Fuzzing Java to Find Log4j Vulnerability - CVE-2021-45046

After the log4shell (CVE-2021-44228) vulnerability was patched in version 2.15, another CVE was filed. Apparently log4j was still vulnerable in some cases to a denial of service. However, it turned out that on some systems the issue can still lead to remote code execution. In this video we use the Java fuzzer Jazzer to find a bypass.

00:00 - Intro
00:54 - Chapter #1: The New CVE
03:38 - Chapter #2: Disable Lookups
05:43 - Chapter #3: Vulnerable log4j Configs
07:52 - Chapter #4: The Remote Code Execution
10:53 - Chapter #5: Parser Differential
12:57 - Chapter #6: Differential Fuzzing
16:07 - Chapter #7: macOS Only
18:15 - Chapter #8: Increase Impact
19:03 - Summary
19:58 - Outro

Comments

As a dev I never thought of security in such detail, but after watching this channel I have been practicing analysing my code for vulnerabilities and avoiding features that can be used as a vulnerability in combination.
My favourite approach is to never make a magic function.
Thank you!

rinzler_d_vicky

As a professional Java developer, I have never once heard someone call log4j "Log Forge". And considering the name literally means "Log for Java", I would argue anyone saying "Log Forge" is wrong. Although I suppose this is probably just another gif situation lol

FaultyMuse

Now you just need to put a sudoedit payload in a log4j injection xD

VLS-Why

For anyone wondering how did they fix this difference in URI parsing behaviours -> They didn't. They just completely removed the whitelisting checks and restricted the whole shebang to only `java` scheme, so no LDAP URIs would pass through.

Dndo

Great dive into this CVE, since I don’t work with Java I took this one as an FYI so it’s great to come across an easily digestible report on it. 😄

EER

Missed opportunity to play some jazz while the fuzzer runs. Thanks for the video.

jrmiasmg

It's always worth it... watching the content you make.

koooqgg

Jazzer looks neat - thanks for the reference.

logiciananimal

Great video, thank you!
I feel something is missing in the video - it's still not clear why macOS and Alpine are affected? Maybe other operating systems? Why?
Probably because of different libc implementations that provide DNS resolution functionality.

PavelTimofeev

Training to be a Java SDET and we're covering Log4J tomorrow... time to learn beforehand haha

ThistleBlue

I'd like more Java videos from you. I know you don't do much with Java, but it's more relevant for programmers (because it's a popular language). Keep up the good content, man

kallocainsynthemesc

18:10 'Z'ystems :D 🇩🇪
Continuing the sentence, they become "systems" again :D

eebba

This was a fruitful collaboration. Thanks @liveoverflow for the insights. It's always amazing to see top hackers coming together!

MuhammadBinZafar

Just curious if you have noticed CVE-2017-5645? Probably a very early sign of the nowadays problems

krzysztoflewandowski

How can you inject your code via these localhost#<something> URLs though? You say "the connection worked" for the other dude, but the connection to what? There clearly can't be a domain like localhost#<my attacker site> - so how did he actually inject something? What did the DNS resolve and how could it resolve anything at all? o_O

MVMn

Thank you very much for this awesome video. Does Anthony Weems have a YouTube channel?

mohamedjames

8:44
Nah, it doesn't look good, still seems overly complex. Too many nested ifs; this could use the early return pattern, which you definitely should use whenever you do safety checks: you should return instantly when anything is wrong and do operations only when all is right.

doktoracula
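The fix Dndo describes above (only the `java` scheme allowed, no host allow-list) written in the early-return style doktoracula asks for, as an added Java example that is neither log4j's code nor from the video; the class name `JndiGate`, the sample lookup names and the allow-list are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Constructed example (not log4j's code): a strict gate in front of any JNDI lookup.
// It mirrors the described behaviour of accepting only "java:" names and shows why an
// allow-list built on URI.getHost() was too weak against a '#' in the host part.
public final class JndiGate {
    // Returns true only when the name is safe to hand to JNDI; every check bails out early.
    public static boolean isAllowed(String name) {
        if (name == null || name.isEmpty()) {
            return false;                         // nothing to look up
        }
        final URI uri;
        try {
            uri = new URI(name);
        } catch (URISyntaxException e) {
            return false;                         // unparseable names never reach JNDI
        }
        if (!"java".equalsIgnoreCase(uri.getScheme())) {
            return false;                         // ldap, rmi, dns etc. are rejected outright
        }
        if (uri.getRawAuthority() != null) {
            return false;                         // java: names are local; no host part allowed
        }
        return true;
    }

    // Host allow-list check as it could naively be written; kept only to show the weakness:
    // java.net.URI ends the authority at '#', so "localhost#other.example" parses as host "localhost".
    static boolean hostAllowListed(String name, List<String> allowedHosts) {
        try {
            String host = new URI(name).getHost();
            return host != null && allowedHosts.contains(host);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] samples = {                      // constructed inputs
            "java:comp/env/appName",              // allow-list false, strict true
            "ldap://localhost:1389/a",            // allow-list true,  strict false
            "ldap://localhost#other.example:1389/a", // allow-list true (weakness), strict false
            "rmi://127.0.0.1/obj"                 // allow-list true,  strict false
        };
        for (String s : samples) {
            System.out.printf("%-42s allowlist=%-5b strict=%b%n", s,
                hostAllowListed(s, List.of("localhost", "127.0.0.1")), isAllowed(s));
        }
    }
}
```

Compile with `javac JndiGate.java && java JndiGate` (Java 9 or newer for `List.of`); the third sample is the one the host allow-list waves through even though the name is not the host that will later be contacted.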

So, the bypass was found through a parser differential. But it only works on MacOS... Because of a parser differential 😳

Hexcede

Man Man Man !!! You oversimplified that initial statement. I understood this half asleep.

Mayurdusane

But wouldn't the remote code execution require that someone actually registers the localhost# domain, which is impossible since it's invalid? Even if someone is running macOS and it parses the invalid hostname, the DNS server shouldn't return anything since the hostname is still invalid. So this is actually not exploitable unless the DNS server is also vulnerable or the attacker controls the DNS server.

KeinNiemand