As a dev I never thought of security in such detail, but after watching this channel I have been practicing to analyse my code for vulnerability and avoid developing features that can be used as vulnerability in combination. My favourite approach is to never make a magic function. Thank you!
As a professional Java developer, I have never once heard someone call log4j "Log Forge". And considering the name literally means "Log for Java", I would argue anyone saying "Log Forge" is wrong. Although i suppose this is probably just another gif situation lol
Soft g to avoid confusion with gift, context then resolves any other potential confusion. Creator of the word also pronounces with soft g and says it should be a soft g, like the peanut butter. Pronounce with a soft g, and tell your friends.
4J is normal in the Java eco-system, and it means for Java. So log4j would be pronounced as log for Java. Unless log4j is weird and uses other naming. idk where people got Forge from
For anyone wondering how did they fix this difference in URI parsing behaviours -> They didn't. They just completely removed the whitelisting checks and restricted the whole shebang to only `java` scheme, so no LDAP URIs would pass through.
@Xeno The Strange I mean chaining exploits is a thing. Abusing log4j to get a local user perms and then the sudoedit vuln to escalate to root is a pretty reasonable scenario.
Great video, thank you! I feel something is missing in the video - still nor clear why MacOS and alpine are affected? Maybe other operating systems? Why? Probably because of different libc implementations that provide DNS resolution functionality.
From what I took from the video, it's the OS DNS resolver that's causing the issue, and that JNDI is just calling the system DNS resolver rather than using its own, hence it being OS-dependent.
Wünsch mir mehr java videos von dir. Weiß du machst nicht viel mit Java, aber es ist relevanter für Programmierer (weil beliebte Sprache). Keep up the good Content junge
How can you inject your code via this localhost# URLs though? You say "the connection worked" for the other dude, but the connection to what? There clearly can't be a doman like localhost# - so how did he actually inject something? What did the DNS resolve and how could it resolve anything at all? o_O
but woudn't the remote code execution requre that somone actually registers the localhost# domain witch is impossible since it's invalid. Even if someone is running macos and it parses the invalid hostname the dns server shoudn't return anything since the hostname is still invalid. So this is actully not exploitable unless the DNS server is also vunerable or the attacker controls the dns server.
8:44 Nah, it doesn't look good, still seems overly complex. Too many nested ifs, this could use the early return pattern. Which you definitely should use whenever you do safety checks, you should return instantly when anything is wrong and do operations only when all is right.
Except when validating parts of input, i.e. Passwords. Because then you might craft yourself a nice little timing attack vector 😎. But I agree: in most scenarios, this should be the default.
@@kennichdendenn To be fair I don't remember anytime I needed to check passwords or api keys on my own directly. Always used framework/language builtins for that. But true, that's something to remember. Man, writing secure code is hard.
@@doktoracula7017 it is. When validating passwords, I've always just used a secure string compare function. Sadly, I needed to do so to support an older (but afaik still secure) login system, for which there was no pre-shipped library.
Really.. the people saying that you pronounced Log4j wrong are really acting like they didnt miss pronounce it wrong the first time they seen it... I literally see 'Log4j'.. not 'Log Forge'..
I'm just sad that such Exploits exist, why would anyone want to write their own stupid URI parser instead of using the native/built-in one that Is heavily relied on and tested very well ?
hey thanks for "scanning my minecraft server for a project" aka testing for log4j vulnerability on my private server w/o my permission- which is illegal by the way- i've banned your username X_senpai_ and i'm reporting the droplet you used to Digital Ocean.
LMAO "Log Forge" they probably say it like that cause it was mostly popularized on minecraft, and the "Forge" mod loader users were affected the most. Still it sounds fucking stupid
If a logging library has capability to parse expressions from log input. Whoever made that should be banned from programing ever again. The question lies elsewhere. Its a logging library. I expect it to know how write logs to console, file, or to dev null. Why it has lookups? Its clearly bloated. I have nothing against additional functionality. But if you really feel like logging library also have to know how to cook pancakes and fix cars make these features disabled by default, or in better case make them as plugins dustributed in separate jars So your stupidity wont even get into my classpath If you develop such bloated software you clearly failed as a project manager.
