30 |
31 | ## Installation
32 |
33 | The tool was tested with Go 1.16. Make sure it (or a more recent version of Go) is
34 | installed and run the following command:
35 |
36 | ```
37 | go install github.com/alexbakker/log4shell-tools/cmd/log4shell-tools-server
38 | ```
39 |
40 | The binary will be available in ``$GOPATH/bin``
41 |
42 | ### Usage
43 |
44 | Since this tool compiles to a single binary, all you have to do is run it to
45 | start self hosting an instance of log4shell.tools. To make it accessible by
46 | other machines in your network, you'll want to pass a couple of flags to stop
47 | the tool from only listening on the loopback interface. If you're exposing this
48 | to the internet, you'll probably also want to put a reverse proxy in front of
49 | the HTTP server. Ignore the DNS options for now, they're not needed for simple
50 | internal deployments.
51 |
52 | For the full list of available flags, run `log4shell-tools-server -h`:
53 |
54 | ```
55 | Usage of ./log4shell-tools-server:
56 |
57 | This tool only listens on 127.0.0.1 by default. Pass the flags below to customize for your environment.
58 |
59 | -dns-a string
60 | the IPv4 address to respond with to any A record queries for 'dns-zone' (default "127.0.0.1")
61 | -dns-aaaa string
62 | the IPv6 address to respond with to any AAAA record queries for 'dns-zone' (default "::1")
63 | -dns-addr string
64 | listening address for the DNS server (default "127.0.0.1:12346")
65 | -dns-enable
66 | enable the DNS server
67 | -dns-zone string
68 | DNS zone that is forwarded to the tool's DNS server (example: "dns.log4shell.tools")
69 | -http-addr string
70 | listening address for the HTTP server (default "127.0.0.1:8001")
71 | -http-addr-external string
72 | address where the HTTP server can be reached externally (default "127.0.0.1:8001")
73 | -ldap-addr string
74 | listening address for the LDAP server (default "127.0.0.1:12345")
75 | -ldap-addr-external string
76 | address where the LDAP server can be reached externally (default "127.0.0.1:12345")
77 | -ldap-http-proto string
78 | the HTTP protocol to use in the payload URL that the LDAP server responds with (default "http")
79 | -storage string
80 | storage connection URI (either memory:// or a postgres:// URI (default "memory://")
81 | -test-timeout int
82 | test timeout in minutes (default 30)
83 | ```
84 |
85 | #### Storage
86 |
87 | The tool uses its in-memory storage backend by default. If you need test
88 | results to persist across restarts, you may want to use the Postgres backend instead.
89 |
90 | #### DNS
91 |
92 | The DNS server is disabled by default, because its configuration options are
93 | currently very specific to the setup over at https://log4shell.alexbakker.me. Let me
94 | know if you'd like to help make these more generic.
95 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/dns.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "context"
5 | "fmt"
6 | "strings"
7 |
8 | "github.com/alexbakker/log4shell-tools/cmd/log4shell-tools-server/storage"
9 | "github.com/google/uuid"
10 | "github.com/miekg/dns"
11 | log "github.com/sirupsen/logrus"
12 | )
13 |
14 | type DNSServer struct {
15 | s *dns.Server
16 | store storage.Backend
17 | opts DNSServerOpts
18 | }
19 |
20 | type DNSServerOpts struct {
21 | Addr string
22 | Zone string
23 | A string
24 | AAAA string
25 | }
26 |
27 | func NewDNSServer(store storage.Backend, opts DNSServerOpts) *DNSServer {
28 | s := DNSServer{store: store, opts: opts}
29 | mux := dns.NewServeMux()
30 | mux.HandleFunc(fmt.Sprintf("%s.", opts.Zone), s.handleDNSQuery)
31 | server := &dns.Server{Addr: opts.Addr, Net: "udp", Handler: mux}
32 | s.s = server
33 | return &s
34 | }
35 |
36 | func (s *DNSServer) ListenAndServe() error {
37 | return s.s.ListenAndServe()
38 | }
39 |
40 | func (s *DNSServer) handleDNSQuery(w dns.ResponseWriter, r *dns.Msg) {
41 | m := new(dns.Msg)
42 | m.SetReply(r)
43 | m.Compress = false
44 |
45 | if r.Opcode == dns.OpcodeQuery {
46 | if len(m.Question) == 0 {
47 | w.WriteMsg(m)
48 | return
49 | }
50 |
51 | q := m.Question[0]
52 | if q.Qtype != dns.TypeA && q.Qtype != dns.TypeAAAA {
53 | m.SetRcode(r, dns.RcodeSuccess)
54 | w.WriteMsg(m)
55 | return
56 | }
57 |
58 | if strings.HasPrefix(strings.ToLower(q.Name), s.opts.Zone) {
59 | s.writeDNSRes(m, r, q.Name, q.Qtype)
60 | w.WriteMsg(m)
61 | return
62 | }
63 |
64 | ctxLog := log.WithFields(log.Fields{
65 | "server": "dns",
66 | "addr": w.RemoteAddr().String(),
67 | "q": q.Name,
68 | "type": dns.TypeToString[q.Qtype],
69 | })
70 |
71 | parts := strings.Split(q.Name, ".")
