漏洞产生的原因,在于 Log4j2 允许 JNDI 任意连接服务器,在 org.apache.logging.log4j.core.lookup.JndiLookup#lookup 中,代码如下:
@Override
public String lookup(final LogEvent event, final String key) {
if (key == null) {
return null;
}
final String jndiName = convertJndiName(key);
try (final JndiManager jndiManager = JndiManager.getDefaultManager()) {
return Objects.toString(jndiManager.lookup(jndiName), null);
} catch (final NamingException e) {
LOGGER.warn(LOOKUP, "Error looking up JNDI resource [{}].", jndiName, e);
return null;
}
}
该代码只有在 log.info("{}", "${jndi:xxxx/xx}")时会触发。
还有就是${java:vm}会输出虚拟机信息。
具体原因是因为org.apache.logging.log4j.core.lookup.JavaLookup#lookup,会输出一些系统相关信息。
前面简单了解了字节码增强技术,这里可以想到如果执行到了lookup方法的时候就直接返回不行了么。我们来看下实战。
演示创建JndiLookupActivation
package org.apache.skywalking.apm.plugin.custom;
import net.bytebuddy.description.method.MethodDescription;
import net.bytebuddy.matcher.ElementMatcher;
import org.apache.skywalking.apm.agent.core.plugin.interceptor.ConstructorInterceptPoint;
import org.apache.skywalking.apm.agent.core.plugin.interceptor.InstanceMethodsInterceptPoint;
import org.apache.skywalking.apm.agent.core.plugin.interceptor.enhance.ClassInstanceMethodsEnhancePluginDefine;
import org.apache.skywalking.apm.agent.core.plugin.match.ClassMatch;
import org.apache.skywalking.apm.agent.core.plugin.match.MultiClassNameMatch;
import static net.bytebuddy.matcher.ElementMatchers.named;
public class JndiLookupActivation extends ClassInstanceMethodsEnhancePluginDefine {
private static final String INTERCEPT_CLASS = "org.apache.skywalking.apm.plugin.custom.JndiLookupMethodInterceptor";
private static final String ENHANCE_CLASS = "org.apache.logging.log4j.core.lookup.JndiLookup";
private static final String ENHANCE_CLASS_2 = "org.apache.logging.log4j.core.lookup.JavaLookup";
private static final String ENHANCE_METHOD = "lookup";
@Override
public ConstructorInterceptPoint[] getConstructorsInterceptPoints() {
return new ConstructorInterceptPoint[0];
}
@Override
public InstanceMethodsInterceptPoint[] getInstanceMethodsInterceptPoints() {
return new InstanceMethodsInterceptPoint[]{
new InstanceMethodsInterceptPoint() {
@Override
public ElementMatcher getMethodsMatcher() {
return named(ENHANCE_METHOD);
}
@Override
public String getMethodsInterceptor() {
return INTERCEPT_CLASS;
}
@Override
public boolean isOverrideArgs() {
return true;
}
}
};
}
@Override
protected ClassMatch enhanceClass() {
return MultiClassNameMatch.byMultiClassMatch(ENHANCE_CLASS_2, ENHANCE_CLASS);
}
}
创建JndiLookupMethodInterceptor
package org.apache.skywalking.apm.plugin.custom;
import org.apache.skywalking.apm.agent.core.plugin.interceptor.enhance.EnhancedInstance;
import org.apache.skywalking.apm.agent.core.plugin.interceptor.enhance.InstanceMethodsAroundInterceptor;
import org.apache.skywalking.apm.agent.core.plugin.interceptor.enhance.MethodInterceptResult;
import java.lang.reflect.Method;
public class JndiLookupMethodInterceptor implements InstanceMethodsAroundInterceptor {
@Override
public void beforeMethod(EnhancedInstance objInst, Method method, Object[] allArguments, Class[] argumentsTypes,
MethodInterceptResult result) throws Throwable {
result.defineReturnValue(null);
}
@Override
public Object afterMethod(EnhancedInstance objInst, Method method, Object[] allArguments, Class[] argumentsTypes,
Object ret) throws Throwable {
return ret;
}
@Override
public void handleMethodException(EnhancedInstance objInst, Method method, Object[] allArguments,
Class[] argumentsTypes, Throwable t) {
}
}
在skywalking-plugin.def配置
jndi-look-up-1.0.x=org.apache.skywalking.apm.plugin.custom.JndiLookupActivation
给代码配上agent
-javaagent:/Users/qinfuxiang/IdeaProjects/skywalking-java/skywalking-agent/skywalking-agent.jar -Dskywalking.agent.service_name=demo -Dskywalking.collector.backend_service=127.0.0.1:11800
启动在重新试下
