It's my first week working in cyber security environment professionally. Trying to get a grasp on my organization's infrastructure while trying to help with the log4j vuln has been a real trial by fire lol. Always enjoy your content!
I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.
I love how you actually demonstrate the vulnerability and not just talk about it, like what most others are doing. Keep it up mate, you've got my Subscribe!
Just started a new job, and moved my support area from networking to applications. Day 1 of the new gig and I was hearing it was an all-hands to deal with the "new vulnerability". Thankfully new enough that there was no headache for me to deal with, but oof, glad to see what they were up against!
good explination. told exactly what it is and how it works. yeah i know what im looking at already but for anyone else that has no idea, this is the video they should watch
The ${…} syntax is not part of Java - it’s solely a Log4j syntax. (If it were part of java there would have been no problem, as it would have been evaluated at compile-time, not run-time)
@@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it. I've used Log4j before some years ago, and never knew about that "Lookup" feature - and aparently i was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as i don't want the text i log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...
@@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);
@@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.
Hi Marc, great video. If I see it right, the outbound connections to e.g. a LDAP server is always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!
I can't believe that it is that simple. The first thing you learn is always to control the input that is given. That is why you wont just take the given SQL command and execute it. To think that log4j didn't sanitise their input ist just CRAZY. That's a one liner, my god...
Great video. Question, so is the problem that even though log4j stores that command string in a log file it gets executed while being written to the file?
It's quite a good video but I think you should have talken about the jndi/ldap breach that enable rce. Jndi/ldap basically doesn't allow to inject malicious code, but a breach form 2017 make it possible to inject and initialize a custom Java class the ldap server redirects to
when I try to do same thing in my eclipse using log4j < 2.16, the jndi url is not getting invoked. It is simply printing in log message.. Any clue why ?
@marcus Hutchins, I recently used your strategies from the pd64.exe video to dump some embedded dlls from a Trojan google chrome installer. Thanks for all the guidance!
Words cannot describe- how did this slip unnoticed? I cannot imagine writing code that would result in behavior like this, and yet it must surely be a trap even experienced developers might fall into.
@@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.
You are the man Marcus, one thing though, how can i emulate this into my environment, I tried your commands and getting Error: Could not find or load main class Main error.
I have to ask, what happens if you are running a VPN? Will the VPNs server get infected with whatever malware/ransomware/trojan/ddos/worm a black hat sends their way?
hi can anyone help me when i try to inject any executor in any game it says "This exploit is down while critical ace/rce vuln is fixed" this is on roblox btw
Great. Now show the LDAP server configuration and how exactly it serves the java object payload. None of the videos seem to explain how that works. They either evade it or use marshalsec LDAP server also never explaining how it works.
i am somewhat of a beginner programmer but i am so glad i'm able to understand so much words. back when i didnt know anything about programming, this entire video would make no sense to me at all but now, instead of simply not understanding what he says, i just... just fucking feel bored i mean like it's awesome vulneratbility which i could use to run rick astley video on somebodys PC or something, but i am not programming such stuff. . . i am simply not programming at all, the only experience i had was in unity
So you're telling me that the Log4j vulnerability is roughly the same as there was with linux a while ago where if you put something like [{:}};} (don't remember the exact spelling) you can then enter a command that can be executed from an app or the other thing that happened to twitter where you could send a tweet that would retweet itself in your browser... Why is it always the same vulnerability that is found?
I know I’m late to the party but I would greatly appreciate it of someone could clarify some things for me: 1) that error at the end, I cant quite catch it but I figure it must be due to the fact that the downloaded object cannot be concatenated without a toString method or something like that? 2) Isnt that base64 ‘calculator.exe’ just a directory on your server, not part of the actual object? 3) what is that on line 8? Is setting that property necessary for this exploit to work? Again, I appreciate highly any response :)
I still don't get it. What is it that is being returned over LDAP? Is it the base64-encoded string "calc.exe"? Is it a Java object which is doing Runtime.getRuntime().exec("calc.exe")? It's been nearly a week and I still don't get it!