As a dev I never thought of security in such detail, but after watching this channel I have been practicing to analyse my code for vulnerability and avoid developing features that can be used as vulnerability in combination.
My favourite approach is to never make a magic function.
Thank you!
Problem is, 3rd party libs are full of magic.
@@TheBiggreenpig go old school, right things yourself, and curse yourself for being a dev like I do 😂
As a professional Java developer, I have never once heard someone call log4j "Log Forge". And considering the name literally means "Log for Java", I would argue anyone saying "Log Forge" is wrong. Although i suppose this is probably just another gif situation lol
Soft g to avoid confusion with gift, context then resolves any other potential confusion. Creator of the word also pronounces with soft g and says it should be a soft g, like the peanut butter. Pronounce with a soft g, and tell your friends.
4J is normal in the Java eco-system, and it means for Java.
So log4j would be pronounced as log for Java. Unless log4j is weird and uses other naming.
idk where people got Forge from
Yeah its literally Log Four J lol
@@tijsbeek8590 Probably related to Minecraft's Forge modding platform, since Log4j was heavily abused on minecraft servers
For anyone wondering how did they fix this difference in URI parsing behaviours -> They didn't. They just completely removed the whitelisting checks and restricted the whole shebang to only `java` scheme, so no LDAP URIs would pass through.
Now you just need to put a sudoedit payload in a log4j injection xD
This cracked me up, I am still waiting for his sudoedit series to conclude.
@Xeno The Strange I mean chaining exploits is a thing. Abusing log4j to get a local user perms and then the sudoedit vuln to escalate to root is a pretty reasonable scenario.
Great dive into this CVE, since I don’t work with Java I took this one as an FYI so it’s great to come across an easily digestible report on it. 😄
Missed opportunity to play some jazz while the fuzzer runs. Thanks for the video.
It's always worth it.. watching the content you make.
Great video, thank you!
I feel something is missing in the video - still nor clear why MacOS and alpine are affected? Maybe other operating systems? Why?
Probably because of different libc implementations that provide DNS resolution functionality.
From what I took from the video, it's the OS DNS resolver that's causing the issue, and that JNDI is just calling the system DNS resolver rather than using its own, hence it being OS-dependent.
Wünsch mir mehr java videos von dir. Weiß du machst nicht viel mit Java, aber es ist relevanter für Programmierer (weil beliebte Sprache). Keep up the good Content junge
This was a fruitful collaboration. Thanks @liveoverflow for the insights. It's always amazing to see top hackers coming together!
Jazzer looks neat - thanks for the reference.
Training to be a Java SDET and we're covering Log4J tomorrow..time to learn beforehand haha
18:10 'Z'ystems :D 🇩🇪
continuing the sentence they become system again :D
How can you inject your code via this localhost# URLs though? You say "the connection worked" for the other dude, but the connection to what? There clearly can't be a doman like localhost# - so how did he actually inject something? What did the DNS resolve and how could it resolve anything at all? o_O
Log(ing) for J(ava)
U had it right the first time.
but woudn't the remote code execution requre that somone actually registers the localhost# domain witch is impossible since it's invalid. Even if someone is running macos and it parses the invalid hostname the dns server shoudn't return anything since the hostname is still invalid. So this is actully not exploitable unless the DNS server is also vunerable or the attacker controls the dns server.
I really enjoyed this! Good video.
Just curious if you have noticed CVE-2017-5645? Probably very early sign of the novadays problems
This is extremely awesome
So, the bypass was found through a parser differential. But it only works on MacOS... Because of a parser differential 😳
8:44
Nah, it doesn't look good, still seems overly complex. Too many nested ifs, this could use the early return pattern. Which you definitely should use whenever you do safety checks, you should return instantly when anything is wrong and do operations only when all is right.
