Brand-New Log4Shell Attack Vector Threatens Local Hosts

2021-12-17 17:43

Defenders will once again be busy beavers this weekend: There's an alternative attack vector for the ubiquitous Log4j vulnerability, which relies on a basic Javascript WebSocket connection to trigger remote code-execution on servers locally, via drive-by compromise.

"This newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability," researchers said in a Friday note to Threatpost.

In the Log4j case, an attacker would make malicious requests via WebSockets to a potentially vulnerable localhost or local network server.

"WebSockets have previously been used for port-scanning internal systems, but this represents one of the first remote code execution exploits being relayed by WebSockets," said Jake Williams, co-founder and CTO at BreachQuest, via email.

Blumira used a basic Javascript WebSocket connection in the PoC, but Warner noted that "This does not necessarily need to be localhost; WebSockets allow for connection to any IP and easily could iterate private IP space."

Step 2: As the page loads, it will initiate a local WebSocket connection, connect to the vulnerable listening server, and connect out over an identified type of connection based on a Java Naming and Directory Interface connection string - a technique that's similar to WebSockets' localhost port-scanning used for fingerprinting hosts.

News URL

https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/

#attack #log4shell