72 | id, err := uuid.Parse(parts[0])
73 | if err != nil {
74 | ctxLog.WithError(err).Error("Unable to parse UUID")
75 | m.SetRcode(r, dns.RcodeNameError)
76 | w.WriteMsg(m)
77 | return
78 | }
79 |
80 | ctxLog = ctxLog.WithField("test", id)
81 | ctxLog.Info("Handling DNS query")
82 | counterDNSQueries.Inc()
83 |
84 | test, err := s.store.Test(context.Background(), id)
85 | if err != nil {
86 | ctxLog.WithError(err).Error("Unable to lookup test in storage")
87 | m.SetRcode(r, dns.RcodeNameError)
88 | w.WriteMsg(m)
89 | return
90 | }
91 | if test == nil {
92 | ctxLog.Warn("Test not found")
93 | m.SetRcode(r, dns.RcodeNameError)
94 | w.WriteMsg(m)
95 | return
96 | }
97 | if test.Done(testTimeout) {
98 | ctxLog.Warn("Test already done")
99 | m.SetRcode(r, dns.RcodeNameError)
100 | w.WriteMsg(m)
101 | return
102 | }
103 |
104 | addr, ptr := getAddrPtr(context.Background(), w.RemoteAddr().String())
105 | if err = s.store.InsertTestResult(context.Background(), test, storage.TestResultDnsQuery, addr, ptr); err != nil {
106 | ctxLog.WithError(err).Error("Unable to insert test result")
107 | w.WriteMsg(m)
108 | return
109 | }
110 |
111 | s.writeDNSRes(m, r, q.Name, q.Qtype)
112 | }
113 |
114 | w.WriteMsg(m)
115 | }
116 |
117 | func (s *DNSServer) writeDNSRes(m *dns.Msg, r *dns.Msg, name string, recordType uint16) {
118 | var record string
119 | switch recordType {
120 | case dns.TypeA:
121 | record = s.opts.A
122 | case dns.TypeAAAA:
123 | record = s.opts.AAAA
124 | }
125 |
126 | if record != "" {
127 | rr, err := dns.NewRR(fmt.Sprintf("%s %s %s", name, dns.TypeToString[recordType], record))
128 | if err == nil {
129 | m.Answer = append(m.Answer, rr)
130 | }
131 | }
132 | }
133 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/ldap.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "context"
5 | "fmt"
6 |
7 | ldap "github.com/alexbakker/ldapserver"
8 | "github.com/alexbakker/log4shell-tools/cmd/log4shell-tools-server/storage"
9 | "github.com/google/uuid"
10 | "github.com/lor00x/goldap/message"
11 | log "github.com/sirupsen/logrus"
12 | )
13 |
14 | type LDAPServer struct {
15 | s *ldap.Server
16 | store storage.Backend
17 | }
18 |
19 | func NewLDAPServer(store storage.Backend) *LDAPServer {
20 | s := LDAPServer{store: store}
21 |
22 | mux := ldap.NewRouteMux()
23 | mux.Bind(s.handleBind)
24 | mux.Search(s.handleSearch)
25 |
26 | s.s = ldap.NewServer()
27 | s.s.Handle(mux)
28 | return &s
29 | }
30 |
31 | func (s *LDAPServer) ListenAndServe(addr string) error {
32 | return s.s.ListenAndServe(addr)
33 | }
34 |
35 | func (s *LDAPServer) handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
36 | req := m.GetSearchRequest()
37 |
38 | ctxLog := log.WithFields(log.Fields{
39 | "server": "ldap",
40 | "addr": m.Client.Addr(),
41 | "req": "search",
42 | "object": req.BaseObject(),
43 | })
44 | ctxLog.Info("Handling LDAP search request")
45 | counterSearchRequests.Inc()
46 |
47 | id, err := uuid.Parse(string(req.BaseObject()))
48 | if err != nil {
49 | ctxLog.WithError(err).Error("Unable to parse UUID")
50 |
51 | res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultNoSuchObject)
52 | w.Write(res)
53 | return
54 | }
55 | ctxLog = ctxLog.WithField("test", id)
56 |
57 | test, err := s.store.Test(context.Background(), id)
58 | if err != nil {
59 | res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultNoSuchObject)
60 | w.Write(res)
61 | return
62 | }
63 | if test == nil || test.Done(testTimeout) {
64 | ctxLog.Warn("Test not found or already done")
65 | res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultNoSuchObject)
66 | w.Write(res)
67 | return
68 | }
69 |
70 | addr, ptr := getAddrPtr(context.Background(), m.Client.Addr().String())
71 | if err = s.store.InsertTestResult(context.Background(), test, storage.TestResultLdapSearch, addr, ptr); err != nil {
72 | ctxLog.WithError(err).Error("Unable to insert test result")
73 | res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOther)
74 | w.Write(res)
75 | return
76 | }
77 |
78 | codeBase := fmt.Sprintf("%s://%s/api/tests/%s/payload/", *flagLDAPHTTPProto, *flagHTTPAddrExternal, id)
79 | e := ldap.NewSearchResultEntry("")
80 | e.AddAttribute("javaClassName", message.AttributeValue(className))
81 | e.AddAttribute("javaCodeBase", message.AttributeValue(codeBase))
82 | e.AddAttribute("objectClass", "javaNamingReference")
83 | e.AddAttribute("javaFactory", message.AttributeValue(className))
84 | w.Write(e)
85 |
86 | res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
87 | w.Write(res)
88 | }
89 |
90 | func (s *LDAPServer) handleBind(w ldap.ResponseWriter, m *ldap.Message) {
91 | ctxLog := log.WithFields(log.Fields{
92 | "server": "ldap",
93 | "addr": m.Client.Addr(),
