From ab6dca6615b2737d65222b20e4f303f95ef2d5f1 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sat, 12 Feb 2022 03:56:20 +0000 Subject: [PATCH] post(log4shell): cdk stack - https://gitlab.com/curben/aws-scripts/-/tree/main/log4shell-stack --- source/_posts/log4shell-log4j-unbound-dns.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source/_posts/log4shell-log4j-unbound-dns.md b/source/_posts/log4shell-log4j-unbound-dns.md index a6d4c7c..c9cc273 100644 --- a/source/_posts/log4shell-log4j-unbound-dns.md +++ b/source/_posts/log4shell-log4j-unbound-dns.md 
@@ -2,11 +2,14 @@ title: Check Log4Shell vulnerability using Unbound DNS server excerpt: Check vulnerability without relying on third-party services date: 2021-12-17 +updated: 2022-02-12 tags: - security - aws --- +> (Edit: 12 Feb 2022) AWS CDK stack is available at [curben/aws-scripts](https://gitlab.com/curben/aws-scripts/-/tree/main/log4shell-stack) + Most of the publications discussing the Log4Shell/[Log4j](https://blogs.apache.org/foundation/entry/apache-log4j-cves) vulnerability ([[1]](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java), [[2]](https://www.lunasec.io/docs/blog/log4j-zero-day/), [[3]](https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/), [[4]](https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)) focus on the ability to instruct the JNDI component to load remote code or download payload using [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol). A less known fact is that Log4j also supports DNS protocol by default, at least in versions prior to 2.15.0. Huntress, a cyber security company, created an easy-to-use tool at [log4shell.huntress.com](https://log4shell.huntress.com/) to detect whether your server is vulnerable using LDAP. Despite the assurance of transparency by the availability of [source code](https://github.com/huntresslabs/log4shell-tester) so you could host it yourself, there's no denying the fact that log4shell.huntress.com is a _third-party_ service; even if anyone could host it, not everyone has the ability to audit the source code. Another third-party service that is mentioned around is [dnslog.cn](http://www.dnslog.cn/) which detects (as the name implies) using DNS protocol. 
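Review bot: the new `> (Edit: 12 Feb 2022)` note says a CDK stack "is available" but not what it provisions, and it links to the `main` tree of curben/aws-scripts, which will drift from this post over time. Suggest one clause saying what the stack deploys (if it is the Unbound checker set up in this post, say so) and linking to a tagged commit or the `log4shell-stack` README so the reference stays stable. The added `updated: 2022-02-12` front matter key agrees with the date in the note, which is good.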
@@ -25,6 +28,8 @@ When installing a server (web, DNS, app, etc), Ubuntu usually starts the service systemctl mask unbound ``` +Above command may fail in a script, in that case, use `ln -s /dev/null /etc/systemd/system/unbound.service` instead. + Then, we can proceed to install and configure it. ```
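Review bot: the added sentence after `systemctl mask unbound` does not say why the command fails in a script, and the fallback `ln -s /dev/null /etc/systemd/system/unbound.service` has two gaps a script author will hit: `ln -s` exits non-zero with "File exists" when the link is already there (any re-run of the script), so `ln -sf` is the safer spelling, and a unit symlink created by hand is not picked up until `systemctl daemon-reload`, which `systemctl mask` performs implicitly. Suggest naming the failure mode actually observed and rewording to something like: "The above command may fail in a script; in that case, create the mask symlink directly with `ln -sf /dev/null /etc/systemd/system/unbound.service` and run `systemctl daemon-reload`."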