Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library. Excellent performance and low memory footprint.
Hi,
I tried the pre-built Windows binary from the dist folder and realized that the all option to scan all local drives (a5cfac0) doesn't work: no drives were found, so nothing was scanned until I specified c:\ d:\ instead.
I tried to build the binary on my own with pyinstaller and ran into the same issue. Checking the code, I assumed there might be a problem with the win32api and win32file imports, so drives becomes None.
At least for me it was necessary to run
pyinstaller --hidden-import win32api --hidden-import win32file -F ./test_log4shell.py
to enforce that those modules are included in the binary. Afterwards the all option worked as expected: every available drive was found and scanned.
Cheers
Dominik
FR
It would be great if there was a -c (csv output) option so that you could wrap the scanner in an Ansible wrapper and use it on a group of machines. Earlier we wrapped the scanner https://github.com/mergebase/log4j-detector, but it doesn't keep up with updates very well and runs slower (there are also problems with memory consumption). As a result, it looks like this.
This output is quite convenient for fast processing of a large group of hosts. I have attached an example file. In the attached file the separator is "@", but you can use "," for example.
role1.4-output.csv
PS. I think it would also be a good idea to exclude /proc by default on all Linux hosts; this will reduce the scan time (and the swap access caused by touching /proc) but will not worsen the results.
Thanks for the scanner, it's the best.
Hi,
the detection for CVE-2022-23307 was introduced in commit b271f27 and later changed in commit b04487e.
In the first commit there was no dependency on any other CVE; in the second one a dependency on JMSSink was added.
As far as I understand CVE-2022-23307, and based on my tests, this change / dependency prevents the detection in most cases and should therefore be reverted to the initial state?
Cheers
Dominik
Please build binary files for 32-bit systems.
Or describe how I can build them myself.
Thanks!
This may be useful to others.
Windows run example:
test_log4shell_1.2120220209.exe all --csv-out --no-csv-header --csv-clean
Linux 32 bit run example:
test_log4shell_1.2120220209.bin32 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean
Linux 64 bit run example:
test_log4shell_1.2120220209.bin64 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean
When the scan completes, a short-hostname_ip.csv file with the scan results appears in the directory the binary was run from.
test_log4shell_1.2120220209_32.zip
test_log4shell_1.2120220209_64.zip
test_log4shell_1.2120220209_exe.zip
Please add an argument that adds to each line of the CSV output (--csv-out) information about the path argument passed when the scanner starts, the excluded paths, the time spent scanning the host (even when the verdict is CLEAN), and the total number of files and folders scanned.
This information will be useful for analyzing the scanner's work statistics.
Example attached.
localhost_10.10.10.10.csv
One line from the host with the verdict, for example CLEAN. For mass rolling scans of hosts this also gives you a list of the scanned hosts.
"2022-01-25 00:00:00","1.2120220125","192.192.192.192","localhost.localdomain","Linux","6.x86_64","x86_64","Package","CLEAN","","",""
import ctypes
import os

FILE_ATTRIBUTE_REPARSE_POINT = 0x0400

def isLink(path):
    # Windows only: a directory carrying the reparse-point attribute is a junction,
    # mount point or symlink, so the scanner should not descend into it.
    if os.path.exists(path) and os.path.isdir(path):
        attributes = ctypes.windll.kernel32.GetFileAttributesW(str(path))  # str, not Python 2 unicode
        return (attributes & FILE_ATTRIBUTE_REPARSE_POINT) > 0
    return False
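The reparse-point check above is Windows-only. A scanner that walks an entire filesystem also has to stay out of symlink loops on Linux and skip pseudo-filesystems such as /proc, which other comments in this thread ask for. The block below is an added example, not the project's code: it generalizes the check across platforms with os.lstat (a symlink anywhere, or a reparse point on Windows) and uses it in a scandir-based walker that honours an exclude list. The demo tree, its file names and its stand-in "proc" directory are constructed for the example.

```python
import os
import stat
import tempfile

# Windows reparse-point attribute. The stat module defines it on every platform;
# the fallback is the documented value.
FILE_ATTRIBUTE_REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x0400)


def is_link(path):
    """True for a symlink on any OS, or for a reparse point (junction, mount point,
    symlink) on Windows. lstat inspects the link itself, never its target."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes only exists in Windows stat results
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def walk_files(root, exclude_dirs=()):
    """Yield regular files below root. Links are skipped (so a symlink loop cannot
    hang the scan and a junction cannot make the same tree scan twice) and any
    directory listed in exclude_dirs, such as /proc, is not descended into."""
    excluded = {os.path.abspath(d) for d in exclude_dirs}
    stack = [os.path.abspath(root)]
    while stack:
        current = stack.pop()
        try:
            entries = os.scandir(current)
        except OSError:           # permission denied, vanished directory, ...
            continue
        with entries:
            for entry in entries:
                if is_link(entry.path):
                    continue
                if entry.is_dir(follow_symlinks=False):
                    if entry.path not in excluded:
                        stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    yield entry.path


def build_demo_tree():
    """Constructed sample tree (not real data): two jars under app/lib, a 'proc'
    directory standing in for /proc, and a symlink that loops back to the root."""
    root = tempfile.mkdtemp(prefix="scanroot_")
    os.makedirs(os.path.join(root, "app", "lib"))
    os.makedirs(os.path.join(root, "proc"))
    for rel in ("app/lib/log4j-core-2.14.1.jar", "app/lib/other.jar", "proc/kcore"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"PK")       # placeholder content, not a real jar
    try:
        os.symlink(root, os.path.join(root, "app", "loop"))
    except OSError:               # symlinks may be unavailable (e.g. unprivileged Windows)
        pass
    return root


def scan_demo():
    """Walk the demo tree excluding its 'proc' directory; returns sorted relative paths."""
    root = build_demo_tree()
    found = walk_files(root, exclude_dirs=[os.path.join(root, "proc")])
    return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in found)


if __name__ == "__main__":
    for path in scan_demo():
        print(path)
```

The walk is iterative rather than recursive, so a deep tree cannot exhaust the stack, and the link test runs before the directory test so a junction to the root is dropped before it is ever queued.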
Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this?
I liked the proposed implementation:
one separate row for each host, instead of adding statistics to each row as extra columns (when the --csv-stats argument is specified). This approach is better than what I originally suggested.
launched on 75cb4f1
test_log4shell_1.2120220126.py all --csv-out --no-csv-header --no-error --csv-clean --csv-stats
output2.csv
output1.csv
Proposed format
output1-expected.csv
output2-expected.csv
In the proposed output I also suggest slightly changing the output of --csv-clean, for unification.
Thank you in advance.
For example, on a machine with 1 CPU this will put a fairly large load on the server:
min(32, os.cpu_count() + 4)
Please add JAVA version to output (csv)
When the scanner finds Log4J-1.1.1, the verdict turns out to be just an empty space. I think you need to add a status that indicates the need for manual verification in such cases, for example manual, or add an existing CVE.
2019-06-19 10:10:10 1.2120220117 333.333.333.333 server.com Windows 2022 AMD64 Package ...\lib\log4j-core.jar contains Log4J-1.1.1 <= 1.2.17, JMSAppender.class not found 1.1.1
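The JMSSink dependency discussed for CVE-2022-23307 and the empty verdict on Log4J-1.1.1 shown above both come down to how marker classes inside a jar are turned into a verdict. The block below is an added example and not the scanner's own detection code: it inspects a jar image with zipfile, evaluates each log4j 1.x marker class on its own so no CVE's result is gated on another CVE's marker, treats JndiLookup.class as a finding only below the fix version (2.15.0, or the 2.12.2 backport), and emits MANUAL instead of an empty verdict when log4j is present but nothing can be decided. The class-to-CVE mapping is this example's own assumption, and the sample jars are constructed in memory with placeholder class bodies.

```python
import io
import re
import zipfile

# Log4j 1.x marker classes. Every 1.x release ships them and no 1.x fix exists, so
# presence alone is a finding. Each marker is evaluated independently. (Mapping chosen
# for this example; the scanner's own table may differ.)
LOG4J1_MARKERS = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
}
LOG4J1_CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"      # CVE-2022-23307
# Log4j 2.x: JndiLookup.class is still present in fixed releases, so it is only a
# finding below the fix version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_JNDI_FIXED = (2, 15)        # CVE-2021-44228 fixed in 2.15.0 ...
LOG4J2_JNDI_BACKPORT = (2, 12, 2)  # ... and in the 2.12.2 backport for Java 7


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); None when no numeric prefix."""
    m = re.match(r"(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(data):
    """Classify one jar image (bytes) as {'version', 'cves', 'verdict'}.
    verdict is VULNERABLE, CLEAN or MANUAL; MANUAL replaces the empty verdict
    for a log4j 1.x jar without markers and covers a 2.x jar of unknown version."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    is_log4j1 = any(n.startswith("org/apache/log4j/") for n in names)
    cves = [cve for marker, cve in LOG4J1_MARKERS.items() if marker in names]
    if any(n.startswith(LOG4J1_CHAINSAW_PREFIX) for n in names):
        cves.append("CVE-2022-23307")
    verdict = "MANUAL" if is_log4j1 and not cves else "CLEAN"
    if JNDI_LOOKUP in names:
        v = parse_version(version)
        if v is None:
            verdict = "MANUAL"             # class present, version unknown: a human decides
        elif v < LOG4J2_JNDI_FIXED and v != LOG4J2_JNDI_BACKPORT:
            cves.append("CVE-2021-44228")
    if cves:
        verdict = "VULNERABLE"
    return {"version": version, "cves": sorted(cves), "verdict": verdict}


def make_jar(entries, version=None):
    """Constructed in-memory jar; entry bodies are placeholder bytes, not real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample jars (names and contents are made up for this example).
SAMPLE_JARS = {
    "log4j-1.2.17.jar": make_jar(list(LOG4J1_MARKERS) + [LOG4J1_CHAINSAW_PREFIX + "Main.class"], "1.2.17"),
    "log4j-1.1.1.jar": make_jar(["org/apache/log4j/Logger.class"], "1.1.1"),
    "log4j-core-2.14.1.jar": make_jar([JNDI_LOOKUP], "2.14.1"),
    "log4j-core-2.17.1.jar": make_jar([JNDI_LOOKUP], "2.17.1"),
    "log4j-core-noversion.jar": make_jar([JNDI_LOOKUP]),
    "commons-io-2.11.0.jar": make_jar(["org/apache/commons/io/IOUtils.class"], "2.11.0"),
}


def scan_samples():
    """Run the classifier over every constructed jar; returns {name: result}."""
    return {name: inspect_jar(data) for name, data in SAMPLE_JARS.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result["version"], result["verdict"], ",".join(result["cves"]))
```

Only CVE-2021-44228 is version-gated here; the other 2.x rows of the table posted later in this thread follow the same pattern with their own bounds.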
FR
For mass scanning of a group of hosts it would be great if the name of the output file (when some option is given) were generated automatically from a hostname_ip.csv template.
This would allow collecting all the received files into one directory (without worrying about file-name collisions) and running, for example,
cat ./*.csv > report_all.csv
to get a combined report.
Thanks for the scanner.
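Several requests in this thread converge on one CSV convention: a header-less, fully quoted row per host (one CLEAN row even when nothing was found, so the aggregate doubles as the list of scanned hosts), an extra per-host stats row under --csv-stats, and a short-hostname_ip.csv file name so reports can simply be concatenated. The block below is an added example of that convention, not the scanner's own output code. The column names, the sample host and the findings are constructed, and the three trailing fields of the quoted row are interpreted here as path, detail and library version.

```python
import csv
import io

# Column order mirrors the sample row quoted in this thread. Names are this example's own.
REPORT_COLUMNS = ["scanned_at", "scanner_version", "ip", "hostname", "os", "release",
                  "arch", "type", "verdict", "path", "detail", "version"]
STATS_COLUMNS = ["scanned_at", "hostname", "ip", "scan_root", "excluded", "duration_s",
                 "files_scanned", "dirs_scanned"]


def report_filename(hostname, ip):
    """'<short-hostname>_<ip>.csv': unique per host, so reports from many machines can be
    collected into one directory and merged with cat ./*.csv > report_all.csv."""
    short = hostname.split(".")[0] or "unknown"
    return "%s_%s.csv" % (short, ip)


def render_rows(host, findings, header=False):
    """Render the CSV block for one host. Every field is quoted, so an '@' or ',' inside a
    jar path cannot break the columns, and a host without findings still gets exactly one
    CLEAN row."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    if header:
        w.writerow(REPORT_COLUMNS)
    base = [host["scanned_at"], host["scanner_version"], host["ip"], host["hostname"],
            host["os"], host["release"], host["arch"], host["type"]]
    if not findings:
        w.writerow(base + ["CLEAN", "", "", ""])
    for f in findings:
        w.writerow(base + [f["verdict"], f["path"], f["detail"], f["version"]])
    return buf.getvalue()


def render_stats(host, stats):
    """One extra row per host (--csv-stats style): scan root, exclusions, duration and
    how many files and directories were touched, emitted even for a CLEAN host."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow([host["scanned_at"], host["hostname"], host["ip"], stats["scan_root"],
                ";".join(stats["excluded"]), "%.1f" % stats["duration_s"],
                stats["files_scanned"], stats["dirs_scanned"]])
    return buf.getvalue()


# Constructed sample host, finding and statistics (all values made up for this example).
SAMPLE_HOST = {"scanned_at": "2022-01-25 00:00:00", "scanner_version": "1.2120220125",
               "ip": "192.192.192.192", "hostname": "localhost.localdomain", "os": "Linux",
               "release": "6.x86_64", "arch": "x86_64", "type": "Package"}
SAMPLE_FINDINGS = [{"verdict": "VULNERABLE", "path": "/opt/app/lib/log4j-core-2.14.1.jar",
                    "detail": "JndiLookup.class found", "version": "2.14.1"}]
SAMPLE_STATS = {"scan_root": "/", "excluded": ["/proc", "/sys"], "duration_s": 42.5,
                "files_scanned": 123456, "dirs_scanned": 7890}


def demo():
    """Return (file name, report rows, stats row) for the sample host."""
    return (report_filename(SAMPLE_HOST["hostname"], SAMPLE_HOST["ip"]),
            render_rows(SAMPLE_HOST, SAMPLE_FINDINGS),
            render_stats(SAMPLE_HOST, SAMPLE_STATS))


if __name__ == "__main__":
    name, rows, stats = demo()
    print(name)
    print(rows + stats, end="")
```

With no findings, render_rows produces exactly the CLEAN line quoted earlier in the thread; the stats row is kept in its own column layout so a consumer can split the merged file on its column count.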
I've been running this on our AMD Threadripper 2990WX machine, and since it took more than 5 minutes I started to investigate why.
It looks like the disk is bored and only one CPU core is loaded at 100%; all other cores are idling.
I didn't have a look at the source code, but maybe a two-pass approach might speed things up:
It is especially important to detect CVE-2021-42550
Maybe a table like this would be useful in the documentation (readme):

Detect | CVE | CVSSv3 | Severity | Java | lib from | lib to | lib fix
---|---|---|---|---|---|---|---
x | CVE-2021-44228 | 10,0 | Critical | 8 | 2.0-beta9 | 2.14.1 | 2.15.0
- | CVE-2017-5645 | 9,8 | Critical | 7 | 2.0-alpha1 | 2.8.1 | 2.8.2
x | CVE-2021-45046 | 9,0 | Critical | 7/8 | 2.0-beta9 | 2.15.0, excluding 2.12.2 | 2.12.2/2.16.0
x | CVE-2021-4104 | 7,5 | High | - | 1.0 | 1.x | no fix
x | CVE-2021-44832 | 6,6 | Medium | 6/7/8 | 2.0-alpha7 | 2.17.0, excluding 2.3.2/2.12.4 | 2.3.2/2.12.4/2.17.1
- | CVE-2021-42550 | 6,6 | Medium | - | 1.0 | 1.2.7 | 1.2.8
x | CVE-2021-45105 | 5,9 | Medium | 6/7/8 | 2.0-beta9 | 2.16.0, excluding 2.12.3 | 2.3.1/2.12.3/2.17.0
- | CVE-2020-9488 | 3,7 | Low | 7/8 | 2.0-alpha1 | 2.13.1 | 2.12.3/2.13.2
Thanks for the scanner, it's great.
As part of our use, we have made a few minor improvements to it, maybe they will be useful to everyone.
log4shell.exe all --csv-out
type *.csv > all.csv (for Windows)
cat *.csv > all.csv (for Linux)
Please build a binary file for 32-bit systems (Linux)
If time & date were included in the log output, it would be easier to copy it somewhere as evidence
add arguments: an option to exclude a path
add json format output
The Results
For all versions of Windows you can make one common binary file. All versions of Windows contain a 32-bit subsystem, so such a binary will work on all Windows systems.
In order to support all versions of Windows from Windows 7 on, you need to use version 3.7.9 to build with pyinstaller.