
How we detect Log4Shell to help you find targets using vulnerable Log4j versions

by Adrian Furtuna


We’re breaking down our technique for detecting CVE-2021-44228 (Log4Shell) because we believe our users should understand what’s happening behind the scanners so they can avoid a false sense of security.

In complex situations such as this one, it’s helpful to be open, realistic, and share knowledge, so we can all contribute to managing risk the best we can.

There is already a dedicated Log4Shell article where we describe the Log4Shell vulnerability in detail, so we won’t spend too much time on it here. However, how our tools carry out that detection deserves specific attention.

We, at Pentest-Tools.com, have added detection capabilities for this Log4j vulnerability to two tools: the Website Scanner and the Network Scanner.

These scanners implement distinct detection techniques, which we describe below.

The recommended detection method: using the Website Scanner

We recommend using the Website Scanner as the primary detection tool for Log4Shell. Here’s why.

The scanner uses a payload such as ${jndi:ldap://private-ldap-server/test} and injects it into various locations in the target application. If a vulnerable Log4j version logs the injected value, its JNDI lookup makes the application open an LDAP connection to one of our private LDAP servers (hosted in our cloud environment). That out-of-band callback is the evidence we use to flag the target as vulnerable.

Since the Website Scanner is actually a full-blown web vulnerability scanner, it also crawls the target application and indexes all the injection points. Thus, the Log4Shell payload is injected into:

  • Base URL
  • HTTP headers (more than 50 headers)
  • All application input fields from HTML forms (e.g. username, search, etc.), which it obtains by crawling the app.

 

[Screenshot: Log4j finding in the Website Scanner results]

Because the Website Scanner has extensive coverage of the target application, we believe it is the most effective detection method for Log4Shell.

Even though this technique is highly accurate (a callback to our server is direct proof that the lookup was evaluated), it has some limitations:

  • If you are scanning an internal server that is not allowed to initiate outbound LDAP connections to the internet, the vulnerability won’t be detected. For this situation, we are working on a new detection method based on DNS requests, which relies on the assumption that DNS resolution is permitted from the internal network.
  • Our detection is synchronous, meaning the scanner expects the vulnerable app to process the request immediately and send the LDAP request to our server while the scan is still running. If the application only passes the injected value to Log4j later (e.g. a batch job that logs it after a few minutes), we will probably not detect it as vulnerable.

Log4Shell detection using the Network Scanner

The custom detection modules we are implementing in the Network Scanner take a different approach to detecting Log4Shell.

Instead of looking at the target as a generic web application, the Network Scanner searches for the vulnerability in specific or well-known applications that are using Log4j, such as:

  • Apache Flink
  • Apache Tomcat
  • Apache Druid
  • Apache Struts2
  • Apache Solr
  • VMware vCenter.

In this case, the scanner does not crawl the target application, but it injects the payload (similar to the Website Scanner’s) into:

  • Base URL
  • Multiple headers (the same as Website Scanner)
  • Specific input fields, depending on the target application.

We implemented this detection in the Network Scanner using Sniper Automatic Exploiter modules, which will soon also be able to exploit the vulnerability when you want to prove that the risk is real. Exploitation will be available exclusively through Sniper, which is coming shortly to the platform.

Run a focused scan faster: use the dedicated Log4Shell pentest robot

To help you with identifying potential issues faster, we’ve created a ready-to-use pentest robot that scans for Log4Shell exclusively using the Website Scanner – with a predefined set of options.

Only the “Log4j Remote Code Execution” attack option is enabled in this robot, which makes the scan much faster than a default full scan.

 

[Screenshot: Website Scanner attack options with only “Log4j Remote Code Execution” enabled]

Just add your assets to the Targets page, then scan them all using the Log4Shell pentest robot (which you can also schedule to run when you need it):

 

[Screenshot: the Log4Shell pentest robot]

 

[Screenshot: Log4Shell result in the Website Scanner]

Using this specialized robot helps you, other pentesters, and us by reducing the load that full scans create. Thank you for that!

The right tools can help you amplify your knowledge

It is really important to understand what your tools are doing behind the scenes, so that the picture you have of your security posture is an accurate one.

While there is no perfect solution for flawless Log4Shell detection, using multiple tools increases your chances of having good coverage of the problem.

We’ll keep you posted as we roll out new updates on the platform!
