Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Last update: Jan 04, 2023

Overview

log4shell_finder

Detects Log4J versions on your file-system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Python runs, too!

Currently reports log4j-core versions 2.12.2 and 2.17.0 as SAFE, 2.16.0 as NOTOKAY and all other versions as VULNERABLE (although it does report pre-2.0-beta9 as "MAYBESAFE").

log4j v1.x may appear in the log either as OLDUNSAFE or OLDSAFE depending on presence of JMSAppender.class.

Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).

It can also handle shaded class files - extensions .esclazz (elastic) and .classdata (Azure).

Changelog

Version 1.6-20211221

added checks for JMSAppender.class within log4j v1.x instances

Version 1.5-20211220

fixed bug where --exclude-dirs skipped the given directory, but not it's subdirectories

Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.
findings can be saved in json format with --json-out <filename>
skip folder with --exclude-dirs DIR [DIR ...] parameter
use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Version 1.3-20211219

handle elastic's SHADED_CLASS_EXTENSION ".esclazz"

Version 1.2-20211219

get exact log4j version from pom.properties

Usage

Either run from a python interpreter or use the Windows/Linux binaries from the dist folder.

# ./test_log4shell.py --help
usage:  Type "test_log4shell.py --help" for more information
        On Windows "test_log4shell.py c:\ d:\"
        On Linux "test_log4shell.py /"

Searches file system for vulnerable log4j version.

positional arguments:
  folders               List of folders or files to scan. Use "-" to read list of files from stdin.

optional arguments:
  -h, --help            show this help message and exit
  --exclude-dirs DIR [DIR ...]
                        Don't search directories containing these strings (multiple supported)
  --same-fs             Don't scan mounted volumens.
  --json-out [FILENAME]
                        Save results to json file.
  -d, --debug           Increase verbosity, mainly for debugging purposes.

Does not require any extra python libraries.

Compile binaries

The binaries were produces with:

pip install pyinstaller
pyinstaller -F ./test_log4shell.py

Sample run

# ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,373] [INFO] [I] Starting ./test_log4shell.py ver. 1.6-20211220
[2021-12-21 11:16:43,408] [INFO] [I] Parameters: ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,416] [INFO] [I] 'hostname': '<redacted>', 'fqdn': '<redacted>', 'ip': '<redacted>', 'system': 'Linux', 'release': '5.4.0-58-generic', 'version': '#64-Ubuntu SMP Wed Dec 9 08:16:25 UTC 2020', 'machine': 'x86_64', 'cpu': 'x86_64'
[2021-12-21 11:16:43,416] [INFO] [I] Analyzing paths (could take a long time).
[2021-12-21 11:16:43,776] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-java-aws-lambda-layer-1.28.1.zip:elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,850] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,916] [INFO] [+] [VULNERABLE] Package /home/hynek/war/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:44,288] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:44,335] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,557] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,659] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,664] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,668] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.0-beta2 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:44,670] [INFO] [+] [OLDUNSAFE] Folder /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17/org/apache/log4j contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,694] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.15.0 == 2.15.0
[2021-12-21 11:16:44,706] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.9.1 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,718] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,725] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.0-beta9 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,737] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,818] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.5 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,966] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/uber/expanded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:45,094] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:45,108] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/shaded/expanded/clt/shaded/l/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:45,150] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:46,054] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:47,528] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:48,999] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:50,449] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:51,044] [INFO] [+] [NOTOKAY] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.16.0 == 2.16.0
[2021-12-21 11:16:51,058] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.12.2 == 2.12.2
[2021-12-21 11:16:51,223] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,266] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,477] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,658] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,681] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,691] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,702] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/exploded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.17.0
[2021-12-21 11:16:51,747] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j/core contains Log4J-2.x == 2.12.2
[2021-12-21 11:16:51,813] [INFO] [+] [VULNERABLE] Package /home/hynek/war/BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:51,916] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/BOOT-INF/lib/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:52,013] [INFO] [+] [VULNERABLE] Package /home/hynek/war/app/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:52,478] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,507] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:52,530] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,555] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/HelloLogging/target/whoiscrawler/WEB-INF/lib/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:52,556] [INFO] [I] Finished, found 18 vulnerable or unsafe log4j instances.

Comments

Several improvements to the scanner
Thanks for the scanner, it's great. As part of our use, we have made a few minor improvements to it, maybe they will be useful to everyone.

CVSS score change according to nvd.nist.gov

UTF8 patch, fixes problems on Windows systems with a non-UTF 8 locale installed in path

all new argument, for windows version (close to similar --same-fs on Linux) remove header to --cvs-out, it is not needed when you do multiple system scans, and then combine the file into one. For example, running on a host group (Windows) from a network drive with the parameter log4shell.exe all --csv-out and after scanning the collection to 1 report type *.csv > all.csv (for Windows) cat .csv > all.csv(for Linux)

some changes to cvs output, it becomes more convenient log4shell_1.22.2.6.zip
opened by trust1345 8
Doesn't scale well to multiple CPU cores
I've been running this on our AMD Threadripper 2990WX machine and since it took more than 5 minutes, I started to investigate why.

