mergebase / log4j-detector

A public open-source tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc.) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Simple test using sample files outputs no status #66

Open donmontalvo opened 2 years ago

donmontalvo commented 2 years ago

Testing sample files, getting strange "Not actually a zip!?! (no magic number)" line endings instead of status:

testuser:log4j-detector testuser$ java -jar log4j-detector-2021.12.20.jar ./test-files/
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-1.1.3.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-1.2.17.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.0-beta2.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.0-beta9.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.10.0.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.10.0.zip - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.15.0.jar - Not actually a zip!?! (no magic number)
-- Problem: /Users/testuser/Desktop/log4j-detector/test-files/log4j-core-2.9.1.jar - Not actually a zip!?! (no magic number)
-- No vulnerable Log4J 2.x samples found in supplied paths: [./test-files/]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 ! :-)
testuser:log4j-detector testuser$

juliusmusseau commented 2 years ago

How did you get the test-files?

I am maintaining a collection of test-files here, too, by the way: https://github.com/mergebase/log4j-samples

donmontalvo commented 2 years ago

Downloaded from your repo. :)

rgmz commented 2 years ago

@donmontalvo Can you provide some more information about your setup? I can't reproduce this with either 2021.12.20 or 2021.12.22.

$ git clone https://github.com/mergebase/log4j-samples.git
$ java -jar log4j-detector-2021.12.20.jar log4j-samples/
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/tmp/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j contains Log4J-2.x   >= 2.12.2 _SAFE_
/tmp/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.x   >= 2.12.2 _SAFE_
/tmp/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.x   == 2.16.0 _OKAY_
/tmp/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_
/tmp/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_
/tmp/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.x   <= 2.0-beta8 _POTENTIALLY_SAFE_ (Did you remove JndiLookup.class?)
/tmp/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.x   == 2.15.0 _OKAY_
/tmp/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_
/tmp/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip!/WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_
/tmp/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x   >= 2.0-beta9 (< 2.10.0) _VULNERABLE_

juliusmusseau commented 2 years ago

Did you click on them before downloading them?

I've noticed a problem with Github where people right-click the "file-1.2.3.jar" links like this: "https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar". It seems to download as a jar file, but it's not. It's an html file.

It's important when downloading to make sure the URL has the word "/raw/" in it, like so:

https://github.com/mergebase/log4j-samples/raw/master/true-hits/log4j-core-2.15.0.jar

rgmz commented 2 years ago

I've noticed a problem with Github where people right-click download links like this: "https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar". It seems to download as a jar file, but it's not. It's an html file.

I think you're right:

$ java -jar log4j-detector-2021.12.20.jar log4j-core-2.15.0.jar 
-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- Problem: /tmp/log4j-core-2.15.0.jar - Not actually a zip!?! (no magic number)
-- No vulnerable Log4J 2.x samples found in supplied paths: [log4j-core-2.15.0.jar]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 !  :-) 

donmontalvo commented 2 years ago

I always click the URL to be taken to the downloadable jar file. No different from what I did with previous versions. Seems to be working now.

donmontalvo commented 2 years ago

Spoke too soon. It's giving strange output on ZIP files.

[screenshot of the detector output on the ZIP files, not reproduced here]

rgmz commented 2 years ago

Spoke too soon. It's giving strange output on ZIP files.

I think that's related to #56

juliusmusseau commented 2 years ago

Try right-click downloading this: https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar (it will be corrupt).

Whereas if you left-click on it, you arrive here:

[screenshot of the GitHub file page for log4j-core-2.10.0.jar, not reproduced here]

From there you can right-click the little [Download] button on the far right, and then it works.

Are you able to open up the corrupt files you downloaded using zip? Or "vi" (which should show html)? Or hexdump?
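The two checks suggested in this thread (the "/raw/" URL form, and looking at the first bytes of a downloaded file to see whether it is a zip or an HTML page) as a small added Python script; it is not part of log4j-detector or log4j-samples. The sample jar and the HTML page embedded below are constructed stand-ins, and the ZIP_MAGICS tuple and the function names are the author's own assumptions, not the detector's code.

```python
import re
import zipfile
from io import BytesIO
from pathlib import Path

# Signatures a genuine zip/jar starts with: local file header, empty archive,
# spanned archive. A "no magic number" complaint means none of these matched.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def classify_download(data: bytes) -> str:
    """Return 'zip', 'html' or 'unknown' for the leading bytes of a downloaded file."""
    if data[:4] in ZIP_MAGICS and zipfile.is_zipfile(BytesIO(data)):
        return "zip"
    # A /blob/ page saved via right-click is HTML; tolerate a BOM and leading whitespace.
    head = data[:512].lstrip(b"\xef\xbb\xbf").lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def raw_url(url: str) -> str:
    """Rewrite a github.com .../blob/... link to the /raw/ form that serves the file itself."""
    return re.sub(r"^(https://github\.com/[^/]+/[^/]+)/blob/", r"\1/raw/", url)


def check_directory(directory: Path) -> dict:
    """Classify every file in a sample directory so bad downloads are caught before scanning."""
    return {p.name: classify_download(p.read_bytes())
            for p in sorted(directory.iterdir()) if p.is_file()}


def make_sample_jar() -> bytes:
    """Constructed stand-in for a real jar: a minimal zip containing only a manifest."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed imitation of what a right-clicked /blob/ link saves to disk.
SAMPLE_BLOB_HTML = (b"<!DOCTYPE html>\n<html lang=\"en\">\n<head><title>"
                    b"log4j-core-2.10.0.jar at master</title></head>\n<body></body></html>\n")

if __name__ == "__main__":
    for name, blob in (("good.jar", make_sample_jar()), ("bad.jar", SAMPLE_BLOB_HTML)):
        print(f"{name}: {classify_download(blob)} (first bytes {blob[:4]!r})")
    print(raw_url("https://github.com/mergebase/log4j-samples/blob/master/true-hits/log4j-core-2.10.0.jar"))
```

Running check_directory over a test-files folder before invoking the detector shows at a glance which samples are HTML pages rather than archives.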

donmontalvo commented 2 years ago

That's where I go to download the file, using the Download button.