Worklet to find and remove the JndiLookup.class from all jar files

  • 15 December 2021
  • 2 replies
  • 866 views

Just a little something I whipped up after finding that the JndiLookup.class is not isolated to just the log4j jar files (e.g. it's inside of the Minecraft server jar).

Evaluation

#!/bin/bash
#
# Author - Sam Novak
# Notes - after discovering that the JndiLookup.class file can exist in other jar files
# I decided I had better look at all of them. Fortunately, a JAR is a zip archive and
# the entry names are stored uncompressed, so grep can find the class name directly.
#

# Save IFS and split only on newlines so paths with spaces in the name survive the loop
SAVEIFS=$IFS
IFS=$(echo -en "\n\b")
# Install mlocate to make the evaluation script more efficient
if [ ! -f /usr/bin/locate ] && [ ! -f /bin/locate ]; then
  if [ -f /usr/bin/apt ]; then
    apt install mlocate -y &> /dev/null
  elif [ -f /usr/bin/yum ]; then
    yum install mlocate -y &> /dev/null
  elif [ -f /bin/yum ]; then
    yum install mlocate -y &> /dev/null
  fi
fi
# Refresh the locate database every run so jars dropped since the last cron run are seen.
# Caveats: updatedb skips the paths/filesystems pruned in /etc/updatedb.conf, and a jar
# bundled inside a .war/.ear is not a file on disk and will not be listed.
updatedb

for E in $(locate "*.jar"); do
  # -q: no "Binary file matches" noise, -F: match the literal name rather than a regex.
  # A hit anywhere in the archive counts, including relocated (shaded) package paths.
  # only run if the class is present
  if grep -q -i -F "JndiLookup.class" "$E"; then
    IFS=$SAVEIFS
    # Found at least once, all is sadness.
    exit 1
  fi
done
IFS=$SAVEIFS
# Not found, all is good
exit 0

Remediation


#!/bin/bash
#
# Author - Sam Novak
# Notes - This has the potential to break things in production, and services/servers may
# need to be restarted in order to guarantee that the class is no longer loaded in memory.
# Consider copying each affected jar aside before it is modified so it can be rolled back.
#
# You must comment out the line below in order for this to run.
# Think of it as a 'safety switch'
exit 1


SAVEIFS=$IFS
IFS=$(echo -en "\n\b")

if [ ! -f /usr/bin/zip ] && [ ! -f /bin/zip ]; then
  # we need to install zip
  if [ -f /usr/bin/apt ]; then
    apt install zip -y &> /dev/null
  elif [ -f /usr/bin/yum ]; then
    yum install zip -y &> /dev/null
  elif [ -f /bin/yum ]; then
    yum install zip -y &> /dev/null
  fi
fi
# We already have a locate DB from the evaluation script
for E in $(locate "*.jar"); do
  # only run if the class is present (same quiet, literal match as the evaluation script)
  if grep -q -i -F "JndiLookup.class" "$E"; then
    # zip -d rewrites the archive in place and removes only the entry at the stock log4j path.
    # It exits non-zero ("name not matched") when the class lives somewhere else, e.g. under a
    # relocated/shaded package prefix or inside a jar nested in this one; those are logged as
    # failures and have to be handled by hand.
    if zip -q -d "$E" org/apache/logging/log4j/core/lookup/JndiLookup.class &> /dev/null; then
      echo "Successfully removed JndiLookup.class."
      echo "Successfully removed JndiLookup.class from $E" >> /var/log/log4shell_remediation.log
    else
      echo "Failed to remove JndiLookup.class."
      echo "Failed to remove JndiLookup.class from $E" >> /var/log/log4shell_remediation.log
    fi
  fi
done
IFS=$SAVEIFS
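As an added example that is not part of the worklet above (and not the author's or Automox's code), here is the same scan-and-strip done with Python's standard-library zipfile module, so nothing has to be installed on the target host. It goes beyond the grep/zip -d pair on the two cases that pair cannot handle: a copy of the class inside a nested archive (a log4j-core jar bundled under lib/ in an application jar or war) is reported with its inner path, and a copy that a build relocated to another package prefix ("shaded") is found by entry name instead of the fixed org/apache/... path. The app.jar it scans is constructed in a temp directory by build_sample_jar() purely for the demonstration, with a 4-byte placeholder instead of a real class file; scan_tree() walks a directory tree instead of relying on a locate database. Nested copies are reported but deliberately not removed, since that would mean rewriting the inner archive too.

```python
"""Find JndiLookup.class in JAR/WAR/EAR archives, including copies relocated
("shaded") under another package prefix and archives nested inside other
archives, and strip top-level copies. Added example, not the worklet's own code."""
import io
import os
import shutil
import tempfile
import zipfile

TARGET = "JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndilookup(zf, prefix=""):
    """Return the entry path of every JndiLookup.class in an open ZipFile.
    Nested archives are opened in memory; their hits are reported as outer!/inner."""
    hits = []
    for info in zf.infolist():
        name = info.filename
        if name == TARGET or name.endswith("/" + TARGET):
            hits.append(prefix + name)
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(info)))
            except zipfile.BadZipFile:
                continue  # an entry named *.jar that is not actually a zip
            with inner:
                hits.extend(find_jndilookup(inner, prefix + name + "!/"))
    return hits


def scan_archive(path):
    with zipfile.ZipFile(path) as zf:
        return find_jndilookup(zf)


def scan_tree(root):
    """Walk root (like `find root -name '*.jar'`, no locate database needed) and
    map each affected archive to the JndiLookup.class entries found in it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    hits = scan_archive(path)
                except zipfile.BadZipFile:
                    continue
                if hits:
                    report[path] = hits
    return report


def strip_jndilookup(path):
    """Rewrite the archive without any top-level JndiLookup.class entry (what
    `zip -d` does) and return how many entries were dropped. The copy is written
    beside the original and swapped in with os.replace, so an interrupted run never
    leaves a truncated JAR. Copies inside nested archives are left alone here."""
    removed = 0
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), suffix=".tmp")
    os.close(fd)
    try:
        with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename == TARGET or info.filename.endswith("/" + TARGET):
                    removed += 1
                    continue
                new = zipfile.ZipInfo(info.filename, info.date_time)
                new.compress_type = info.compress_type
                new.external_attr = info.external_attr  # keep unix mode bits
                dst.writestr(new, src.read(info))
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return removed


def build_sample_jar():
    """Construct a throwaway app.jar for the demo (not a real artifact): a shaded
    copy of the class at the top level plus a log4j-core jar nested under lib/ with
    the class at its stock path. Returns the temp directory holding it."""
    root = tempfile.mkdtemp(prefix="log4shell-demo-")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    root = build_sample_jar()
    for jar, hits in scan_tree(root).items():
        print("FOUND", jar, hits)
        print("removed", strip_jndilookup(jar), "top-level copy; still present:", scan_archive(jar))
    shutil.rmtree(root)
```

On a real host you would call scan_tree("/") as root and review the report before stripping anything; as with the worklet, a JVM that already has the class loaded keeps it until the service is restarted, and any entry reported with a "!/" in its path needs the nested archive repacked by hand.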



2 replies

High-five!

Excellent! Couple of notes/TL;DRs for the crowd: just be aware that if locate isn't installed, this worklet will install mlocate, and if zip isn't installed it will install zip. Another fun tweak our engineer noted: if you want to output these results to the AX console, you would replace ">> /var/log/log4shell_remediation.log" with "2>&1". 

Nice work! :metal:


Awesome worklet, Sam!
