
darkarnium / Log4j-CVE-Detect

Licence: BSD-3-Clause
Detections for CVE-2021-44228 inside of nested binaries


Log4J-CVE-Detect

This repository contains a set of YARA rules for detecting versions of log4j which are vulnerable to CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105, by looking for a number of features which appear in affected versions.

This tool works recursively on binary files such as Docker images, system packages, filesystem images, and even installation media. See the "How does it work?" section for a full list of supported file formats.

  • CVE-2021-44228
    • Looks for the signature of a JndiManager constructor (< 2.15.0).
  • CVE-2021-45046
    • Looks for Interpolator classes which do not import JndiManager (< 2.16.0).
  • CVE-2021-45105
    • Looks for AbstractConfiguration classes which do not import ConfigurationStrSubstitutor (< 2.17.0).

Although there are a number of resources available for detecting insecure use of log4j using CodeQL or Semgrep, there have not yet been any resources made available for detecting potentially vulnerable log4j versions inside of binary artifacts.

This presents a challenge for organisations running enterprise applications which were not developed internally, or where the source code is not immediately available to teams performing the initial triage.

As this vulnerability is likely to turn up in various "unexpected" places, this tooling intends to assist in detecting vulnerable versions of log4j inside of compiled artifacts, which can then be manually reviewed to determine exploitability.

Caveats

Obfuscated code will result in false negatives: if the class names and signatures these rules key on have been obfuscated, a potentially vulnerable component cannot be detected.

Running it

To run this tool, clone this repository and follow these steps. This assumes that Docker and jq are installed.

  1. Add binaries which need to be checked into the artifacts/ folder
  2. Run quickstart.sh (./quickstart.sh)

Alternatively, the run can be customised using the following command:

docker run \
    --rm \
    --mount type=bind,source=$(pwd)/artifacts,target=/mnt/stacs/input \
    --mount type=bind,source=$(pwd)/rules,target=/mnt/stacs/rules \
    stacscan/stacs:latest \
      --rule-pack "/mnt/stacs/rules/vulnerability.json" \
      "/mnt/stacs/input"

If you only wish to look for CVE-2021-44228, the following command can be used:

docker run \
    --rm \
    --mount type=bind,source=$(pwd)/artifacts,target=/mnt/stacs/input \
    --mount type=bind,source=$(pwd)/rules,target=/mnt/stacs/rules \
    stacscan/stacs:latest \
      --rule-pack "/mnt/stacs/rules/CVE-2021-44228.json" \
      "/mnt/stacs/input"

If you only wish to look for CVE-2021-45046, the following command can be used:

docker run \
    --rm \
    --mount type=bind,source=$(pwd)/artifacts,target=/mnt/stacs/input \
    --mount type=bind,source=$(pwd)/rules,target=/mnt/stacs/rules \
    stacscan/stacs:latest \
      --rule-pack "/mnt/stacs/rules/CVE-2021-45046.json" \
      "/mnt/stacs/input"

If you only wish to look for CVE-2021-45105, the following command can be used:

docker run \
    --rm \
    --mount type=bind,source=$(pwd)/artifacts,target=/mnt/stacs/input \
    --mount type=bind,source=$(pwd)/rules,target=/mnt/stacs/rules \
    stacscan/stacs:latest \
      --rule-pack "/mnt/stacs/rules/CVE-2021-45105.json" \
      "/mnt/stacs/input"

This tool can also be run without Docker. Please see the STACS installation instructions for how to install STACS without Docker.

What about Docker?

To scan a Docker image it first needs to be exported to the artifacts directory for scanning. This can be done using the following command:

IMAGE="alpine:latest"
NAME="alpine_latest"

docker export $(docker create ${IMAGE}) -o artifacts/${NAME}.tar

Alternatively, a running container can be exported using just:

# Replace CONTAINER_ID with the correct container identifier.
CONTAINER_ID="c29209118f9a"
NAME="widget_example"

docker export ${CONTAINER_ID} -o artifacts/${NAME}.tar

I got a finding! What do I do?

You'll need to investigate the use of log4j in the application to understand if the product is vulnerable. If this is not possible, due to lack of access to source code or otherwise, you should check whether the vendor has published any advisories on the matter.

There is no guarantee that the inclusion of a vulnerable version of log4j means that the product is vulnerable!

If you cannot find any advisories, you should contact the vendor to ask them about the impact of this vulnerability on the product.

Also consult the mitigations published by the log4j project. Alternatively, and preferably, upgrade to an unaffected version of log4j.

How does it work?

Although not designed for this purpose, this tool uses the STACS engine for bulk binary decomposition and analysis.

STACS is a YARA-powered static credential scanner which supports binary file formats, analysis of nested archives, composable rulesets and ignore lists, and SARIF reporting.

As an example, this tool can analyse a tarball which contains an exported Docker image, which contains a JAR somewhere on the filesystem which is affected by this vulnerability.

It can also analyse nested tar, jar, war, ear, zip, apk, bz2, tgz, xz, rpm, iso, etc.

I found a false positive / negative

Please open a GitHub issue describing the problem and, where possible, linking to the affected binary artifact.

Pull requests to adjust the rulesets would also be greatly appreciated!

Validation

See the validation/ directory for a set of log files from validation of this ruleset.