It looks like the disk is bored and only one CPU core is loaded with 100%, all other cores are also idling.

I didn't have a look at the source code but maybe a two-pass approach might speed things up:

Build a list of all files to be scanned. This probably cannot be parallelized much

Go through the list in several threads so it's not just one CPU core doing all the work
opened by jachstet-sea 5
Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this.

Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this. I liked the proposed implementation. 1 separate row for each host, instead of adding statistics to each row by adding extra columns (when the --csv-stats argument is specified). This approach is better than I originally suggested.

launched on https://github.com/HynekPetrak/log4shell-finder/commit/75cb4f129110f5da8e8132698ed2b52ad34c405c test_log4shell_1.2120220126.py all --csv-out --no-csv-header --no-error --csv-clean --csv-stats output2.csv output1.csv

Proposed format output1-expected.csv output2-expected.csv Also in the proposed output, I propose to slightly change the output of --csv-clean, for unification

thank you in advance.

opened by trust1345 4
Windows: "all" argument to scan all local drives doesn't work on pre-build binary

Hi,

I tried the pre-build windows binary from the dist Folder and realized that the all option to scan all local drives (https://github.com/HynekPetrak/log4shell-finder/commit/a5cfac0a1fd5678a8c144e59d0e862d274d08965) doesn't work, no drives where found, so nothing was scanned until I had to defined c:\ d:\ instead.

I tried to build the binary on my own with pyinstaller and was running into the same issue, by checking the code I assumed that there might be a problem with the win32api and win32file import so drives will become none.

At least for me it was necessary to run pyinstaller --hidden-import win32api --hidden-import win32file -F ./test_log4shell.py to enforce that those modules will be included in the binary. Afterwards the all option was working as expected, every available drives was found and scanned.

Cheers Dominik

opened by wombelix 3
CVE-2022-23307 (chainsaw) detection shouldn't depend on CVE-2022-23302 (jmssink)?

Hi,

the detection for CVE-2022-23307 was introduced in commit https://github.com/HynekPetrak/log4shell-finder/commit/b271f275547f2879ca21e57c38150c1fb1bf2c92 and later changed in commit https://github.com/HynekPetrak/log4shell-finder/commit/b04487e92dd361a9cbc98350f42878e884b2c735.

In the first commit, there was no dependency to any other CVE, in the second one the dependency to JMSSINK was added. As far I understand CVE-2022-23307 and based on my tests, this change / dependency avoids the detection in most cases and therefore should be reverted to the initial state?

Cheers Dominik

opened by wombelix 3
Please add support argument, for line in the csv report when nothing is found on host

1 line from the host with the verdict for example CLEAN. It will help for mass rolling scanning of hosts to have also a list of scanned hosts.

"2022-01-25 00:00:00","1.2120220125","192.192.192.192","localhost.localdomain","Linux","6.x86_64","x86_64","Package","CLEAN","","",""

opened by trust1345 3
Automatic generation of the output file name using the hostname_ip.csv template

FR For mass scanning of a host group by a scanner, it would be great if the name of the output file (when using some key) was generated automatically using the hostname_ip.csv template. This will allow you to collect all the received files into one directory (without thinking about the coincidence of file names) and executing, for example cat ./*.csv > report_all.csv to get a general report.

Thanks for the scanner.

opened by trust1345 3
FR add CSV output for massive scan

FR IIt would be great if there was a -c (csv output) option so that you could wrap the scanner in ansible wrapper and use it on a group of machines. Earlier we wrapped the scanner https://github.com/mergebase/log4j-detector but it doesn't keep up with updates a bit and runs slower (there are also problems with memory consumption). As a result, looks like this. This output is quite convenient for fast processing of a large group of hosts. I have attached an example file. In the attached file, the separator is "@", but you can use for example "," role1.4-output.csv

PS. I think it would also be a good idea to make an exception on all Linux hosts /proc by default, this will reduce the speed of scanning (and accessing swap, when touching /proc), but will not worsen its results.

Thanks for the scanner, it's the best.

opened by trust1345 3
Single binary for windows

For all versions of windows, you can make one common binary file. All versions of windows contain 32 subsystems, so such a binary file will work on all Windows systems.

In order to support all versions of windows from windows 7, you need to use version 3.7.9 to build with pyinstaller

opened by trust1345 2
Please add an argument, that will add to each line of the csv output ( --csv-out ) additional information

Please add an argument, that will add to each line of the csv output ( --csv-out ) information about the passed path argument, when the scanner starts, exclude path, and the time spent on scanning the host (even when the verdict is CLEAN), total scanned files and folders.

This information will be useful for analyzing the scanner's work statistics.

Example in attach. localhost_10.10.10.10.csv

opened by trust1345 1
Please add verdict for Log4J-1.1.1

When the scanner finds Log4J-1.1.1 the verdict turns out to be just an empty space. I think that you need to add a status that would indicate in such cases the need for manual verification, for example manual or add an existing CVE.