94 | "req": "bind",
95 | })
96 | ctxLog.Info("Handling LDAP bind request")
97 | counterBindRequests.Inc()
98 |
99 | res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
100 | w.Write(res)
101 | }
102 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "bytes"
5 | "context"
6 | _ "embed"
7 | "flag"
8 | "fmt"
9 | "html/template"
10 | "net/http"
11 | "os"
12 | "sync"
13 | "time"
14 |
15 | ldap "github.com/alexbakker/ldapserver"
16 | "github.com/alexbakker/log4shell-tools/cmd/log4shell-tools-server/storage"
17 | "github.com/google/uuid"
18 | "github.com/julienschmidt/httprouter"
19 | "github.com/prometheus/client_golang/prometheus/promhttp"
20 | log "github.com/sirupsen/logrus"
21 | )
22 |
23 | var (
24 | flagStorage = flag.String("storage", "memory://", "storage connection URI (either memory:// or a postgres:// URI")
25 | flagDNSEnable = flag.Bool("dns-enable", false, "enable the DNS server")
26 | flagDNSAddr = flag.String("dns-addr", "127.0.0.1:12346", "listening address for the DNS server")
27 | flagDNSZone = flag.String("dns-zone", "", "DNS zone that is forwarded to the tool's DNS server (example: \"dns.log4shell.tools\")")
28 | flagDNSA = flag.String("dns-a", "127.0.0.1", "the IPv4 address to respond with to any A record queries for 'dns-zone'")
29 | flagDNSAAAA = flag.String("dns-aaaa", "::1", "the IPv6 address to respond with to any AAAA record queries for 'dns-zone'")
30 | flagLDAPAddr = flag.String("ldap-addr", "127.0.0.1:12345", "listening address for the LDAP server")
31 | flagLDAPAddrExternal = flag.String("ldap-addr-external", "127.0.0.1:12345", "address where the LDAP server can be reached externally")
32 | flagLDAPHTTPProto = flag.String("ldap-http-proto", "http", "the HTTP protocol to use in the payload URL that the LDAP server responds with")
33 | flagHTTPAddr = flag.String("http-addr", "127.0.0.1:8001", "listening address for the HTTP server")
34 | flagHTTPAddrExternal = flag.String("http-addr-external", "127.0.0.1:8001", "address where the HTTP server can be reached externally")
35 | flagTestTimeout = flag.Int("test-timeout", 30, "test timeout in minutes")
36 | flagDiscontinued = flag.Bool("discontinued", false, "whether this service has been discontinued")
37 | testTimeout = time.Duration(*flagTestTimeout)
38 |
39 | className = "Log4Shell"
40 |
41 | //go:embed templates/index.html
42 | tmplIndexText string
43 | tmplIndex *template.Template
44 |
45 | store storage.Backend
46 | statsCache *StatsCache
47 | )
48 |
49 | type IndexModel struct {
50 | New bool
51 | UUID uuid.UUID
52 | Test *storage.Test
53 | Context context.Context
54 | AddrLDAP string
55 | AddrLDAPExternal string
56 | DNSEnabled bool
57 | DNSZone string
58 | ActiveTests int64
59 | Error string
60 | Discontinued bool
61 | }
62 |
63 | type StatsCache struct {
64 | store storage.Backend
65 | l sync.Mutex
66 | activeTests int64
67 | activeTestsFetched time.Time
68 | }
69 |
70 | func init() {
71 | ldap.Logger = ldap.DiscardingLogger
72 |
73 | flag.Usage = func() {
74 | fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s:\n\n", os.Args[0])
75 | fmt.Fprintf(flag.CommandLine.Output(), "This tool only listens on 127.0.0.1 by default. Pass the flags below to customize for your environment.\n\n")
76 | flag.PrintDefaults()
77 | }
78 |
79 | tmplFuncs := template.FuncMap{
80 | "IsTestDone": func(test *storage.Test) bool {
81 | return test.Done(testTimeout)
82 | },
83 | "IsTestTimedOut": func(test *storage.Test) bool {
84 | return test.TimedOut(testTimeout)
85 | },
86 | "GetTestResults": func(ctx context.Context, test *storage.Test) ([]*storage.TestResult, error) {
87 | return store.TestResults(ctx, test)
88 | },
89 | }
90 |
91 | var err error
92 | tmplIndex, err = template.New("index").Funcs(tmplFuncs).Parse(tmplIndexText)
93 | if err != nil {
94 | log.WithError(err).Fatal("Unable to load template")
95 | }
96 | }
97 |
98 | func main() {
99 | flag.Parse()
100 | testTimeout = time.Minute * time.Duration(*flagTestTimeout)
101 |
102 | if !*flagDiscontinued {
103 | log.WithField("uri", *flagStorage).Info("Opening storage backend")
104 | var err error
105 | store, err = storage.NewBackend(*flagStorage)
106 | if err != nil {
107 | log.WithError(err).Fatal("Unable to open storage backend")
108 | }
109 | defer store.Close()
110 | statsCache = &StatsCache{store: store}
111 |
112 | go func() {
113 | for {
114 | <-time.After(1 * time.Minute)
115 |
116 | deleted, err := store.PruneTestResults(context.Background())
117 | if err != nil {
118 | log.WithError(err).Error("Unable to delete old test results")
119 | } else {
120 | log.WithField("count", deleted).Info("Deleted old test results")
121 | }
122 | }
123 | }()
124 |
125 | ldapServer := NewLDAPServer(store)
