post(log4shell): cdk stack

- https://gitlab.com/curben/aws-scripts/-/tree/main/log4shell-stack
This commit is contained in:
Ming Di Leom 2022-02-12 03:56:20 +00:00
parent 9bbec7a51a
commit ab6dca6615
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 5 additions and 0 deletions

@ -2,11 +2,14 @@
title: Check Log4Shell vulnerability using Unbound DNS server
excerpt: Check vulnerability without relying on third-party services
date: 2021-12-17
updated: 2022-02-12
tags:
- security
- aws
---
> (Edit: 12 Feb 2022) AWS CDK stack is available at [curben/aws-scripts](https://gitlab.com/curben/aws-scripts/-/tree/main/log4shell-stack)
Most of the publications discussing the Log4Shell/[Log4j](https://blogs.apache.org/foundation/entry/apache-log4j-cves) vulnerability ([[1]](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java), [[2]](https://www.lunasec.io/docs/blog/log4j-zero-day/), [[3]](https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/), [[4]](https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)) focus on the ability to instruct the JNDI component to load remote code or download payload using [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol). A less known fact is that Log4j also supports DNS protocol by default, at least in versions prior to 2.15.0.
Huntress, a cyber security company, created an easy-to-use tool at [log4shell.huntress.com](https://log4shell.huntress.com/) to detect whether your server is vulnerable using LDAP. Despite the assurance of transparency by the availability of [source code](https://github.com/huntresslabs/log4shell-tester) so you could host it yourself, there's no denying the fact that log4shell.huntress.com is a _third-party_ service; even if anyone could host it, not everyone has the ability to audit the source code. Another third-party service that is mentioned around is [dnslog.cn](http://www.dnslog.cn/) which detects (as the name implies) using DNS protocol.
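Review bot: the inserted "(Edit: 12 Feb 2022)" blockquote sits directly between the front-matter `---` and the first body paragraph, and no blank line is visible after it in the hunk; without one, Markdown lazy continuation pulls the "Most of the publications discussing the Log4Shell..." paragraph into the quote. Add a blank line after the `>` line. It would also help to say in the note what the CDK stack provisions (the rest of the post walks through an Unbound-based check), so readers know whether the stack replaces the manual steps that follow or only complements them.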
@ -25,6 +28,8 @@ When installing a server (web, DNS, app, etc), Ubuntu usually starts the service
systemctl mask unbound
```
Above command may fail in a script, in that case, use `ln -s /dev/null /etc/systemd/system/unbound.service` instead.
Then, we can proceed to install and configure it.
```
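Review bot: the added sentence says `systemctl mask unbound` "may fail in a script" without stating when it fails or what error appears; naming the condition (for instance, the unit not yet being present when the script runs, if that is the cause) would let readers decide which variant they need. The fallback `ln -s /dev/null /etc/systemd/system/unbound.service` creates exactly the symlink that `mask` would create, so it is worth saying so, and worth noting that `ln -s` itself errors if that path already exists (`ln -sf` overwrites it). Minor wording: "Above command" reads better as "The above command".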