is (currently) unable to report the target hostname/IP of the LDAP connection. It can only tell which Java process made the suspicious connection.
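The byte-level matching the README describes, as an added Go example that is not the project's own code: it walks the BER structure of an outgoing LDAP message and flags the SearchRequest shape the JDK's JNDI lookup issues, which also shows why the first caveat holds (any Java client issuing the same base-scope search matches). Assumed here from the linked JDK source, not stated on the page: the lookup is a baseObject-scope search with the filter `(objectClass=*)`; `SampleLookup` builds a constructed request, not captured traffic.

```go
package main
import "fmt"

// ber encodes one definite-length BER element (short form, or two-byte long form for >127 bytes).
func ber(tag byte, parts ...[]byte) []byte {
	var v []byte
	for _, p := range parts { v = append(v, p...) }
	hdr := []byte{tag, byte(len(v))}
	if len(v) > 127 { hdr = []byte{tag, 0x82, byte(len(v) >> 8), byte(len(v))} }
	return append(hdr, v...)
}

// tlv decodes one BER element, returning its tag, value and the bytes that follow it.
func tlv(b []byte) (tag byte, val, rest []byte, ok bool) {
	if len(b) < 2 { return }
	n, i := int(b[1]), 2
	if n&0x80 != 0 { // long form: low 7 bits give the number of length bytes
		k := n & 0x7f
		if k == 0 || k > 2 || len(b) < 2+k { return }
		n, i = 0, 2+k
		for _, c := range b[2 : 2+k] { n = n<<8 | int(c) }
	}
	if len(b) < i+n { return }
	return b[0], b[i : i+n], b[i+n:], true
}

// IsJNDILookup reports whether buf is an LDAPMessage carrying a SearchRequest with scope baseObject(0) and filter (objectClass=*).
func IsJNDILookup(buf []byte) bool {
	tag, msg, _, ok := tlv(buf)
	if !ok || tag != 0x30 { return false } // LDAPMessage ::= SEQUENCE
	tag, _, rest, ok := tlv(msg)
	if !ok || tag != 0x02 { return false } // messageID INTEGER
	tag, req, _, ok := tlv(rest)
	if !ok || tag != 0x63 { return false } // [APPLICATION 3] SearchRequest
	tags, vals := []byte(nil), [][]byte(nil) // baseObject, scope, derefAliases, sizeLimit, timeLimit, typesOnly, filter, attributes
	for len(req) > 0 {
		t, v, r, ok := tlv(req)
		if !ok { return false }
		tags, vals, req = append(tags, t), append(vals, v), r
	}
	if len(vals) != 8 || tags[1] != 0x0a || len(vals[1]) != 1 || vals[1][0] != 0 { return false } // scope must be baseObject
	return tags[6] == 0x87 && string(vals[6]) == "objectClass" // [7] present filter, i.e. (objectClass=*)
}

// SampleLookup constructs (does not capture) a SearchRequest for dn in that shape, as test input.
func SampleLookup(dn string) []byte {
	return ber(0x30, ber(0x02, []byte{1}), ber(0x63, ber(0x04, []byte(dn)), ber(0x0a, []byte{0}), ber(0x0a, []byte{3}),
		ber(0x02, []byte{0}), ber(0x02, []byte{0}), ber(0x01, []byte{0}), ber(0x87, []byte("objectClass")), ber(0x30)))
}

func main() { fmt.Println(IsJNDILookup(SampleLookup("Exploit"))) } // prints true
```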
## Alternative Things
* [Logout4Shell](https://github.com/Cybereason/Logout4Shell) and [Amazon's hotpatch](https://github.com/corretto/hotpatch-for-apache-log4j2) dynamically patch the main "bad" function (`lookup`) in a running JVM instance to varying extents.