126 | go func() {
127 | log.WithFields(log.Fields{
128 | "addr": *flagLDAPAddr,
129 | "addr_ext": *flagLDAPAddrExternal,
130 | }).Info("Starting LDAP server")
131 |
132 | if err := ldapServer.ListenAndServe(*flagLDAPAddr); err != nil {
133 | log.WithError(err).Fatal("Unable to run LDAP server")
134 | }
135 | }()
136 |
137 | if *flagDNSEnable {
138 | dnsServer := NewDNSServer(store, DNSServerOpts{
139 | Addr: *flagDNSAddr,
140 | Zone: *flagDNSZone,
141 | A: *flagDNSA,
142 | AAAA: *flagDNSAAAA,
143 | })
144 |
145 | go func() {
146 | log.WithFields(log.Fields{
147 | "addr": *flagDNSAddr,
148 | }).Info("Starting DNS server")
149 |
150 | if err := dnsServer.ListenAndServe(); err != nil {
151 | log.WithError(err).Fatal("Unable to run DNS server")
152 | }
153 | }()
154 | }
155 | } else {
156 | log.Warn("Running in discontinued mode")
157 | }
158 |
159 | router := httprouter.New()
160 | router.GET("/", handleIndex)
161 | if !*flagDiscontinued {
162 | promHandler := promhttp.Handler()
163 | router.GET("/metrics", func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
164 | promHandler.ServeHTTP(w, r)
165 | })
166 | router.GET(fmt.Sprintf("/api/tests/:uuid/payload/%s.class", className), handleTestPayloadDownload)
167 | }
168 |
169 | log.WithFields(log.Fields{
170 | "addr": *flagHTTPAddr,
171 | "addr_ext": *flagHTTPAddrExternal,
172 | }).Info("Starting HTTP server")
173 |
174 | if err := http.ListenAndServe(*flagHTTPAddr, router); err != nil {
175 | log.WithError(err).Fatal("Unable to start HTTP server")
176 | }
177 | }
178 |
179 | func handleIndex(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
180 | var activeTests int64
181 | if !*flagDiscontinued {
182 | activeTests = statsCache.getActiveTests(r.Context())
183 | }
184 | model := IndexModel{
185 | Context: r.Context(),
186 | ActiveTests: activeTests,
187 | AddrLDAP: *flagLDAPAddr,
188 | AddrLDAPExternal: *flagLDAPAddrExternal,
189 | DNSEnabled: *flagDNSEnable,
190 | DNSZone: *flagDNSZone,
191 | Discontinued: *flagDiscontinued,
192 | }
193 | ctxLog := log.WithFields(log.Fields{
194 | "server": "http",
195 | "addr": getRemoteAddr(r),
196 | "req": r.URL.Path,
197 | })
198 |
199 | if !*flagDiscontinued {
200 | idString := r.URL.Query().Get("uuid")
201 | if idString != "" {
202 | var err error
203 | if model.UUID, err = uuid.Parse(idString); err != nil {
204 | ctxLog.WithField("id", idString).WithError(err).Error("Unable to parse UUID")
205 | writeHttpError(w, http.StatusBadRequest)
206 | return
207 | }
208 | ctxLog = ctxLog.WithField("test", model.UUID)
209 |
210 | model.Test, err = store.Test(r.Context(), model.UUID)
211 | if err != nil {
212 | ctxLog.WithError(err).Error("Unable to lookup test in storage")
213 | writeHttpError(w, http.StatusInternalServerError)
214 | return
215 | }
216 | if model.Test == nil {
217 | if r.URL.Query().Get("terms") != "y" {
218 | model.Error = "You cannot continue before agreeing to only testing on machines that you have permission to test on."
219 | } else {
220 | ctxLog.Info("Inserting new test")
221 |
222 | if err := store.InsertTest(r.Context(), model.UUID); err != nil {
223 | ctxLog.WithError(err).Error("Unable to insert new test")
224 | writeHttpError(w, http.StatusInternalServerError)
225 | return
226 | }
227 | if model.Test, err = store.Test(r.Context(), model.UUID); err != nil {
228 | ctxLog.WithError(err).Error("Unable to lookup test in storage")
229 | writeHttpError(w, http.StatusInternalServerError)
230 | return
231 | }
232 | if model.Test == nil {
233 | ctxLog.Error("Unable to obtain test right after insert")
234 | writeHttpError(w, http.StatusInternalServerError)
235 | return
236 | }
237 |
238 | counterTestsCreated.Inc()
239 | }
240 | }
241 | } else {
242 | model.New = true
243 | model.UUID = uuid.New()
244 | }
245 | } else {
246 | model.New = true
247 | }
248 |
249 | var buf bytes.Buffer
250 | if err := tmplIndex.Execute(&buf, model); err != nil {
251 | ctxLog.WithError(err).Error("Unable to render template")
252 | writeHttpError(w, http.StatusInternalServerError)
253 | return
254 | }
255 |
256 | w.Header().Add("Content-Type", "text/html")
257 | w.Write(buf.Bytes())
258 | }
259 |
260 | func handleTestPayloadDownload(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
261 | ctxLog := log.WithFields(log.Fields{
262 | "server": "http",
263 | "addr": getRemoteAddr(r),
264 | "req": r.URL.Path,
265 | })
266 |
267 | idString := p.ByName("uuid")
268 | id, err := uuid.Parse(idString)
269 | if err != nil {
270 | ctxLog.WithField("id", idString).WithError(err).Error("Unable to parse UUID")
271 | writeHttpError(w, http.StatusBadRequest)
272 | return
273 | }
274 |
275 | ctxLog = ctxLog.WithField("test", id)
276 | ctxLog.Info("Handling payload download request")
