JNDI | JNDI Injection Exploitation Tool
kandi X-RAY | JNDI Summary
kandi X-RAY | JNDI Summary
JNDI Injection Exploitation Tool
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Main loop
- Handle RMI
- Send transport
- Write object
- Entry point to the class file
- Generate the class file
- Insert method
- Insert exceptions in a method
- Returns the current configuration value for the given key
- Main entry point
- Insert the given class into the given visitor
- Inserts a new method
- Wait for a connection
- Runs the InMemoryDirectoryServerServer server
- Run the server
- Create a dummy object from the registry
- Inserts a new exception
- Insert a new object in the given MethodVisitor
- Creates a new static initializer
- Generate a MethodDispatcher
- Insert a new FileInputStream
- Inserts a new class into the given visitor
- Insert the given class
- Inserts the base64 encoded data into the given visitor
- Generate a Method
- Inserts a class
JNDI Key Features
JNDI Examples and Code Snippets
Lines of Code : 17License : Non-SPDX
Copypublic static Service getService(String serviceJndiName) {
var serviceObj = serviceCache.getService(serviceJndiName);
if (serviceObj != null) {
return serviceObj;
} else {
/*
* If we are unable to retrieve anything from private void init() throws NamingException {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");
// URI to namespace (actual directory)
env.put(Cont Community Discussions
Trending Discussions on JNDI
QUESTION
I am trying to upgrade a monolith application from Wildfly 23 to Wildfly 26.
Originally the application used a dummy configuration of "jaspitest" in the standalone.xml
Old Config for security
...ANSWER
Answered 2022-Feb-14 at 14:29The setup seems somewhat confused. The LoginBacking should not directly call the IdentityStore. Instead, a backing bean should call SecurityContext. The SecurityContext then triggers authentication causing the HttpAuthenticationMechanism to be called, which then, if needed, calls the IdentityStore.
The Soteria project contains a test that demonstrates this for JSF/Faces:
https://github.com/eclipse-ee4j/soteria/tree/master/test/app-mem-customform
The relevant part is:
QUESTION
Some version information:
- Jboss 6.4
- Postgres 9.6
- mybatis-3 CDI
- Postgres Driver 42.2.20 JDBC 4
I'm having a problem that is causing pretty catastrophic behavior in my system. From my debugging I've been able to deduce that an idle transaction appears to be locking a table in my database, causing the application to freeze (certain locks aren't being released). I've been able to stop the freezing my setting timeouts in mybatis but I cannot figure out what is causing the idle transaction in the first place. The good news is that its always the same UPDATE statement that appears to be blocked. However, I can't narrow down what query/trans curring and I'm seeing behavior that I understand.
Here is the query that always seems to lock up (Some names were changed but this query normally works):
...ANSWER
Answered 2022-Feb-15 at 16:39So I discovered what the problem was. The issue really wasn't the database's fault or even the queries that were being used. It turns out that our system was using the same Transaction subsystem for both it our Data Source (Postgres Database) and our JMS messaging system. When a JMS message was sent, it created a transaction and every transactional based action that followed during the life cycle of that tread/transaction would be treated as part of that original transaction. Which includes all of our database calls.....
This explains why a query as simple as insert into a message log was touching all of our relations in the database. The debug queries only showed me the first query/statement sent to the database, not all of the others that were used during the life cycle of the JMS message. There were several ways to fix this but my team opted for the easiest which was preventing the Data Source from using the JBoss provided Transaction Manager.
QUESTION
for a university project I am testing the log4j vulnerability. To do this, I use a python server that connects to the java client by creating a reverse shell. Everything works except the output to server which is not displayed correctly. Specifically, the server shows the output of two previous inputs and I'm not understanding why. I'm new to python and java programming so I'm a little confused.
Initial project: https://github.com/KleekEthicalHacking/log4j-exploit I made some changes and added a python socket to handle the reverse shell.
