hynekpetrak / log4shell-finder Goto Github PK

Hi,

I tried the pre-build windows binary from the dist Folder and realized that the all option to scan all local drives (a5cfac0) doesn't work, no drives where found, so nothing was scanned until I had to defined c:\ d:\ instead.

I tried to build the binary on my own with pyinstaller and was running into the same issue, by checking the code I assumed that there might be a problem with the win32api and win32file import so drives will become none.

At least for me it was necessary to run pyinstaller --hidden-import win32api --hidden-import win32file -F ./test_log4shell.py to enforce that those modules will be included in the binary. Afterwards the all option was working as expected, every available drives was found and scanned.

Cheers
Dominik

FR
IIt would be great if there was a -c (csv output) option so that you could wrap the scanner in ansible wrapper and use it on a group of machines. Earlier we wrapped the scanner https://github.com/mergebase/log4j-detector but it doesn't keep up with updates a bit and runs slower (there are also problems with memory consumption). As a result, looks like this.

This output is quite convenient for fast processing of a large group of hosts. I have attached an example file. In the attached file, the separator is "@", but you can use for example ","
role1.4-output.csv

PS. I think it would also be a good idea to make an exception on all Linux hosts /proc by default, this will reduce the speed of scanning (and accessing swap, when touching /proc), but will not worsen its results.

Thanks for the scanner, it's the best.

Hi,

the detection for CVE-2022-23307 was introduced in commit b271f27 and later changed in commit b04487e.

In the first commit, there was no dependency to any other CVE, in the second one the dependency to JMSSINK was added.
As far I understand CVE-2022-23307 and based on my tests, this change / dependency avoids the detection in most cases and therefore should be reverted to the initial state?

Cheers
Dominik

Please make build binary files for 32bit system.
Write how I can build them myself.
Thanks!

Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

1. Windows 32 bit version, should work on all versions of Windows OS (32-bit and 64-bit) both client and server, starting from w7 and above
2. Linux 32 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.
3. Linux 64 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

It may be useful to anyone.

Windows run example:
test_log4shell_1.2120220209.exe all --csv-out --no-csv-header --csv-clean

Linux 32 bit run example:
test_log4shell_1.2120220209.bin32 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

Linux 64 bit run example:
test_log4shell_1.2120220209.bin64 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

After the work is completed, a short-hostname_ip.csv file with the scan results will appear in the directory from which the file was run.

test_log4shell_1.2120220209_32.zip
test_log4shell_1.2120220209_64.zip
test_log4shell_1.2120220209_exe.zip

Please add an argument, that will add to each line of the csv output ( --csv-out ) information about the passed path argument, when the scanner starts, exclude path, and the time spent on scanning the host (even when the verdict is CLEAN), total scanned files and folders.

This information will be useful for analyzing the scanner's work statistics.

Example in attach.
localhost_10.10.10.10.csv

1 line from the host with the verdict for example CLEAN. It will help for mass rolling scanning of hosts to have also a list of scanned hosts.

"2022-01-25 00:00:00","1.2120220125","192.192.192.192","localhost.localdomain","Linux","6.x86_64","x86_64","Package","CLEAN","","",""

Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this.
I liked the proposed implementation.
1 separate row for each host, instead of adding statistics to each row by adding extra columns (when the --csv-stats argument is specified). This approach is better than I originally suggested.

launched on 75cb4f1
test_log4shell_1.2120220126.py all --csv-out --no-csv-header --no-error --csv-clean --csv-stats
output2.csv
output1.csv

Proposed format
output1-expected.csv
output2-expected.csv
Also in the proposed output, I propose to slightly change the output of --csv-clean, for unification

thank you in advance.

For example, for 1 CPU, this will give a fairly large load on the server.
min(32, os.cpu_count() + 4)

Please add JAVA version to output (csv)

When the scanner finds Log4J-1.1.1 the verdict turns out to be just an empty space. I think that you need to add a status that would indicate in such cases the need for manual verification, for example manual or add an existing CVE.

2019-06-19 10:10:10 1.2120220117 333.333.333.333 server.com Windows 2022 AMD64 Package ...\lib\log4j-core.jar contains Log4J-1.1.1 <= 1.2.17, JMSAppender.class not found 1.1.1

FR
For mass scanning of a host group by a scanner, it would be great if the name of the output file (when using some key) was generated automatically using the hostname_ip.csv template.
This will allow you to collect all the received files into one directory (without thinking about the coincidence of file names) and executing, for example
cat ./*.csv > report_all.csv
to get a general report.

Thanks for the scanner.

I've been running this on our AMD Threadripper 2990WX machine and since it took more than 5 minutes, I started to investigate why.

It looks like the disk is bored and only one CPU core is loaded with 100%, all other cores are also idling.

I didn't have a look at the source code but maybe a two-pass approach might speed things up:

• Build a list of all files to be scanned. This probably cannot be parallelized much
• Go through the list in several threads so it's not just one CPU core doing all the work

1. CVE-2017-5645
2. CVE-2021-42550
3. CVE-2020-9488

It is especially important to detect CVE-2021-42550

Maybe in the documentation (readme) such a table will be useful

Thanks for the scanner, it's great.
As part of our use, we have made a few minor improvements to it, maybe they will be useful to everyone.

1. CVSS score change according to nvd.nist.gov
2. UTF8 patch, fixes problems on Windows systems with a non-UTF 8 locale installed in path
3. all new argument, for windows version (close to similar --same-fs on Linux)
   remove header to --cvs-out, it is not needed when you do multiple system scans, and then combine the file into one. For example, running on a host group (Windows) from a network drive with the parameter
   log4shell.exe all --csv-out
   and after scanning the collection to 1 report
   type *.csv > all.csv (for Windows)
   cat .csv > all.csv(for Linux)
4. some changes to cvs output, it becomes more convenient
   log4shell_1.22.2.6.zip

Please build binary file for 32bit system (Linux)

If time & date were included in the log output, it would be easier to copy it somewhere as evidence

add arguments, option to exclude a path

add json format output The Results

For all versions of windows, you can make one common binary file. All versions of windows contain 32 subsystems, so such a binary file will work on all Windows systems.

In order to support all versions of windows from windows 7, you need to use version 3.7.9 to build with pyinstaller