277 | counterPayloadRequests.Inc()
278 |
279 | test, err := store.Test(r.Context(), id)
280 | if err != nil {
281 | ctxLog.WithError(err).Error("Unable to lookup test in storage")
282 | writeHttpError(w, http.StatusInternalServerError)
283 | return
284 | }
285 | if test == nil {
286 | ctxLog.Warn("Test not found")
287 | writeHttpError(w, http.StatusNotFound)
288 | return
289 | }
290 | if test.Done(testTimeout) {
291 | ctxLog.Warn("Test already done")
292 | writeHttpError(w, http.StatusGone)
293 | return
294 | }
295 |
296 | addr, ptr := getAddrPtr(r.Context(), getRemoteAddr(r))
297 | if err = store.InsertTestResult(r.Context(), test, storage.TestResultHttpGet, addr, ptr); err != nil {
298 | ctxLog.WithError(err).Error("Unable to insert test result")
299 | writeHttpError(w, http.StatusInternalServerError)
300 | return
301 | }
302 | if err = store.FinishTest(r.Context(), test); err != nil {
303 | ctxLog.WithError(err).Error("Unable to mark test as finished")
304 | writeHttpError(w, http.StatusInternalServerError)
305 | return
306 | }
307 | counterTestsCompleted.Inc()
308 |
309 | writeHttpError(w, http.StatusNotFound)
310 | }
311 |
312 | func writeHttpError(w http.ResponseWriter, code int) {
313 | http.Error(w, fmt.Sprintf("%d - %s", code, http.StatusText(code)), code)
314 | }
315 |
316 | func (c *StatsCache) getActiveTests(ctx context.Context) int64 {
317 | c.l.Lock()
318 | defer c.l.Unlock()
319 |
320 | if time.Since(c.activeTestsFetched) > 1*time.Minute {
321 | var err error
322 | c.activeTests, err = c.store.ActiveTests(ctx, testTimeout)
323 | if err != nil {
324 | log.WithError(err).Error("Unable to fetch number of active tests")
325 | }
326 | c.activeTestsFetched = time.Now()
327 | }
328 |
329 | return c.activeTests
330 | }
331 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/net.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "context"
5 | "net"
6 | "net/http"
7 | "strings"
8 | "time"
9 |
10 | "inet.af/netaddr"
11 | )
12 |
13 | func getRemoteAddr(r *http.Request) string {
14 | for _, header := range []string{"X-Forwarded-For", "X-Real-Ip"} {
15 | ips := strings.Split(r.Header.Get(header), ",")
16 | for i := len(ips) - 1; i >= 0; i-- {
17 | ip := strings.TrimSpace(ips[i])
18 | realIP, err := netaddr.ParseIP(ip)
19 | if err != nil || realIP.IsPrivate() {
20 | continue
21 | }
22 | return ip
23 | }
24 | }
25 | return r.RemoteAddr
26 | }
27 |
28 | func getAddrPtr(ctx context.Context, addr string) (string, *string) {
29 | resCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
30 | defer cancel()
31 |
32 | host, _, err := net.SplitHostPort(addr)
33 | if err != nil {
34 | host = addr
35 | }
36 |
37 | var ptr *string
38 | var resolver net.Resolver
39 | if names, err := resolver.LookupAddr(resCtx, host); err == nil && len(names) != 0 {
40 | ptr = &names[0]
41 | }
42 |
43 | return host, ptr
44 | }
45 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/prometheus.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "github.com/prometheus/client_golang/prometheus"
5 | "github.com/prometheus/client_golang/prometheus/promauto"
6 | )
7 |
8 | var (
9 | counterTestsCreated = promauto.NewCounter(prometheus.CounterOpts{
10 | Name: "log4shell_tests_created_total",
11 | Help: "The total number of new tests inserted into the database",
12 | })
13 | counterTestsCompleted = promauto.NewCounter(prometheus.CounterOpts{
14 | Name: "log4shell_tests_completed_total",
15 | Help: "The total number of new tests that were completed (no timeout)",
16 | })
17 | counterBindRequests = promauto.NewCounter(prometheus.CounterOpts{
18 | Name: "log4shell_ldap_bind_requests_total",
19 | Help: "The total number of LDAP bind requests",
20 | })
21 | counterSearchRequests = promauto.NewCounter(prometheus.CounterOpts{
22 | Name: "log4shell_ldap_search_requests_total",
23 | Help: "The total number of LDAP search requests",
24 | })
25 | counterPayloadRequests = promauto.NewCounter(prometheus.CounterOpts{
26 | Name: "log4shell_http_payload_requests_total",
27 | Help: "The total number of RCE payload requests",
28 | })
29 | counterDNSQueries = promauto.NewCounter(prometheus.CounterOpts{
30 | Name: "log4shell_dns_queries_total",
31 | Help: "The total number of DNS queries",
32 | })
33 | )
34 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/storage/db.go:
--------------------------------------------------------------------------------
1 | package storage
2 |
3 | import (
4 | "context"
5 | "fmt"
6 | "time"
7 |
8 | "github.com/google/uuid"
9 | "github.com/jackc/pgx/v4"
10 | "github.com/jackc/pgx/v4/pgxpool"
11 | )
12 |
13 | const (
14 | schema = `
15 | CREATE TABLE IF NOT EXISTS test (
16 | id UUID NOT NULL,