PS: with netcat it seems to work fine but command with some space non work (ex: cd .. not work)
For run this project i use kali linux (python server) and ubuntu (java webapp). This code does not yet manage clients with windows os
poc.py + exploit class:
...ANSWER
Answered 2022-Feb-11 at 11:36Now works. I added time.sleep(0.2) after each sendall in rce.py
QUESTION
With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 - (also see references) - I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.
The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.
Am I missing something that others have identified?
Log4j 1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat unlike the JNDI-lookup vulnerability which the one identified appears to be.
Is my understanding - that Log4j v1.2 - is not vulnerable to the jndi-remote-code execution bug correct?
ReferencesThis blog post from Cloudflare also indicates the same point as from AKX....that it was introduced from Log4j 2!
Update #1 - A fork of the (now-retired) apache-log4j-1.2.x with patch fixes for few vulnerabilities identified in the older library is now available (from the original log4j author). The site is https://reload4j.qos.ch/. As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to JMSAppender, SocketServer and Chainsaw vulnerabilities. Note that I am simply relaying this information. Have not verified the fixes from my end. Please refer the link for additional details.
...ANSWER
Answered 2022-Jan-01 at 18:43The JNDI feature was added into Log4j 2.0-beta9.
Log4j 1.x thus does not have the vulnerable code.
QUESTION
I want to change database (h2 to SQL) in JBPM
from
...ANSWER
Answered 2022-Jan-21 at 09:28I think manipulating standalone configuration files directly is not a good idea and is also error-prone.
There are some scripts to do this, delivered with jbpm:
QUESTION
I'm new to OBIEE. I have version 12.2.1.4 installed on a Linux server. I installed the client tools on my Windows PC. Using the Administration tool I created a simple RPD which uses only two tables. For this I had to first create an ODBC DSN to connect to my DB/2 database.
Next, I uploaded the RPD to the OBIEE server using the datamodel cli tool. When I go to the http://hostname:9502/analytics page and select to create a new analysis, it shows me the name of the repository and the two tables. I selected a couple of columns and clicked on the Results tab.
At this point, I get an error message: ODBC error state: IM002 code: 0 message: [DataDirect][ODBC lib] Data source name not found and no default driver specified
I had used the em console to create a JNDI connection to DB/2. But, from the message it seems that it is trying to use the ODBC connection that was used when creating the RPD on my PC.
How do I change the connection that the server is using?
...ANSWER
Answered 2022-Jan-13 at 10:21The server needs to be able to reach the data source. EM JNDI connections have nothing to do with it, but rather the server (server OS - not the application) has to reach the source.
You need to update your ODBC settings on the Linux server: https://support.oracle.com/epmos/faces/DocContentDisplay?id=2570997.1
QUESTION
My present project is fully dockerized with large number of Spring Boot containers. Most of them are built with log4j 2+ (less than 2.7 for Java 8) version. How to fully proof the application from the JNDI attack CVE-2021-45105?
I know the best possible solution is to rebuild those containers with the log4j version, but it will take time and budget.
But if I disable the look up function at the docker compose level for every containers, using the below command, does it work?
"JVM_EXTRA_OPTS=-Dlog4j2.formatMsgNoLookups=true"
Secondly, If I delete the JndiLookup.class from log4j-core jar 'zip -q -d log4j-core-*.jar' and re-package, does it affect any present logging implementation? If yes, what functionalities can be affected?
If I set system property log4j2.formatMsgNoLookups=true, will it work? Where should I set this property to stop lookup?
Note: I was informed recently that I will need to handle/remove "JMSAppender" and "ServerSocket" classes also from log4j-core jar as they can be vulnerable also.
If I do not configure JMSAppender and SocketAppender, so they should not become vulnerable right? Or still I need to delete them?