In short, Log4j is a Java library that is used for logging errors and other software activities. ... The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
I'm still confused about how the jndi payload gets executed (i.e. calc.exe) in this case - isn't the jndi lookup just returning data? what is it that makes it actually execute calc.exe??? nobody seems to be able to explain this.
As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.
To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource is loading thru JNDI and passed it to the log4j logguer as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!
You saying "just came out a few days ago" makes it sound like a fun new game just got released haha
Yeah lol, I just realized that 😂
🤣🤣🤣🤣🤣
Tbf for us security professionals this is basically like a new game was just released 😂
@@-bubby9633 🤣🤣🤣
😂😂
Great demonstration, Marcus!
U got 1 subscriber
hey john
@@anuzravatMore like 1.2million
It's my first week working in cyber security environment professionally. Trying to get a grasp on my organization's infrastructure while trying to help with the log4j vuln has been a real trial by fire lol. Always enjoy your content!
I understand. I just joined a new org as part of the infrastructure team. I still don't know all our systems, but I'm learning fast as I help to find and patch systems as needed/available.
Welcome to the industry and good luck!
@@complexedone Good Luck. We will get there eventually!
what have you been doing to help? what's your role? i'm looking to start in security soon!
Best way to learn quickly though. This is a blessing in disguise for you!
I love how you actually demonstrate the vulnerability and not just talk about it, like what most others are doing. Keep it up mate, you've got my Subscribe!
Yup, learnt more from this than the over engineered blogs I've been tracking!
not to mention how he only did it in ~3 mins, saves a lot of times for such a great explanation
Clicking various links for 30 minutes, trying to understand the issue, and you explain it in less than 4. Thank you!
Thanks Marcus. I appreciate your ability to explain a vulnerability like this and demo it in a really understandable way.
I had problem understand this from days and you explained it under 4 mins. You're amazing Marcus 👏❤️
With videos out there in 20+ mins and you here with less than 4 mins explaining it so clearly, I know which video to click from next time.
This is one of the great demonstrations I have listened on CZcams. You are amazing!!
This explanation is so cool! I’ve been hearing about the vulnerability but nobody took the time to explain it this way. Thank you! :)
One of the best explanations with practical demo. Thank you ..
Just started a new job, and moved my support area from networking to applications. Day 1 of the new gig and I was hearing it was an all-hands to deal with the "new vulnerability". Thankfully new enough that there was no headache for me to deal with, but oof, glad to see what they were up against!
Very well explained. Good video Marcus!
I work in IT and the last week or two has been absolutely mental thanks to this
thank you for this video marcus!!! alot of news on this and this has helped me out get a better understanding of how the vulnerability functions
First time understanding what this means. Thanks.
Thank You Marcus, simple but quiet clear to understand
"versatile" is the key word for this vulnerability.
thanks for explaining! :)
Great video! plain, simple and without bias.
good explination. told exactly what it is and how it works. yeah i know what im looking at already but for anyone else that has no idea, this is the video they should watch
Always cool to see a Marcus video out on a new vuln!
Greetings from Indonesia, I really admire you, and you are great. I'm just a beginner who wants to learn like you from the bottom
Thanks for such layman explanation, I was able to grasp it..
The ${…} syntax is not part of Java - it’s solely a Log4j syntax. (If it were part of java there would have been no problem, as it would have been evaluated at compile-time, not run-time)
@@kpaxxapk6397 the logger should sanitise the input the same way an ORM sanitises model insance lookups to avoid SQL injection.
@@kpaxxapk6397 In theory, it's a fair point - it certainly would be possible to sanitize it. But 1) the documentation did not state this anywhere afaik and 2) no one is interested in having a logging framework where you have to sanitize everything. People just want to do "log.error("My error: {}", error)" and be done with it.
I've used Log4j before some years ago, and never knew about that "Lookup" feature - and aparently i was not the only one. :) Imho, it was a very annoying feature, security flaw or not, as i don't want the text i log to sometimes be transformed into something else, just because it happens to contain "${" and "}"... And this undesirable feature was enabled by default...
