
Syhunt Dynamic: Log4Shell Detection

The information in this document applies to version 6.9.11 of Syhunt Dynamic.

Designed for professional penetration testers, this guide explains how to configure Syhunt Dynamic so that Syhunt's OAST capabilities integrate with the JNDI Exploit server, allowing Syhunt Dynamic to detect web applications vulnerable to Log4Shell attacks.

Step 1: Launch the JNDI Exploit server

You must read and agree with the Syhunt EULA before continuing and executing any command line in your operating system. Please note that the JNDI Exploit was not developed by Syhunt, and the tool may (or may not) be covered by its own EULA.

First, launch the JNDI Exploit server from a dedicated, clean machine that hosts no sensitive resources, data or files (the Connection Requirements & Security section below explains why). Once started, the server listens on two ports: an HTTP service on 8888 and an LDAP service on 1389. This guide assumes you already have the Java Development Kit installed, which the JNDI Exploit requires. We successfully tested the exploit using version 11.0.3 of the JDK.

The following lines download and run the JNDIExploit server:


wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i IPADDRESS -p 8888

The JNDIExploit.v1.2.zip release has been removed from GitHub, but we created a password-protected copy, available at the link below. If you are a Syhunt client, get in touch to obtain the password.

https://mega.nz/file/HRITUIKI#3cDrGT7dj8vztGNecmugpYf4YPsO49LUwipjcEl_Koo (MD5: 15dcaa1920b3e34acc1dca2b9286c075)

You may also try to obtain a copy of the original file (not password-protected) from other Internet sources. The hashes of the file are listed below so you can verify that you have the right file:

 CRC-32: 5df539f0
 MD5: a8dca50391115eb8741b664cf137ba05
 SHA-1: 2b3791e501e5ceba9be65ee8526cc11084faa198
 SHA-256: 03fb135841f8f8d5c7b9b9a7cd5e65e13162fbfe958318731ab2a5ea41912ffb
 SHA-512: f04eb18c91314b1d9f7d02a2b64a7aa2ccc5134e24c135c54dae5205b90a653b1ec97aeb6e0ea0e288d791e81056e3e14f92ca7171c02cbd6c472247f1c9caaa

Connection Requirements & Security

The machine on which Syhunt is installed must be allowed to send HTTP and LDAP requests to the following additional Internet address and ports:

 IP                            Ports
 YOUR-JNDIEXPLOIT-IPADDRESS    8888, 1389

This will allow Syhunt to check if the servers are up and running before proceeding with the scan.

If the target website you wish to scan uses a private IP address, the JNDI Exploit server can use a private IP address as well. If the target website uses a public IP address, however, the JNDI Exploit server must be running on a public IP address. Syhunt Hybrid will attempt to warn of any requirement violations.

Starting a public JNDI Exploit Server instance comes with risks and you assume all risks resulting from its use, including:

  1. That it can be located through port scanning and used by malicious actors to perform attacks against unauthorized targets, not limited to Log4Shell attacks.
  2. That the server may contain application vulnerabilities that may be exploited once discovered, or that are known only to the author (read more about this possibility below).

For the reasons above, once you finish your scan against the desired target(s), make sure to shut down the JNDI Exploit server.

Safety of the JNDIExploit

A source code scan of the JNDIExploit-master.zip (md5 aa018bbf3e6f2fef69854b9b167482f4) performed by Syhunt Code indicates 6 potential vulnerabilities:

  1. Command Execution Vulnerability on line 43 of /src/main/java/com/feihong/ldap/template/DynamicInterceptorTemplate.java
  2. Insecure Cryptographic Mode on line 53 of /src/main/java/com/feihong/ldap/template/DynamicFilterTemplate.java and /src/main/java/com/feihong/ldap/template/DynamicInterceptorTemplate.java
  3. Weak Random Number Generation on line 14 of /src/main/java/com/feihong/ldap/utils/Util.java

Step 2: Configure Syhunt Dynamic

  1. Launch Syhunt Hybrid and click the Preferences button in the welcome page.

  2. Go to the Advanced tab and enter the IP address (without the port number) of your JNDIExploit server instance.

  3. Click the OK button to save the preferences.

If you are using the CLI instead, you can set the server through the following command:

 scancore -prefset:syhunt.dynamic.options.augmented.jndiserver -v:YOUR-JNDIEXPLOIT-IPADDRESS

Step 3: Confirm It's Working

Optional: You can check if the Log4Shell detection is working by running a scan against log4shell-vulnerable-app.

Instructions for running the app are available at https://github.com/christophetd/log4shell-vulnerable-app#running-the-application

Step 4: Launch Your Log4Shell Scan

  1. Click the Syhunt Dynamic icon or New Scan button in the welcome page.

  2. Enter the URL of the website you want to scan.

  3. Select the Log4Shell scan method, which scans for Log4J vulnerabilities using the recommended settings.

If you are using the CLI instead, use the following command to launch a scan:

 scanurl yourtargetsite.com -hm:log4shell

Important: Once you finish your scan against the desired target(s), make sure to shut down the JNDI Exploit server. If you open http://YOUR-JNDIEXPLOIT-IPADDRESS:8888 in Google Chrome and see a 404 Not Found message, the server is still up and running. In Firefox you will see a blank page instead; the 404 status is visible in the Network tab of the Web Developer Tools.
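As an added example (not part of this guide or of the JNDIExploit project), the following bash script checks a downloaded archive against the hashes listed in Step 1 and, after a scan, confirms that the server's HTTP (8888) and LDAP (1389) ports no longer accept connections; the host placeholder, the coreutils hash tools and the use of bash's /dev/tcp are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Syhunt's or JNDIExploit's own code).
# Digests published in this guide for the original JNDIExploit.v1.2.zip:
EXPECTED_MD5="a8dca50391115eb8741b664cf137ba05"
EXPECTED_SHA1="2b3791e501e5ceba9be65ee8526cc11084faa198"
EXPECTED_SHA256="03fb135841f8f8d5c7b9b9a7cd5e65e13162fbfe958318731ab2a5ea41912ffb"

# hash_of FILE TOOL: print the lowercase hex digest computed by TOOL
# (md5sum, sha1sum or sha256sum); print nothing if the tool is missing.
hash_of() {
  command -v "$2" >/dev/null 2>&1 || return 1
  "$2" "$1" | awk '{print tolower($1)}'
}

# verify_archive FILE MD5 SHA1 SHA256: succeed only when every digest
# matches, so a copy from an untrusted mirror is rejected on any mismatch.
verify_archive() {
  file=$1; md5=$2; sha1=$3; sha256=$4
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  [ "$(hash_of "$file" md5sum)" = "$md5" ] || { echo "MD5 mismatch" >&2; return 1; }
  [ "$(hash_of "$file" sha1sum)" = "$sha1" ] || { echo "SHA-1 mismatch" >&2; return 1; }
  [ "$(hash_of "$file" sha256sum)" = "$sha256" ] || { echo "SHA-256 mismatch" >&2; return 1; }
  echo "archive matches the published hashes"
}

# port_open HOST PORT: succeed if a TCP connection is accepted within 3 s.
# Uses bash's /dev/tcp so no extra tools (curl, nc) are required.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# jndi_server_down HOST: succeed when neither the HTTP (8888) nor the
# LDAP (1389) service still accepts connections, i.e. the server is off.
jndi_server_down() {
  if port_open "$1" 8888 || port_open "$1" 1389; then
    echo "JNDIExploit is still listening on $1; shut it down" >&2
    return 1
  fi
  echo "no JNDIExploit service reachable on $1"
}

# Usage (replace the placeholder with your server address):
#   verify_archive JNDIExploit.v1.2.zip "$EXPECTED_MD5" "$EXPECTED_SHA1" "$EXPECTED_SHA256"
#   jndi_server_down YOUR-JNDIEXPLOIT-IPADDRESS
```

Run jndi_server_down from the Syhunt machine after every engagement; a zero exit status is the confirmation that the browser check above gives by hand.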