17 | created timestamp NOT NULL DEFAULT timezone('utc'::text, CURRENT_TIMESTAMP),
18 | finished timestamp,
19 | PRIMARY KEY (id)
20 | );
21 |
22 | CREATE TABLE IF NOT EXISTS test_result (
23 | id BIGSERIAL NOT NULL,
24 | test_id UUID NOT NULL,
25 | created timestamp NOT NULL DEFAULT timezone('utc'::text, CURRENT_TIMESTAMP),
26 | type TEXT NOT NULL,
27 | addr TEXT,
28 | ptr TEXT,
29 | PRIMARY KEY (id),
30 | FOREIGN KEY (test_id) REFERENCES test (id) ON DELETE CASCADE
31 | );
32 |
33 | CREATE INDEX IF NOT EXISTS test_result_test_id_idx ON test_result (test_id);
34 | `
35 | )
36 |
37 | type DB struct {
38 | p *pgxpool.Pool
39 | }
40 |
41 | func NewDB(connStr string) (*DB, error) {
42 | p, err := pgxpool.Connect(context.Background(), connStr)
43 | if err != nil {
44 | return nil, fmt.Errorf("db connect: %s", err)
45 | }
46 |
47 | if _, err = p.Exec(context.Background(), schema); err != nil {
48 | return nil, fmt.Errorf("schema init: %s", err)
49 | }
50 |
51 | return &DB{p: p}, nil
52 | }
53 |
54 | func (db *DB) Close() {
55 | db.p.Close()
56 | }
57 |
58 | func (db *DB) Test(ctx context.Context, id uuid.UUID) (*Test, error) {
59 | row := db.p.QueryRow(ctx, `SELECT id, created, finished FROM test WHERE id = $1`, id.String())
60 |
61 | var test Test
62 | if err := row.Scan(
63 | &test.ID,
64 | &test.Created,
65 | &test.Finished); err != nil {
66 | if err == pgx.ErrNoRows {
67 | return nil, nil
68 | }
69 |
70 | return nil, err
71 | }
72 |
73 | return &test, nil
74 | }
75 |
76 | func (db *DB) InsertTest(ctx context.Context, id uuid.UUID) error {
77 | _, err := db.p.Exec(ctx, "INSERT INTO test (id) VALUES($1)", id)
78 | return err
79 | }
80 |
81 | func (db *DB) InsertTestResult(ctx context.Context, t *Test, resultType string, addr string, ptr *string) error {
82 | _, err := db.p.Exec(ctx, `
83 | INSERT INTO test_result (test_id, type, addr, ptr)
84 | VALUES($1, $2, $3, $4)
85 | `, t.ID, resultType, addr, ptr)
86 | return err
87 | }
88 |
89 | func (db *DB) TestResults(ctx context.Context, t *Test) ([]*TestResult, error) {
90 | rows, err := db.p.Query(ctx, `
91 | SELECT created, type, addr, ptr
92 | FROM test_result
93 | WHERE test_id = $1
94 | ORDER BY created ASC
95 | `, t.ID)
96 | if err != nil {
97 | return nil, err
98 | }
99 | defer rows.Close()
100 |
101 | var results []*TestResult
102 | for rows.Next() {
103 | var res TestResult
104 | if err = rows.Scan(&res.Created, &res.Type, &res.Addr, &res.Ptr); err != nil {
105 | return nil, err
106 | }
107 |
108 | results = append(results, &res)
109 | }
110 |
111 | return results, nil
112 | }
113 |
114 | func (db *DB) PruneTestResults(ctx context.Context) (int64, error) {
115 | res, err := db.p.Exec(ctx, `
116 | DELETE FROM test
117 | WHERE created < timezone('utc'::text, CURRENT_TIMESTAMP) - '1 day'::interval
118 | `)
119 | if err != nil {
120 | return 0, err
121 | }
122 |
123 | return res.RowsAffected(), nil
124 | }
125 |
126 | func (db *DB) FinishTest(ctx context.Context, t *Test) error {
127 | _, err := db.p.Exec(ctx, `
128 | UPDATE test
129 | SET finished = timezone('utc'::text, CURRENT_TIMESTAMP)
130 | WHERE id = $1
131 | `, t.ID)
132 | return err
133 | }
134 |
135 | func (db *DB) ActiveTests(ctx context.Context, timeout time.Duration) (int64, error) {
136 | var count int64
137 | row := db.p.QueryRow(ctx, `
138 | SELECT count(*)
139 | FROM test
140 | WHERE finished IS NULL
141 | AND created > timezone('utc'::text, CURRENT_TIMESTAMP) - ('1 minute'::interval * $1);
142 | `, int64(timeout.Minutes()))
143 |
144 | err := row.Scan(&count)
145 | return count, err
146 | }
147 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/storage/memory.go:
--------------------------------------------------------------------------------
1 | package storage
2 |
3 | import (
4 | "context"
5 | "fmt"
6 | "sync"
7 | "time"
8 |
9 | "github.com/google/uuid"
10 | )
11 |
12 | type testWrapper struct {
13 | Test *Test
14 | Results []*TestResult
15 | }
16 |
17 | type Memory struct {
18 | tests map[uuid.UUID]*testWrapper
19 | l sync.Mutex
20 | }
21 |
22 | func NewMemory() *Memory {
23 | return &Memory{tests: map[uuid.UUID]*testWrapper{}}
24 | }
25 |
26 | func (m *Memory) Close() {
27 |
28 | }
29 |
30 | func (m *Memory) Test(ctx context.Context, id uuid.UUID) (*Test, error) {
31 | m.l.Lock()
32 | defer m.l.Unlock()
33 |
34 | tw, ok := m.tests[id]
35 | if !ok {
36 | return nil, nil
37 | }
38 |
39 | copy := *tw.Test
40 | return ©, nil
41 | }
42 |
43 | func (m *Memory) InsertTest(ctx context.Context, id uuid.UUID) error {
44 | m.l.Lock()
45 | defer m.l.Unlock()
46 |
47 | _, ok := m.tests[id]
48 | if ok {
49 | return fmt.Errorf("not found: %s", id)
50 | }
51 |
52 | now := time.Now().UTC()
53 | m.tests[id] = &testWrapper{Test: &Test{ID: id, Created: &now}}