...ANSWER
Answered 2022-Jan-07 at 18:03I got the below points after doing some internet search,
for the above mentioned issues, to be safe we need to do the following:
Temporary Fix For log4j 1.x
Check that the Log4j is not configured to perform JNDI requests
Find JAR files containing the JMSAppender.class
find . 2>/dev/null -type f -regextype posix-egrep -iregex '.*.(jar|war)' -exec grep -i JMSAppender.class {} ;
found in BOOT-INF/lib/log4j-1.2.17.jar
Remove JMSAppender.class from the identified JAR files
zip -d log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class
zip -d log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class
Temporary Fix For log4j 2.x
Find JAR files containing the JndiLookup and JndiManager classes
Used following command to find the JAR files:
find . 2>/dev/null -type f -regextype posix-egrep -iregex '.*.(jar|war)' -exec grep -i JndiLookup.class {} ;
find . 2>/dev/null -type f -regextype posix-egrep -iregex '.*.(jar|war)' -exec grep -i JndiManager.class {} ;
- Remove JAR files containing the JndiLookup and JndiManager classes
For the parmanent fix,
Patch to log4j2.17.0 version, only use log4j2.17.0+ version
Log4j >=2.15.0 requires Java 8. Therefore, organizations that use Java 7 can update to a special security release 2.12.3. Organizations that use Java 6 can update to a special security release 2.3.1.
Applications using Log4j 1.x may be impacted if their configuration uses JNDI. Log4j 1.x comes with Java Classes which will perform a JNDI lookup if enabled in log4j's configuration file, including, but not limited to JMSAppender. Thus, an attacker who already has write access to an application's log4j configuration file can trigger an RCE attack whenever log4j 1.x reads a corrupt/malicious configuration file. The best solution if the upgrade is not possible is to remove JMSAppender class and other.
Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed (by Apache log4j). Users should upgrade to latest Log4j v2 (>=2.16.0) to obtain security fixes.
For Apache log4j versions from 1.2 (up to 1.2.17), the SocketServer class is vulnerable to deserialization of untrusted data, which leads to remote code execution if combined with a deserialization gadget.
Check if JMSAppender and SocketServer are enabled in the configuration file of log4j (e.g., log4j.properties or log4j.xml). Check that the access to the log4j configuration file is limited.
QUESTION
In our company we use WSO2 EI V6.4. I made the configuration sur connect to azure service bus with this guide and all is working
Now we have to use the last patched version of EI 6.4, and when i made the same configuration, I get this error
...ANSWER
Answered 2021-Dec-21 at 22:17I have had similar problem and used version of qpid-jms-client-0.11.1 thats works for me. I get it from this Maven repository
QUESTION
We have a Java application which has had a JConsole connection with password authentication for a while. In improving the security of this, we are trying to encrypt the connection made from JConsole to the application.
Up until now, we have launched our application with the following launch command:
...ANSWER
Answered 2021-Dec-29 at 03:47TLS handshakes are obviously failing. Without knowing the contents of your truststore (a couple of self-signed certificates?), or the ability to inspect the certificates in exchange, it's most likely because cacerts, the default Java truststore that contains common public root certificates, is not being loaded anymore now that you're specifying your own truststore.
As a confidence check, you can import the contents of cacerts into a copy of your truststore and retry. (See keytool's importkeystore.)
QUESTION
I just downloaded log4j-core-2.17.0.jar and when I open it, I see "org/apache/logging/log4j/core/lookup/JndiLookup.class" still part of the jar.
On apache security they have mentioned that -
Implement one of the following mitigation techniques:
Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later). Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Is it like we have to download the JAR and then remove the jndi entry manually ? I thought in 2.16 and 2.17 log4j it was removed already.
Please clarify
...ANSWER
Answered 2021-Dec-25 at 00:41log4j2 2.17 still supports JNDI lookups, so it needs the JndiLookup.class. 2.17 fixes the bugs related to JNDI lookups that allowed code execution (2.15) and Denial of Service (2.16).
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install JNDI
You can use JNDI like any standard Java library. Please include the the jar files in your classpath. You can also use any IDE and you can run and debug the JNDI component as you would do with any other Java program. Best practice is to use a build tool that supports dependency management such as Maven or Gradle. For Maven installation, please refer maven.apache.org. For Gradle installation, please refer gradle.org .
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
