
Worklet to find and remove the JndiLookup.class from all jar files

  • December 15, 2021
  • 2 replies
  • 901 views

Snovak

Just a little something I whipped up after finding that the JndiLookup.class is not isolated to just the log4j jar files (e.g. it's inside the Minecraft server jar).

Evaluation

#!/bin/bash
#
# Author - Sam Novak
# Notes - after discovering that the JndiLookup.class file can exist in other jar files,
# I decided I had better look at all of them. Fortunately, you can grep the class from a JAR.
#

# Save IFS so the loop below handles folder names with spaces
SAVEIFS=$IFS
IFS=$(echo -en "\n\b")
# Install mlocate to make the evaluation script more efficient
if [ ! -f /usr/bin/locate ] && [ ! -f /bin/locate ]; then
    if [ -f /usr/bin/apt ]; then
      apt install mlocate -y &> /dev/null
    elif [ -f /usr/bin/yum ]; then
      yum install mlocate -y &> /dev/null
    elif [ -f /bin/yum ]; then
      yum install mlocate -y &> /dev/null
    fi
    # Only runs right after install; if locate was already present, the existing
    # database is used as-is and may not know about recently added jars.
    updatedb
fi

for E in $(locate "*.jar"); do
    # -q: exit status only, so the loop is not spammed with "Binary file ... matches"
    if grep -qi 'JndiLookup\.class' "$E"; then
      IFS=$SAVEIFS
      # Found at least once, all is sadness.
      echo "JndiLookup.class found in $E"
      exit 1
    fi
done
IFS=$SAVEIFS
# Not found, all is good
exit 0

Remediation


#!/bin/bash
#
# Author - Sam Novak
# Notes - This has the potential to break things in production, and services/servers may
# need to be restarted in order to guarantee that the class is no longer loaded in memory.
#
# You must comment out the line below in order for this to run.
# Think of it as a 'safety switch'
exit 1


SAVEIFS=$IFS
IFS=$(echo -en "\n\b")

if [ ! -f /usr/bin/zip ] && [ ! -f /bin/zip ]; then
    # we need to install zip
    if [ -f /usr/bin/apt ]; then
      apt install zip -y &> /dev/null
    elif [ -f /usr/bin/yum ]; then
      yum install zip -y &> /dev/null
    elif [ -f /bin/yum ]; then
      yum install zip -y &> /dev/null
    fi
fi
# We already have a locate DB from the evaluation script
for E in $(locate "*.jar"); do
    # only run if the class is present
    if grep -qi 'JndiLookup\.class' "$E"; then
        # zip -d only deletes a top-level entry at exactly this path; a copy sitting
        # inside a nested jar (fat/uber jars) is left in place and ends up in the
        # "Failed" branch below, so check that log after the run.
        if zip -q -d "$E" org/apache/logging/log4j/core/lookup/JndiLookup.class &> /dev/null; then
            echo "Successfully removed JndiLookup.class."
            echo "Successfully removed JndiLookup.class from $E" >> /var/log/log4shell_remediation.log
        else
            echo "Failed to remove JndiLookup.class."
            echo "Failed to remove JndiLookup.class from $E" >> /var/log/log4shell_remediation.log
        fi
    fi
done
IFS=$SAVEIFS
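A complementary check, added here as an example and not part of Sam's worklet: it reads each jar's entry list instead of grepping raw bytes and descends into nested jars (the fat/uber-jar layout), separating hits that a top-level `zip -d` like the one in the remediation script can delete from hits inside an inner jar, which that call cannot reach. The sample jars and their entry paths are constructed inline, and the `outer.jar!/inner/path` notation is an assumption of this example.

```python
import io
import zipfile

# Path of the vulnerable lookup class inside log4j-core (the same path the worklet deletes).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndilookup(jar_bytes, prefix=""):
    """Return every path at which JndiLookup.class sits, descending into nested
    jars. Nested hits are written as outer.jar!/inner/path (assumed notation)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(prefix + name)
            elif name.lower().endswith((".jar", ".war", ".ear")):
                # Read the inner archive into memory and recurse into it.
                hits.extend(find_jndilookup(zf.read(name), prefix + name + "!/"))
    return hits


def classify(hits):
    """Split hits into what 'zip -d <jar> <path>' can delete directly (top-level
    entries) and what it cannot (entries inside a nested jar, which must be
    unpacked, cleaned and repacked, followed by a service restart)."""
    return {
        "zip_d_removable": [h for h in hits if "!/" not in h],
        "nested_needs_repack": [h for h in hits if "!/" in h],
    }


def build_samples():
    """Constructed test data: a plain log4j-core-style jar and a fat jar embedding it."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("BOOT-INF/lib/log4j-core.jar", inner.getvalue())
    return inner.getvalue(), outer.getvalue()


if __name__ == "__main__":
    plain, fat = build_samples()
    print("plain jar:", classify(find_jndilookup(plain)))
    print("fat jar:  ", classify(find_jndilookup(fat)))
```

To run it over a real file, pass the jar's bytes (`open(path, "rb").read()`) to `find_jndilookup` and feed the result to `classify`.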


2 replies

  • December 17, 2021
High-five!

Excellent! Couple of notes/TL;DRs for the crowd: just be aware that if locate isn't installed, this worklet will install mlocate, and if zip isn't installed it will install zip. Another fun tweak our engineer noted: if you want to output these results to the AX console, you would replace ">> /var/log/log4shell_remediation.log" with "2>&1". 

Nice work!:metal:


MichaelK-Automox

Awesome worklet, Sam!