54 | return nil
55 | }
56 |
57 | func (m *Memory) InsertTestResult(ctx context.Context, t *Test, resultType string, addr string, ptr *string) error {
58 | m.l.Lock()
59 | defer m.l.Unlock()
60 |
61 | tw, ok := m.tests[t.ID]
62 | if !ok {
63 | return fmt.Errorf("not found: %s", t.ID)
64 | }
65 |
66 | now := time.Now().UTC()
67 | tw.Results = append(tw.Results, &TestResult{
68 | TestID: tw.Test.ID,
69 | Created: &now,
70 | Type: resultType,
71 | Addr: &addr,
72 | Ptr: ptr,
73 | })
74 | return nil
75 | }
76 |
77 | func (m *Memory) TestResults(ctx context.Context, t *Test) ([]*TestResult, error) {
78 | m.l.Lock()
79 | defer m.l.Unlock()
80 |
81 | tw, ok := m.tests[t.ID]
82 | if !ok {
83 | return nil, fmt.Errorf("not found: %s", t.ID)
84 | }
85 |
86 | var res []*TestResult
87 | for _, tres := range tw.Results {
88 | copy := *tres
89 | res = append(res, ©)
90 | }
91 |
92 | return res, nil
93 | }
94 |
95 | func (m *Memory) PruneTestResults(ctx context.Context) (int64, error) {
96 | m.l.Lock()
97 | defer m.l.Unlock()
98 |
99 | var count int64
100 | for id, tw := range m.tests {
101 | if time.Since(*tw.Test.Created) > time.Hour*24 {
102 | delete(m.tests, id)
103 | count++
104 | }
105 | }
106 |
107 | return count, nil
108 | }
109 |
110 | func (m *Memory) FinishTest(ctx context.Context, t *Test) error {
111 | m.l.Lock()
112 | defer m.l.Unlock()
113 |
114 | tw, ok := m.tests[t.ID]
115 | if !ok {
116 | return fmt.Errorf("not found: %s", t.ID)
117 | }
118 |
119 | now := time.Now().UTC()
120 | tw.Test.Finished = &now
121 | return nil
122 | }
123 |
124 | func (m *Memory) ActiveTests(ctx context.Context, timeout time.Duration) (int64, error) {
125 | m.l.Lock()
126 | defer m.l.Unlock()
127 |
128 | var count int64
129 | for _, tw := range m.tests {
130 | if tw.Test.Finished == nil && time.Since(*tw.Test.Created) < timeout {
131 | count++
132 | }
133 | }
134 |
135 | return count, nil
136 | }
137 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/storage/storage.go:
--------------------------------------------------------------------------------
1 | package storage
2 |
3 | import (
4 | "context"
5 | "strings"
6 | "time"
7 |
8 | "github.com/google/uuid"
9 | )
10 |
11 | const (
12 | TestResultDnsQuery = "recv_dns_query"
13 | TestResultLdapBind = "recv_ldap_bind"
14 | TestResultLdapSearch = "recv_ldap_search"
15 | TestResultHttpGet = "recv_http_get"
16 | )
17 |
18 | type Backend interface {
19 | Close()
20 | Test(ctx context.Context, id uuid.UUID) (*Test, error)
21 | InsertTest(ctx context.Context, id uuid.UUID) error
22 | InsertTestResult(ctx context.Context, t *Test, resultType string, addr string, ptr *string) error
23 | TestResults(ctx context.Context, t *Test) ([]*TestResult, error)
24 | PruneTestResults(ctx context.Context) (int64, error)
25 | FinishTest(ctx context.Context, t *Test) error
26 | ActiveTests(ctx context.Context, timeout time.Duration) (int64, error)
27 | }
28 |
29 | type Test struct {
30 | ID uuid.UUID `db:"id"`
31 | Created *time.Time `db:"created"`
32 | Finished *time.Time `db:"finished"`
33 | }
34 |
35 | type TestResult struct {
36 | TestID uuid.UUID `db:"test_id"`
37 | Created *time.Time `db:"created"`
38 | Type string `db:type`
39 | Addr *string `db:ip`
40 | Ptr *string `db:ptr`
41 | }
42 |
43 | func NewBackend(connStr string) (Backend, error) {
44 | if strings.HasPrefix(connStr, "memory://") {
45 | return NewMemory(), nil
46 | }
47 |
48 | return NewDB(connStr)
49 | }
50 |
51 | func (t *Test) Done(timeout time.Duration) bool {
52 | return t.Finished != nil || t.TimedOut(timeout)
53 | }
54 |
55 | func (t *Test) TimedOut(d time.Duration) bool {
56 | return time.Since(*t.Created) > d
57 | }
58 |
59 | func (r *TestResult) Color() string {
60 | if r.Type == TestResultHttpGet {
61 | return "danger"
62 | }
63 |
64 | return "warning"
65 | }
66 |
--------------------------------------------------------------------------------
/cmd/log4shell-tools-server/templates/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 73 | This tool allows you to run a test to check whether one of your 74 | applications is affected by the recent vulnerabilities in log4j: 75 | CVE-2021-44228 77 | and CVE-2021-45046. 79 | When you hit 'Start', the tool will generate a unique JNDI URI for 80 | you to enter anywhere you suspect it might end up being processed 81 | by log4j. If log4j triggers so much as a DNS lookup, this tool 82 | will tell you about it. 83 |
84 |85 | You may only use this tool on machines that you have permission 86 | to test on. 87 |
88 | {{ if .Error }} 89 |
112 | {{ if IsTestDone .Test }}
113 | Finished
114 | {{ if IsTestTimedOut .Test }}
115 | (The test timed out)
116 | {{ end }}
117 | {{ else }}
118 |
119 | Waiting...
