
Deep scan log4j2 vulnerability using codesec code audit platform

2022-06-23 02:14:00 Dashang

The Log4j2 security vulnerability (CVE-2021-44228) was disclosed more than a month ago, but the damage it has caused is severe, and the major software security vendors rushed out patches for it as soon as it became public.

Although the vulnerability was first reported by Alibaba Cloud's security team, it was in reality a 0day, which means that long before it was reported in China it may already have been exploited elsewhere for some time.

The Log4j2 flaw may have been found long before it was disclosed

The flaw itself is not hard to find: ordinary vulnerability-hunting tools and SAST (static application security testing) tools with a JNDI injection rule can surface it, and SCA (software composition analysis) tools flag it once the affected versions are in their databases. So why had it not drawn attention or been exposed earlier?

In fact, some "security researchers" on HackerOne may well have found this vulnerability long ago and kept it as a 0day. People routinely look for SQL injection, XSS and the like, which are easy to reason about. Log writing, on the other hand, is dismissed as "just a log": the file sits on the server, and once the server is protected most people assume it is out of reach.

Several helper tools exist for exploiting JNDI injection, for example Rogue JNDI, JNDIExploit and JNDI-Injection-Exploit; after the Log4j2 vulnerability was disclosed, many people used these tools to build their payloads.

This class of vulnerability has appeared many times before. CVE-numbered examples include CVE-2021-2109, a JNDI injection through WebLogic's LDAP handling leading to remote code execution, and CVE-2018-1000130, a JNDI injection in the Jolokia proxy, version 1.3.7.

Scanning for the Log4j2 vulnerability with SAST tools

After the vulnerability was reported, I did some in-depth research over the 2022 New Year's Day holiday and tried several SAST tools to see whether they could detect the Log4j2 vulnerability.

Several well-known SAST tools failed to detect it, and none of them ships a detector for JNDI injection at all (I will not name the products here). Fortify 20.1, by contrast, reported the vulnerability at two locations.


Location 1: in ClientGui.java, line 277, the program performs a JNDI lookup with an untrusted address, which could allow an attacker to execute arbitrary Java code remotely.


Location 2: in JndiManager.java, line 203, the program performs a JNDI lookup with an untrusted address, which could allow an attacker to execute arbitrary Java code remotely.


Domestic tools vs. an established foreign tool

Fortify, as a long-established SAST tool, can be expected to detect this vulnerability. Given the current push for independently controllable (自主可控) tooling, however, I still wanted to find a domestic tool that supports detecting it, and finally tried CodeSec 3.1 from the domestic vendor 开源网安 (Open Source Network Security). The result was encouraging: CodeSec 3.1 also detected the Log4j2 vulnerability, which shows that a domestic tool can go head to head with Fortify.

CodeSec reported six JNDI security findings; its summary page lists the six JNDI injection vulnerabilities.


Analysing the paths of these six findings, they fall into two main paths, and those two paths are consistent with the two findings Fortify reported. So CodeSec not only detected the Log4j2 vulnerability but also produced a more complete set of paths.

Path 1 (screenshot in the original post)

Path 2 (screenshot in the original post)

Five of the detected findings have their trigger point at the same location, compared with only three for Fortify.


There are already many payloads for this vulnerability online, which you can search for yourself. Here I will instead use the description produced by the SAST tool to explain the vulnerability:

A JNDI injection vulnerability arises when a JNDI lookup is performed with an untrusted address; this can allow an attacker to execute arbitrary Java code remotely.

If an attacker controls the address passed to the JNDI lookup, they can point it at a server they control and have the RMI registry there return a JNDI Naming Reference that names a custom object factory; the victim JVM loads and instantiates that factory class when it resolves the reference, which amounts to remote code execution. The following example illustrates the pattern.

Example: the code below performs a JNDI lookup with untrusted data.

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;

// Deliberately vulnerable: the lookup name is taken straight from the request.
// A value such as "rmi://attacker-host/Exploit" bypasses the provider configured
// below, because InitialContext.lookup() dispatches an absolute URL to the
// URL context for its scheme regardless of PROVIDER_URL.
void lookupFromRequest(HttpServletRequest request) throws NamingException {
    String address = request.getParameter("address");          // untrusted source
    Properties props = new Properties();
    props.put(Context.PROVIDER_URL, "rmi://secure-server:1099/");
    InitialContext ctx = new InitialContext(props);
    ctx.lookup(address);                                         // JNDI injection sink
}
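As an added example (not code from the original post, from Fortify, or from Log4j), here is the hardened counterpart of the lookup above: the request value is validated before it reaches the sink. This is exactly the shape a SAST taint rule looks for: getParameter() is the source, lookup() is the sink, and isSafeName() is the sanitizer that breaks the path. The class name, the allowlist pattern and the host names in the sample inputs are assumptions made for this example.

```java
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example, not code from the original post: a request-driven JNDI
 * lookup with the name validated before it reaches the sink.
 */
public final class SafeJndiLookup {

    // Only bare resource names under the container's own environment context
    // are accepted. Any name carrying a scheme ("rmi:", "ldap:", "ldaps:",
    // "iiop:", ...) is rejected: InitialContext.lookup() hands an absolute URL
    // to the matching URL context factory, so PROVIDER_URL offers no protection.
    private static final Pattern SAFE_NAME =
            Pattern.compile("java:comp/env/[A-Za-z0-9_./-]+");

    private SafeJndiLookup() { }

    /** True only for names that may be passed to lookup(). */
    static boolean isSafeName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    /**
     * Resolves a resource from the application's naming context. The caller
     * passes the raw, untrusted value; anything that is not a plain
     * java:comp/env name is refused before any naming service is contacted.
     */
    static Object lookup(String untrustedName) throws NamingException {
        if (!isSafeName(untrustedName)) {
            throw new IllegalArgumentException("refusing JNDI lookup of: " + untrustedName);
        }
        // No PROVIDER_URL: the container's default java: context is used, so
        // even a valid name never reaches a remote naming service.
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(untrustedName);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the hosts are placeholders, not real servers.
        String[] inputs = {
            "rmi://attacker.example:1099/Exploit",
            "ldap://attacker.example:1389/a",
            "java:comp/env/../../rmi://attacker.example/x",
            "java:comp/env/jdbc/appDataSource",
        };
        for (String in : inputs) {
            System.out.println((isSafeName(in) ? "allowed  " : "rejected ") + in);
        }
    }
}
```

Only the last input passes; the third is rejected because ":" is outside the allowlist, so path tricks cannot smuggle a scheme in. This is the same direction Log4j itself took after the disclosure: 2.16.0 disabled JNDI lookups by default, and from 2.17.0 JndiManager serves only the java: scheme.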

After the Log4j2 incident, many SCA tools were updated accordingly to analyse Log4j2-***.jar as an open source component. Whether any tool could have detected this vulnerability before it was reported is unknown. But because Log4j2 is open source, it can be checked both as a component and through its source code; compared with SCA, a SAST tool can detect the vulnerability in the source itself, at a finer granularity.

In addition, I found that CodeSec also integrates SCA functionality and can detect the two CVE vulnerabilities in Log4j2 itself, which should be addressed as soon as possible.


The Log4j2 vulnerability shows that during development, in addition to testing our own code, we also need to test the open source components we reference; this is a key node of supply chain security.

Even if the chosen SAST tool has no SCA capability, the SAST tool itself should analyse open source components from their source or jar packages, so that vulnerabilities in those components can be detected at the code level.
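As an added example of the component-level check discussed in the last three paragraphs (not code from the original post or from CodeSec), here is the minimal SCA test a tool performs on a dependency jar: read the Maven metadata that log4j-core ships inside its own jar and compare the version with the range fixed for CVE-2021-44228. The class name and the temporary sample jars built by main() are constructed for this example; the pom.properties path is the standard Maven layout.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example, not from the original post: version check of a log4j-core jar. */
public final class Log4jCoreCheck {

    static final String POM_PROPERTIES =
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties";

    // 2.<minor>[.<patch>][-qualifier]
    private static final Pattern V2 =
            Pattern.compile("^2\\.(\\d+)(?:\\.(\\d+))?(?:[-.].*)?$");

    private Log4jCoreCheck() { }

    /** Returns the log4j-core version recorded in the jar, or null if absent. */
    static String readVersion(Path jarPath) throws IOException {
        try (JarFile jar = new JarFile(jarPath.toFile())) {
            JarEntry entry = jar.getJarEntry(POM_PROPERTIES);
            if (entry == null) {
                return null;   // not log4j-core, or a shaded jar without Maven metadata
            }
            try (InputStream in = jar.getInputStream(entry)) {
                Properties p = new Properties();
                p.load(in);
                return p.getProperty("version");
            }
        }
    }

    /**
     * CVE-2021-44228 affects 2.0-beta9 through 2.14.1. Apache fixed it in 2.15.0
     * and backported the fix as 2.12.2 (Java 7) and 2.3.1 (Java 6).
     */
    static boolean isAffectedByCve202144228(String version) {
        if (version == null) {
            return false;
        }
        if (version.startsWith("2.0-beta")) {
            return Integer.parseInt(version.substring("2.0-beta".length())) >= 9;
        }
        if (version.startsWith("2.0-rc")) {
            return true;
        }
        Matcher m = V2.matcher(version);
        if (!m.matches()) {
            return false;      // 1.x or unparseable: a different code base, out of scope here
        }
        int minor = Integer.parseInt(m.group(1));
        int patch = m.group(2) == null ? 0 : Integer.parseInt(m.group(2));
        if (minor == 3)  return patch < 1;   // 2.3.1 is the Java 6 fix release
        if (minor == 12) return patch < 2;   // 2.12.2 is the Java 7 fix release
        return minor < 15;
    }

    /** Writes a constructed jar holding only the metadata entry, for the demo. */
    static Path writeSampleJar(String version) throws IOException {
        Path tmp = Files.createTempFile("log4j-core-sample-", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(tmp))) {
            out.putNextEntry(new JarEntry(POM_PROPERTIES));
            out.write(("version=" + version + "\n").getBytes(StandardCharsets.ISO_8859_1));
            out.closeEntry();
        }
        return tmp;
    }

    private static void report(Path jar) throws IOException {
        String v = readVersion(jar);
        String verdict = v == null ? "no log4j-core metadata"
                : isAffectedByCve202144228(v) ? "AFFECTED by CVE-2021-44228" : "not affected";
        System.out.println(jar + ": " + v + " -> " + verdict);
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) {               // real jars given on the command line
            for (String a : args) {
                report(Paths.get(a));
            }
            return;
        }
        // No arguments: build two constructed sample jars and check them.
        for (String v : new String[] {"2.14.1", "2.17.1"}) {
            Path sample = writeSampleJar(v);
            report(sample);
            Files.delete(sample);
        }
    }
}
```

Run it with one or more jar paths to check real artifacts, or with no arguments to see the constructed 2.14.1 sample flagged and the 2.17.1 sample cleared. Shaded or repackaged jars often drop pom.properties, and WAR/EAR files nest jars inside jars, so a production SCA check also recurses into archives and fingerprints classes (for Log4Shell, the presence of org/apache/logging/log4j/core/lookup/JndiLookup.class) rather than trusting metadata alone.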

Copyright notice: this article was written by Dashang; please include the original link when reposting: https://yzsam.com/2022/02/202202091148502002.html