@@kpaxxapk6397 Note: It would kind of be possible for Log4j to sanitize it itself... If they forced you to use it in a specific way... You CAN (but don't have to) use the logger as having a format string as first param, and then data-values for the rest of the params (similar to printf, etc)..: log.info("This is the format string. Data is {} and {}", data1, data2);
@@zaitarh This RCE was a feature, not a bug, I saw the code, it was done intentionally, I'm sure someone added this feature on purpose to use it for what the video showed us.
No idea why I always assume the ${...} syntax is Spel from the spring spell syntax but I'm not 100% sure if that's correct or not
Nice explanation, I believe showing how easy it is to do is the scary part more than anything since a lot of applications use log4j.
the variable thing in a string is called string interpolation my dude!
Great job at presenting the vulnerability!
Best summary yet
Thanks Marcus! Sweet and clean explanation!
Subbed. That was an excellent explanation.
Fantastic demonstration!
You made this very easy to understand. thanks!
Simple. To the point. Thanks man
clean explanation marcus!
Concise and to the point, thanks!
This 4 minute video was more clear and valuable then the 30minute one i just watched on this rce
cough johnhammond cough
Nice explanation ! Thank you :)
Thanks for simplifying the vulnerability
Finally no bullshitting around. Straight to the point and understandable for every novice programmer
Great explanation. And wow.
great explanation and demo
Great demonstration , thank you !
just what am looking for....thx dude
I love your videos
well, well
that's really interesting
thanks for uploading!
impactful explanation thanks
'Drop bobby tables' for Java. Nice! Thank you for this.
nice demo, thanks!
Thanks, really helpful.
Thank you for this!
Thx daddy great explanation
Hi Marc, great video. If I see it right, the outbound connections to e.g. a LDAP server is always unencrypted since JNDI does regular (unencrypted) lookups. That means that companies could look for unexpected outbound LDAP requests to servers on the internet right? Just curious. Would there be a way to make these outbound requests encrypted? Thank you!
Right to the point. Thanks man.
Great video
I can't believe that it is that simple. The first thing you learn is always to control the input that is given. That is why you wont just take the given SQL command and execute it. To think that log4j didn't sanitise their input ist just CRAZY. That's a one liner, my god...
Wow, that is a pretty glaring vulnerability. Amazing it's only just been discovered.
Better than java brains log4j explanation,now i understand
tks,
Marcus!
Great great great video
This video is perfect
Great video. Question, so is the problem that even though log4j stores that command string in a log file it gets executed while being written to the file?
Thank you so much.
thank you, very heplful
It's quite a good video but I think you should have talken about the jndi/ldap breach that enable rce. Jndi/ldap basically doesn't allow to inject malicious code, but a breach form 2017 make it possible to inject and initialize a custom Java class the ldap server redirects to
Pretty much every security team in an organization is stuck on log4j meeting 😜 Wonderful explanation though of the exploit.
Could you solve this issue by looking for an outcommenting the feature in the log4j library?
thanks for the explanation, going to make a documentary on this!
Purchased botted sub account, ratio
Great, a whole documentary nobody asked for.
when I try to do same thing in my eclipse using log4j < 2.16, the jndi url is not getting invoked.
It is simply printing in log message.. Any clue why ?
thank you!
Well done ;-)
@marcus Hutchins, I recently used your strategies from the pd64.exe video to dump some embedded dlls from a Trojan google chrome installer. Thanks for all the guidance!
Words cannot describe- how did this slip unnoticed? I cannot imagine writing code that would result in behavior like this, and yet it must surely be a trap even experienced developers might fall into.
I honestly believe that you cannot cater for what you don't expect 🤣
@@maxwellmapako3820 This is like a classic example of unsanitized input. Idk how any experienced developer like those working with the Apache Foundation couldn't expect that.
