-
Notifications
You must be signed in to change notification settings - Fork 185
add sending output format strings and templates lab #503
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Jason Shepherd <[email protected]>
@david-a-wheeler can you review Jason's submission please? |
I'm really sorry I didn't respond earlier, I somehow missed this. Thanks so much for taking a stab at this! I also like the approach of using a known CVE, I think that can be helpful. However, I don't think this lab best illustrates the ponit. This lab focuses on "Restrict the JNDI hostnames from which variables can be loaded." That's a lab on restricting the inputs that are allowed, and we already have a lab on that topic. What we need is a lab that mirrors Format Strings and Templates. Now the weird thing is that we DO use this specific vulnerability as an example of the problem. However, what I meant when referring to this CVE is that if an attacker can cause any reaction simply by causing text of the form Can you modify the material so it's clearer that allowing an attacker to trigger any unexpected code execution, just via data that's output or logged, is a problem? Perhaps log4shell is not the clearest example, sorry about that. |
</p><p> | ||
</p><h2>Background</h2> | ||
<p> | ||
In this exercise, we'll assume that out output template allows a user to specify a JNDI hostname |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@david-a-wheeler What If we updated the Background section by adding:
"Allowing a user to load variables is still a security risk, even from the same host. However the program requirements might dictate it's necessary. We're going to assume that in this exercise it's required to load variables from a JNDI server on the same host, and disabling such functionality is not an option."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense to me!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, it's not really dealing with the underlying issue I raised earlier.
The Log4J developers prior to CVE-2021-44228 allowed uses to load arbitrary variables (and code) from a remote JNDI server using the logging templates. This example comes from the patch for CVE-2021-44228, and is part of the fix for that vulnerability which restricts which JNDI server host one can load variables from.