120 |
121 | Waiting
122 | {{ end }}
123 |
124 | {{ if not (IsTestDone .Test) }}
125 | Copy the texts below and paste them anywhere you suspect it might end up being processed by log4j:
126 | 127 || Time | 152 |Type | 153 |Source | 154 |Message | 155 |
|---|---|---|---|
| {{ $val.Created.Format "2006-01-02 15:04:05" }} | 161 |{{ $val.Type }} | 162 |{{ if $val.Ptr }}{{ $val.Ptr }}{{ else }}{{ $val.Addr }}{{ end }} | 163 |164 | {{ if eq $val.Type "recv_ldap_search" }} 165 | LDAP search query received. At the very least, your log4j deployment supports doing lookups. This can lead to information leakage. 166 | {{ else if eq $val.Type "recv_http_get" }} 167 | GET request for RCE payload payload received. 168 | {{ else if eq $val.Type "recv_dns_query" }} 169 | DNS query received. It is likely that your log4j deployment supports doing lookups. This can lead to information leakage. 170 | {{ end }} 171 | | 172 |
Timestamps are in UTC. Test results are permanently deleted after 24 hours.
177 |Changelog
184 |When significant changes are made to the functionality of the tool, I'll post an update here.
185 |2021-12-14
186 |
187 | The tool now supports detection through DNS. The
188 | jndi:ldap:// URI that is generated for your unique test
189 | ID now also contains a unique *.dns.log4shell.tools name.
190 | With that, the first signs of information leak vulnerability already appear
191 | when log4j performs a DNS lookup, before even connecting to the LDAP
192 | server. This should significantly reduce the number of false
193 | negatives when testing on machines that don't directly have access
194 | to the internet or can't connect to log4shell.tools for some other
195 | reason.
196 |
198 | Newly generated LDAP JNDI URI's now use this feature by default. There's a dedicated jndi:dns:// option as well.
199 |
FAQ
205 |Here's a short list of frequently asked questions. If yours is not answered here, feel free to reach out.
206 |What is CVE-2021-44228?
207 |208 | CVE-2021-44228 209 | is a vulnerability in the popular log4j library by Apache. In the 210 | worst case, it allows bad actors to execute code on any server 211 | where they're able to get log4j to process a malicious log 212 | message. 213 |
214 |215 | If you're using log4j or a product that depends on log4j, you should act on this immediately. 216 |
217 |Can I use this tool to test for CVE-2021-45046 as well?
218 |Yes.
219 |What can I do to protect myself?
220 |Please read the official advisory from Apache: https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0.
221 |What does this tool do?
222 |223 | The tool generates a unique ID for you to test with. After you 224 | click start, we'll generate a piece of text for you that looks 225 | similar to this: ${jndi:ldap://*.dns.log4shell.tools:12345/*}. 226 | Copy it and paste it anywhere you suspect it might end up getting 227 | passed through log4j. For example: search boxes, form fields or 228 | HTTP headers. 229 |
230 |231 | Once an outdated version of log4j sees this string, it will 232 | perform a DNS lookup to get the IP address of 233 | *.dns.log4shell.tools. If this happens, it is considered 234 | the first sign of vulnerability to information leakage. Next, it 235 | will attempt and LDAP search request to 236 | log4shell.tools:12345. The tool responds with a Java class 237 | description, along with a URL for where to obtain it. Log4j may 238 | even attempt to fetch the class file. The tool will return a 404 239 | and conclude the test. 240 |
241 |Am I safe if the tool doesn't report anything after the test?
242 |243 | Not necessarily. If the machine you're testing on does not have 244 | access to the internet or can't reach log4shell.tools for 245 | some other reason, the results will not be accurate. The tool is 246 | only meant to give you a rough assessment of what someone with no 247 | special access to your environment would be able to do. 248 |
249 |250 | The only way to make sure you're safe, is to start applying 251 | patches. 252 |
253 |Is there any chance that the tool reports a false positive?
254 |255 | The DNS lookup detection feature may result in a false positive in 256 | some cases. For example, this can happen if the environment you're 257 | testing has some other tooling that is examining the logs or the 258 | traffic on the network. If the tooling finds anything suspicious, 259 | it may perform a DNS lookup as part of its analysis. This will 260 | lead us to believe that we triggered a lookup in log4j, while that 261 | was actually not the case. 262 |
263 |Isn't releasing such a tool to the public dangerous?
264 |265 | I believe in arming the public with the same tools that the bad 266 | actors we're up against already have. Especially in this case 267 | where the vulnerability is so trivial to exploit. Anyone with some 268 | decent Google-fu will be able to find a full PoC (including RCE) 269 | within minutes. The goal is to contribute to leveling the playing 270 | field by allowing anyone to perform a rough assessment of how 271 | vulnerable they are to this log4j vulnerability. 272 |
273 |274 | Especially if your product runs on a service where you don't have 275 | enough access to update log4j or change its options, a test result 276 | from a tool like this might be enough to get the attention of the 277 | right people. 278 |
279 |Does this tool perform RCE (remote code execution)?
280 |281 | No. It runs the exploit right up until your device requests the 282 | RCE payload, then it returns a 404 and concludes the test. 283 |
284 |What is the privacy policy?
285 |286 | The tool stores test results, IP addresses and PTR records of the servers 287 | that reach out to it. All test results and any information 288 | collected along with it is automatically permanently deleted 289 | after 24 hours. 290 |
291 |292 | No information is shared with third parties. To ensure the privacy 293 | of your test results, do not share your unique test ID with anyone 294 | else. 295 |
296 |Is this tool open source?
297 |298 | Yes! The code is available on GitHub: 299 | https://github.com/alexbakker/log4shell-tools. 300 |
301 |Is this tool affiliated with the Apache Software Foundation?
302 |No.
303 |I have another question / found an issue. How can I contact you?
304 |305 | Feel free to send me an 306 | email. If you're reporting a security issue, please don't 307 | discuss it in public before I've had an opportunity to fix it. 308 |
309 |