Except when validating parts of input, i.e. Passwords. Because then you might craft yourself a nice little timing attack vector 😎. But I agree: in most scenarios, this should be the default.
@@kennichdendenn To be fair I don't remember anytime I needed to check passwords or api keys on my own directly. Always used framework/language builtins for that. But true, that's something to remember.
Man, writing secure code is hard.
@@doktoracula7017 it is. When validating passwords, I've always just used a secure string compare function. Sadly, I needed to do so to support an older (but afaik still secure) login system, for which there was no pre-shipped library.
Man Man Man !!! You over simplified that initial statement. I understood this in half sleep.
Since when was log4j pronounced as log forge?
Thanks for another video! 😎
Really.. the people saying that you pronounced Log4j wrong are really acting like they didnt miss pronounce it wrong the first time they seen it... I literally see 'Log4j'.. not 'Log Forge'..
linux pwnkit what about it ?
thank you very much for this asome video .does Anthony Weems has a youtube channel?
When can we expect the complete 100% patch for this new log4j?
ThreadContext Maps are not log4j specific. It is a common concept and std library component in enterprise java developement.
11:51 which IDE is that?
Thats not an IDE, its sublime text
Great video, hopefully you will do the same with the iMessage zero-click exploit
9:00 it's that thing that happened in chrome, aka url parsing's jank sometimes
yay I was right
thanks for a new video ❤️❤️
I didn't know that Michael Cera had a hobby in informatic security
best man
Show this to all the apple stans thinking MacOS is safe from hacking
Logforge, what? :D
Good job bro 👍👍👍
Imagine having your PRs broadcast and scrutinized all across the web. Glad we're doing it, but that would be a pulse-raiser.
Awesome👍
didnt know michael cera is into programming
I thought this was Micheal Cera on the thumbnail
I'm just sad that such Exploits exist, why would anyone want to write their own stupid URI parser instead of using the native/built-in one that Is heavily relied on and tested very well ?
It is about knowledge. If the person implementing the new parser does not know about the URI parser then he needs to find a different route
@@namenlos4198 Or maybe about having a much simpler and therfore probably significantly faster parser - logging needs to be very performant after all.
4j is always pronounced as for-j
Yo, Michael Cera, what up?
Comment for the algorithm.
hey thanks for "scanning my minecraft server for a project" aka testing for log4j vulnerability on my private server w/o my permission- which is illegal by the way- i've banned your username X_senpai_ and i'm reporting the droplet you used to Digital Ocean.
it was kind of you to advertise your youtube channel on the way out /s
So what I'm hearing is "It's always DNS"
:)
this is endless loop off breaking by hackers and repairing Log4j by maintainers, 2 hackers are more dangerous together.
Hey Michael Cera
You say "hash sign", all I hear is pound key
In this context, it is correct to use the term "hash." It is the name for that part of a URL.
The best fix is just to delete log4j and Blacklist its inclusing.
Meiß log4j raus und sperr jvm build vom einfügen.
i want to learn from you
LMAO "Log Forge" they probably say it like that cause it was mostly popularized on minecraft, and the "Forge" mod loader users were affected the most. Still it sounds fucking stupid
Hi
fuzzing router
If a logging library has capability to parse expressions from log input. Whoever made that should be banned from programing ever again.
The question lies elsewhere.
Its a logging library. I expect it to know how write logs to console, file, or to dev null. Why it has lookups? Its clearly bloated.
I have nothing against additional functionality. But if you really feel like logging library also have to know how to cook pancakes and fix cars make these features disabled by default, or in better case make them as plugins dustributed in separate jars So your stupidity wont even get into my classpath
If you develop such bloated software you clearly failed as a project manager.
Nice video, very interesting! :)