PerlMonks  

Re: Log4Shell and Log::Log4perl

by Perlbotics (Bishop)
on Dec 24, 2021 at 18:51 UTC (#11139874)


in reply to Log4Shell and Log::Log4perl

Although Java is not directly involved, I think it's noteworthy that Log::Log4perl offers code execution while reading configuration files. This might be an entry point for an attacker, although not as serious as Log4Shell since it requires access to the Log4perl configuration files while Log4Shell requires just lazy or no input validation.

#!/usr/bin/env perl
use strict;
use warnings;
use Log::Log4perl;

sub some_quote { qq{I solemnly swear that I am up to no good.\n} };

#-- this would be the content of a manipulated log4perl configuration file
my $conf = q(
  #-- this could be the content of a configuration file ...
  log4perl.category.Foo.Bar       = INFO, Screen
  log4perl.appender.Screen        = Log::Log4perl::Appender::Screen
  log4perl.appender.Screen.stderr = 0
  log4perl.appender.Screen.layout = \
    sub { \
      print some_quote(); system("date"); \
      return "Log::Log4perl::Layout::SimpleLayout"; \
    }
);

## Log::Log4perl::Config->allow_code(0);  #-- would have disabled code execution

Log::Log4perl::init( \$conf );
my $logger = Log::Log4perl::get_logger('Foo::Bar');
$logger->info("Mischief managed.");

Output:

I solemnly swear that I am up to no good.
Fri Dec 24 19:33:09 CET 2021
INFO - Mischief managed.

This feature can be disabled (see FAQ) using:

Log::Log4perl::Config->allow_code(0);
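An added example of the defensive side (not Perlbotics' code and not Log4perl's own): switch allow_code(0) on before init and pre-scan the config text so the offending key can be reported. It assumes, as the Log4perl docs describe, that init() dies on code values once allow_code(0) is set; the config text is constructed here.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): refuse Log4perl configs that
# carry Perl code. allow_code(0) is the documented switch; the scan is an
# extra pre-check that names the offending key in the warning.
use strict;
use warnings;
use Log::Log4perl;

# Return the config keys whose value is Perl code (starts with "sub {"),
# honouring Log4perl's backslash line continuation.
sub find_code_values {
    my ($text) = @_;
    $text =~ s/\\\n\s*/ /g;            # join continued lines
    my @hits;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;  # skip comments and blank lines
        my ($key, $val) = $line =~ /^\s*([\w.]+)\s*=\s*(.*)$/ or next;
        push @hits, $key if $val =~ /^\s*sub\s*\{/;
    }
    return @hits;
}

# Initialise Log4perl with code evaluation disabled. Returns 1 on success,
# 0 if the config was rejected (reason goes to STDERR). The eval covers
# anything the pre-scan misses: with allow_code(0), init() is assumed to die.
sub init_hardened {
    my ($conf) = @_;
    Log::Log4perl::Config->allow_code(0);   # documented safe setting
    if (my @bad = find_code_values($conf)) {
        warn "refusing config: code found in key(s) @bad\n";
        return 0;
    }
    eval { Log::Log4perl::init(\$conf); 1 } or do {
        warn "Log4perl rejected config: $@";
        return 0;
    };
    return 1;
}

# Constructed sample configs: one with the code-carrying layout, one plain.
my $tmpl = <<'EOT';
log4perl.category.Foo.Bar       = INFO, Screen
log4perl.appender.Screen        = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.stderr = 0
log4perl.appender.Screen.layout = LAYOUT
EOT
my $bad_conf  = $tmpl =~ s/LAYOUT/\\\n    sub { system("date"); "Log::Log4perl::Layout::SimpleLayout" }/r;
my $good_conf = $tmpl =~ s/LAYOUT/Log::Log4perl::Layout::SimpleLayout/r;

print "bad config accepted?  ", (init_hardened($bad_conf)  ? "yes" : "no"), "\n";
print "good config accepted? ", (init_hardened($good_conf) ? "yes" : "no"), "\n";
Log::Log4perl::get_logger('Foo::Bar')->info("Mischief managed.");
```

The first call is refused by the pre-scan and never reaches init(); the second initialises normally and logs through the plain SimpleLayout.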

Re^2: Log4Shell and Log::Log4perl
by etj (Hermit) on Dec 24, 2021 at 19:23 UTC
    If you can modify the config, you can modify the rest of the application. This doesn't seem like a meaningful point in discussing possible security flaws in any library?

      As noted in the docs it's possible to disable this behavior with:

      Log::Log4perl::Config->allow_code(0);

      The cake is a lie.
      The cake is a lie.
      The cake is a lie.

        As noted in the docs it's possible to disable this behavior with:

        Log::Log4perl::Config->allow_code(0);

        So it's insecure by default. Not nice.

        And the same is true for the next documented feature, Log::Log4perl::Config->allowed_code_ops(...). Quoting the documentation:

        By default, a value of '1' is assumed, which does a normal 'eval' without any restrictions.

        Insecure by default, you have to lock it down explicitly. Again, not nice.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

      If you can modify the config, you can modify the rest of the application.
      True in Perl, Python, Javascript etc., not necessarily in Java, C++, etc. - or at least harder. It boils down to proper access permissions and always running the application with least privileges.

      The core of Log4Shell is the unexpected or little known behaviour of the library to contact remote services. Usually, I would expect from a configuration file to hold static read only data, not fractions of code that could be executed - and that's also unexpected or little known Log::Log4perl behaviour.

        True in Perl

        Do we agree that Log::Log4perl is Perl, though?

        unexpected or little known Log::Log4perl behaviour

        This doesn't seem to acknowledge your previous point that it's true in Perl.
