Can we find Log4Shell with Java Fuzzing? 🔥 (CVE-2021-44228 - Log4j RCE)

preview_player
Показать описание

In this video, I'm trying to find the famous java Log4Shell RCE (CVE-2021-44228) using fuzzing. I'm targeting apache log4j2 version 2.14.1 and I'm using Jazzer, the Java fuzzer developed by Code Intelligence. I will show and give you everything to reproduce the same at home ;)
Don't forget to patch the apache log4j vulnerability by switching to version log4j 2.15.0 or 2.16.0.

#Fuzzing #log4j #Log4Shell

00:00 Introduction
03:58 Jazzer: the best Java fuzzer
05:22 Fuzzing harness
07:38 Run the fuzzer
10:30 Why we are not finding the Log4Shell?
16:33 Final words

Links:

==== 💻 FuzzingLabs Training ====

==== 🦄 Join the community ====

==== 📡 Socials ====

Keywords: Fuzzing, Fuzz Testing, Java, Jazzer, Log4Shell, log4j, log4j2, RCE, CVE-2021-44228
  1. FuzzingLabs
  2. java fuzzing
  3. log4j rce
  4. java fuzz testing
  5. java fuzzer
  6. jazzer fuzzer
Рекомендации по теме
Can we find 0:18:34

Can we find Log4Shell with Java Fuzzing? 🔥 (CVE-2021-44228 - Log4j RCE)

Log4Shell Explained - 0:00:59

Log4Shell Explained - Part 1

How Hackers Exploit 0:08:42

How Hackers Exploit Log4J to Get a Reverse Shell (Ghidra Log4Shell Demo) | HakByte

How to Find 0:04:35

How to Find the Log4j Vulnerability Using Syft and Grype

Apache Log4j: The 0:15:41

Apache Log4j: The Exploit that Almost Killed the Internet

[Demo] Apache Log4j 0:02:53

[Demo] Apache Log4j (Log4Shell) Vulnerability – How to discover, detect and protect

Hunt for Log4Shell 0:00:48

Hunt for Log4Shell with Azure Sentinel, the fastest way, find obfuscations

Log4j (CVE-2021-44228) RCE 0:03:44

Log4j (CVE-2021-44228) RCE Vulnerability Explained

Log4J Vulnerability (Log4Shell) 0:20:50

Log4J Vulnerability (Log4Shell) Explained - for Java developers

Log4Shell Explained - 0:00:57

Log4Shell Explained - Part 2

What do you 0:44:55

What do you need to know about the log4j (Log4Shell) vulnerability?

[Demo] Apache Log4j 0:03:14

[Demo] Apache Log4j (Log4Shell) Vulnerability – How to use Cloud One to discover, detect and protect...

Log4J and JNDI 0:07:55

Log4J and JNDI Exploit Explained - Log4Shell

Log4j Lookups in 0:16:07

Log4j Lookups in Depth // Log4Shell CVE-2021-44228 - Part 2

Log4Shell & Log4j 0:10:25

Log4Shell & Log4j Explained - ThreatWire

Log4J - CVE 0:45:40

Log4J - CVE 2021-44228 (Log4Shell) - Exploitation & Mitigation

Detecting Log4J activity 0:12:09

Detecting Log4J activity with just QNI. Part One

Log4j Vulnerability (Log4Shell) 0:17:44

Log4j Vulnerability (Log4Shell) Explained // CVE-2021-44228

How Log4J Works 0:20:13

How Log4J Works and Detecting It In Your Environment (DEMO AND TOOLS)

CVE-2021-44228 - Log4j 0:34:52

CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE)

Log4j Vulnerability Could 0:09:34

Log4j Vulnerability Could Give Hackers Control Over Millions of Devices

Can We Find 0:08:40

Can We Find a New Exploit Strategy? | Ep. 13

Apache Log4j (Log4Shell) 0:02:53

Apache Log4j (Log4Shell) Vulnerability – DEMO How to discover, detect and protect

log4shell Explained | 0:19:26

log4shell Explained | What, Why & How | Hacking using log4j vulnerability

Комментарии
Автор

hey patrick, thanks for the video, very informative! keep on fuzzing ;-)

xca
Автор

LAST MINUTE UPDATE: Jazzer has been updated to detect such vulnerabilities

fuzzinglabs
Автор

I tip is to use -close_fd_mask=1 as argument when running this. This will close stdout and you will get a lot better execution speed.

trexake
Автор

Hey! your advice helped me! i started using phaser zest for java.
mvn test-compile >>
and
mvn jqf: fuzz -Dclass = foobazbar -Dmethod = testmethod -Dtime = 100500m
here is my question:
if with simple types such as integer or long everything is ok
you can set the range @InRange (min = "8", max = "13") int _value

how do i change the input fuzzer with string ???
otherwise he throws me mostly in Chinese))

love from russia :) and happy new year)🦢🦢🦢

dt_sevatarion