The last weeks of 2021 got quite interesting for security professionals and software engineers.
Apache’s log4j library and its now prominent Java Naming and Directory Interface support, which enables easy remote code execution, made the news across the industry.
What makes Log4Shell scary is the widespread adoption of the Log4j library amongst Java applications, and the ease of remote exploitation.
A dangerous combination.
Patches got released, bypasses were discovered more patches were released and so forth.
A lot has been written and great information is out there around discovery, exploitation as well as mitigations. This post is not intended to repeat that information.
However, an area that has not gotten a lot of attention is the exploitation of Log4Shell in Request Forgery Attacks that target internal infrastructure and web servers by using the browser or a vulnerable service as confused deputy.
What are Request Forgery Attacks?
Request Forgery Attacks create requests that have unintended consequences for the victim of the attack.
These can typically be put in two categories, based on where the request is forged (client or server)
- Cross-Site Request Forgery Attacks (CSRF) - these attacks make the client/browser connect to resources and trigger unintended actions. This attack typically leverages authentication tokens to invoke privileged operations on the users behalf via a web browser.
- Server-Side Request Forgery Attacks (SSRF) - these attacks create a request on the server side, where an attacker is able to provide a URL to the server and the server will later connect to that URL. This could be via a wide range of destinations and protocols (localhost, internal networks, http, ftp, ldap,…)
Both kinds of request forgery vulnerabilities are quite common in web application and services. Also see the confused deputy problem for a generic explanation of this kind of security issue.
Why is this interesting in regard to Log4j?
What makes request forgery attacks so powerful in regard to Log4j is that the Log4j vulnerability often can be triggered without any form of authentication.
This makes Cross-Site Request Forgery Attacks that target local or internal network resources very plausible. The same goes for the Server-Side attack scenarios.
Any Server-Side feature which allows a user to specify a URL to control where a service connects to can potentially be leveraged to target internal infrastructure and probe for the log4j vulnerability.
Simple GET requests trigger Log4Shell
Remember that in many cases all that is needed to reach a vulnerable log4j system is a GET request with a query parameter that contains the attack payload, for example:
This payload can be provided by a malicious web page, e.g. when loading
This request will attack an internal network (such as the
10.0.0.1 IP address). It can also target applications installed on
localhost (including phones!) of the victim browsing the Internet.
Beware of this attack vector (possibly in combination with phishing attacks) patch and protect internally facing applications as well.
This post discussed how both Cross-Site (client based) and Server-Side Request Forgery Attacks can lead to succesful exploitation of the log4j vulnerability.
If you were solely focused on patching externally facing applications and services expand your analysis to everything, including internal infrastructure, as well as developer and end user machines.
Chrome and Edge seem to add more restrictions for browsers to talk to private networks as well.
Keep scanning and patching!
- Apache Log4j Overview
- JNDI Overview
- CISA - Apache Log4j Vulnerabilty Guidance
- Apache Log4j Vulnerability - Exploit
- Confused Deputy Problem
- Guidance for preventing, detecting and hunting for CVE 2021-44228
- Feature: Restrict “private network requests” for subresources from public websites to secure contexts
- Image with the glasses taken from Microsoft Image search included in PowerPoint - credit goes to whoever created the image.