I was just thinking - this seems adjacent to our classic case of SQL injection. Crazy
You are the man Marcus, one thing though, how can i emulate this into my environment, I tried your commands and getting Error: Could not find or load main class Main error.
thanks man
And if I go to 2b2t from my phone, for example, will the exploit work on me?
(I play java minecraft on my phone)
Awesome video! Quick question: What is the symbol you have on line 11 of your code just after "logger.error(" but before "Hello..."
It says "s:" and is inserted by the ide to let you know what the parameter's called
parameter hinting
How can you set up the LDAP server on localhost and which port to choose?
Thanks!
how does an attacker make the call in the first place though? (have access to call the function with the string
By controlling some input that gets logged by the application
I wonder how many 0-day expoits out there in the open software.
Thank you
You just caught another Sub Bub, that was 🐸 toadly 🐸 understandable 😎, in just a couple of minutes.
How to fix the issue any steps are there
Great explanation.
I just didn't quite understand one thing. Is it necessary for the object you are loading to exist in the ldap server ?
Yes, but as the attacker can point the lookup to an ldap server they control, that's easy to arrange.
Nice!
I have to ask, what happens if you are running a VPN? Will the VPNs server get infected with whatever malware/ransomware/trojan/ddos/worm a black hat sends their way?
hi can anyone help me
when i try to inject any executor in any game it says
"This exploit is down while critical ace/rce vuln is fixed"
this is on roblox btw
Wasn't the base64 an extra indirection?
The class you're loading can't pop Calc.exe directly? 🙄
Great. Now show the LDAP server configuration and how exactly it serves the java object payload. None of the videos seem to explain how that works. They either evade it or use marshalsec LDAP server also never explaining how it works.
This is terrifying.
i am somewhat of a beginner programmer but i am so glad i'm able to understand so much words. back when i didnt know anything about programming, this entire video would make no sense to me at all
but now, instead of simply not understanding what he says, i just... just fucking feel bored
i mean like it's awesome vulneratbility which i could use to run rick astley video on somebodys PC or something, but i am not programming such stuff. . . i am simply not programming at all, the only experience i had was in unity
So you're telling me that the Log4j vulnerability is roughly the same as there was with linux a while ago where if you put something like [{:}};} (don't remember the exact spelling) you can then enter a command that can be executed from an app or the other thing that happened to twitter where you could send a tweet that would retweet itself in your browser...
Why is it always the same vulnerability that is found?
Its not a part of java as somebody mentioned before. The syntax is kind of string interpolation though.
I know I’m late to the party but I would greatly appreciate it of someone could clarify some things for me:
1) that error at the end, I cant quite catch it but I figure it must be due to the fact that the downloaded object cannot be concatenated without a toString method or something like that?
2) Isnt that base64 ‘calculator.exe’ just a directory on your server, not part of the actual object?
3) what is that on line 8? Is setting that property necessary for this exploit to work?
Again, I appreciate highly any response :)
Thanks for the demo. May i know what will be the parent process of "calc.exe"? would it be "java.exe"?
Yup, it'll be the java VM
I still don't get it. What is it that is being returned over LDAP? Is it the base64-encoded string "calc.exe"? Is it a Java object which is doing Runtime.getRuntime().exec("calc.exe")? It's been nearly a week and I still don't get it!
Thanks for explaining this
Can u also input a lambda?
In short, Log4j is a Java library that is used for logging errors and other software activities. ... The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
I'm still confused about how the jndi payload gets executed (i.e. calc.exe) in this case - isn't the jndi lookup just returning data? what is it that makes it actually execute calc.exe??? nobody seems to be able to explain this.
As I've understood it, it's basically a "hook" and the intended functionality of log4j which says: take this url, load the object/function there and run it. So the reason it is run is because that's how it was supposed to be. It's not the malicious code itself that says that it should be run. But I may be wrong here.
To answer your question: yes. everything in here is data (even this video itself), eg: Y2FsYy5leGU= is calc.exe in base64, that is the resource is loading thru JNDI and passed it to the log4j logguer as a variable to be logged. I think that is clear enough, hopefully for you too. Cheers!