Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mrjameshamilton/log4shell-detector

A log4shell detector using ProGuardCORE
https://github.com/mrjameshamilton/log4shell-detector

cve-2021-44228 detector log4j log4shell proguard-core security

Last synced: about 6 hours ago
JSON representation

A log4shell detector using ProGuardCORE

Host: GitHub
URL: https://github.com/mrjameshamilton/log4shell-detector
Owner: mrjameshamilton
License: apache-2.0
Created: 2022-01-10T18:52:04.000Z (almost 3 years ago)
Default Branch: master
Last Pushed: 2022-08-05T14:49:03.000Z (over 2 years ago)
Last Synced: 2023-08-13T11:32:22.568Z (about 1 year ago)
Topics: cve-2021-44228, detector, log4j, log4shell, proguard-core, security
Language: Kotlin
Homepage:
Size: 77.1 KB
Stars: 5
Watchers: 2
Forks: 4
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Log4Shell detector

Yet another log4shell detector, similar to [log4jscanner](https://github.com/google/log4jscanner),

[log4j-detector](https://github.com/mergebase/log4j-detector) etc but built with [ProGuardCORE](https://github.com/Guardsquare/proguard-core).

It detects the usage of log4j versions vulnerable to CVE-2021-44228. 

For more information about the vulnerability see [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8984) 

and [Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html).

# Executing

You can download the [release distribution](https://github.com/mrjameshamilton/log4shell-detector/releases/tag/v1.0.0), extract and run the shell/bat script. The input can be a jar file, class file, directory, Android aar or Android apk.

```

$ bin/log4shell-detector 

```

Or you can clone this repository and execute via Gradle:

```bash

$ ./gradlew run --args=/path/to/my.jar

```

# Building

The application can be built from source via Gradle:

```

$ ./gradlew build

```

This will generate distribution archives in the `build/distributions` directory.

# How does it work?

The detector looks for a specific constructor that appears in log4j < 2.15.0,

similar to [this Yara rule](https://github.com/darkarnium/Log4j-CVE-Detect/blob/main/rules/vulnerability/log4j/CVE-2021-44228.yar).

[ProGuardCORE](https://github.com/Guardsquare/proguard-core) is used to parse the input, and a combination of class and member

filters are used to look for the specific constructor.

[dex2jar](https://github.com/pxb1988/dex2jar) is used to convert dex files in Android APKs files to class files.

# Shadow packed log4j

Shadow packed versions of log4j should be detected, for example if

the log4j package is renamed to `com/example/org/apache/logging/log4j`.

# Obfuscated applications

If an application is obfuscated then the detector may not detect the vulnerability,

since it is name based.