Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046)

Показать описание

This video is an explanation of the recent RCE vulnerability in Log4j (CVE-2021-44228, CVE-2021-45046) that affect many Java applications across the whole Internet. Importantly, the initial fix deployed can also be bypassed so even those who patched may still be vulnerable.
From the video, you will learn what is log4j vulnerability is, how to create a log4j exploit to check if your Java app is vulnerable and how to fix the vulnerability before the bad guys detect it.

✉️ Sign up for my newsletter✉️

Sources:

🖥 Get $100 in credits for Digital Ocean 🖥

Follow me on twitter:

Timestamps:
00:00 Intro
00:29 What are JNDI lookups in Log4j?
01:45 Base version of the attack
03:00 The fix for Log4j 2.x before 2.10
03:19 Why fix for versions 2.10 before 2.15 is not working (CVE-2021-45046)
06:09 The fixes and bypasses for Log4j 2.15 (CVE-2021-45046)
08:11 What about version 2.16? (CVE-2021-45105)
08:41 Detecting the vulnerability
10:45 Reproducing the Log4j RCE
12:07 Attacking servers that are firewalled-off

#Log4j

Рекомендации по теме

Комментарии

Welcome to the comment section! I hope this video was useful for you. If it was, make sure to leave a like and check out other videos about real-world vulnerabilities on my channel!

BugBountyReportsExplained

Very nice overview. I've consulted several resources and this one makes it very clear. Thanks.

jozefwoo

I found the Log4J in my client-site (confirmed), I can extract small data via DNS Exfiltrate technique according to your video. Then I try to setup LDAP to get reverse shell, the site can contact to my LDAP but it always get stuck, and I cannot even get reverse shell or create a file in the server. What's the reason?

montala

That was an awesome stuff my dear friend.

melvin

Could I ask about why my server fetch the java class and execute it?
Cause of unserialize?
or others reason?

egao

Nice. Do you have any info about the recent CVE-2021-45105? It recommends to update log4j to 2.17.0

_zrday

Amazing video! Wow great stuff I appreciate it

kosmonautofficial

I just wonder if the log4j library has been used by Oracle (sic) developers in java JVM(JDK) development and has the whole Java ecosystem been compromised? Maybe? Eh? Could it?

atol

I want to contact you for business purpose, any email id?, Unable to contact you on twitter

HackerSumitJi

Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046)

Log4j (CVE-2021-44228) RCE Vulnerability Explained

Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046)

Log4j Remote Code Execution Exploit in Minecraft

Log4j Vulnerability (Log4Shell) Explained // CVE-2021-44228

Log4J Vulnerability (Log4Shell) Explained - for Java developers

CVE-2021-44228 aka Log4j RCE Explained

Minecraft Beaten in 0:00.050 Using Log4j Exploit

Log4j Vulnerability Could Give Hackers Control Over Millions of Devices

Log4j vulnerability explained

How Hackers Exploit Log4J to Get a Reverse Shell (Ghidra Log4Shell Demo) | HakByte

Log4J - CVE 2021-44228 (Log4Shell) - Exploitation & Mitigation

CVE-2021-44228 Log4j (Minecraft) RCE Proof-Of-Concept

Apple, Tesla, Minecraft Hacked - Log4j RCE Vulnerability in Java

CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE)

Log4j 'Log4Shell' RCE explained (CVE-2021-44228)

Log4J & JNDI Exploit: Why So Bad? - Computerphile

Log4j Vulnerability explained and fix CVE-2021-44832

Minecraft Java Log4j RCE Vulnerability montage and tutorial

The Scariest Week in Minecraft History

What is the Log4j Vulnerability and How to Protect Against It

Apache log4j Vulnerability Explained

Remote Command Execution Explained and Demonstrated!

Exploits Explained: How Log4j, Buffer Overflows and Other Exploits Work

Log4j Vulnerability explained in detail