2019-06-19 10:10:10 1.2120220117 333.333.333.333 server.com Windows 2022 AMD64 Package ...\lib\log4j-core.jar contains Log4J-1.1.1 <= 1.2.17, JMSAppender.class not found 1.1.1

opened by trust1345 1

Skip reparse points on Windows

import ctypes
def isLink(path):
    if os.path.exists(path):
        if os.path.isdir(path):
            FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
            attributes = ctypes.windll.kernel32.GetFileAttributesW(unicode(path))
            return (attributes & FILE_ATTRIBUTE_REPARSE_POINT) > 0
    return False

opened by HynekPetrak 0

Current scaner binary builds, using pyinstaller
Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Windows 32 bit version, should work on all versions of Windows OS (32-bit and 64-bit) both client and server, starting from w7 and above

Linux 32 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

Linux 64 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

It may be useful to anyone.

Windows run example: test_log4shell_1.2120220209.exe all --csv-out --no-csv-header --csv-clean

Linux 32 bit run example: test_log4shell_1.2120220209.bin32 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

Linux 64 bit run example: test_log4shell_1.2120220209.bin64 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

After the work is completed, a short-hostname_ip.csv file with the scan results will appear in the directory from which the file was run.

test_log4shell_1.2120220209_32.zip test_log4shell_1.2120220209_64.zip test_log4shell_1.2120220209_exe.zip
opened by trust1345 0
Please add support 3 CVE (log4j)
CVE-2017-5645

CVE-2021-42550

CVE-2020-9488

It is especially important to detect CVE-2021-42550

Maybe in the documentation (readme) such a table will be useful

| Detect | CVE | CVSSv3 | Severity | java | lib from | lib to | lib fix | | | :----- | :------------- | :----- | :------- | :---- | :--------- | :----------------------------- | :------------------ | :-- | | x | CVE-2021-44228 | 10,0 | Critical | 8 | 2.0-beta9 | 2.14.1 | 2.15.0 | | | - | CVE-2017-5645 | 9,8 | Critical | 7 | 2.0-alpha1 | 2.8.1 | 2.8.2 | | | x | CVE-2021-45046 | 9,0 | Critical | 7/8 | 2.0-beta9 | 2.15.0 excluding 2.12.2 | 2.12.2/2.16.0 | | | x | CVE-2021-4104 | 7,5 | High | - | 1.0 | 1.x | nofix | | | x | CVE-2021-44832 | 6,6 | Medium | 6/7/8 | 2.0-alpha7 | 2.17.0, excluding 2.3.2/2.12.4 | 2.3.2/2.12.4/2.17.1 | | | - | CVE-2021-42550 | 6,6 | Medium | - | 1.0 | 1.2.7 | 1.2.8 | | | x | CVE-2021-45105 | 5,9 | Medium | 6/7/8 | 2.0-beta9 | 2.16.0, excluding 2.12.3 | 2.3.1/2.12.3/2.17.0 | | | - | CVE-2020-9488 | 3,7 | Low | 7/8 | 2.0-alpha1 | 2.13.1 | 2.12.3/2.13.2 | |
opened by trust1345 29

Releases(v1.22)

v1.22(Feb 23, 2022)
Version 1.22-20220222

Added: Reading library version and name (log4j, log4j-core, reload4j) from MANIFEST.MF as well as from pom.properties

Performance improvements by additional 15%

Added: Autodetecting all local drives in mswin with all parameter

Added: --no-csv-header to omit csv header to allow easier merging of results from multiple hosts

Added: Detecting CVE-2017-5645 (9.8), CVE-2019-17571 (9.8), CVE-2022-23307 (8.1), CVE-2022-23305 (9.8), CVE-2022-23305 (9.8), CVE-2022-23302 (8.1), improved detection of CVE-2017-5645

Added: --threads parameter to manually tune number of scanning threads

Added: --cvs-clean parameter in order to write "CLEAN" line to csv output in case no log4j library detected

Added: --cvs-stats parameter in order to write "STATS" line to csv output with runtime in seconds and number of files and folders scanned

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64(6.60 MB)
test_log4shell-mswin32.exe(5.90 MB)
test_log4shell-mswin64.exe(7.46 MB)
v1.21(Jan 9, 2022)
Version 1.21-20220109

Fixed bug: --fix command in version 1.19 and 1.20 could corrupt .jar archives.

Performance improvement via multithreaded scanning

Fixed searching within extracted log4j folders on Windows

Removed mmap access due to incompatibility with Windows.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.18(Jan 7, 2022)
Version 1.18-20220107

Code readability and performance improvements

Added parameter --file-log [LOGFILE] to enable logging to log file, default is log4shell-finder.log.

Added parameter --progress [SEC] to enable progress reporting every SEC seconds, default is 10 seconds.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
1.17(Jan 5, 2022)
Version 1.17-20220105

Reworked status reporting, now listing all CVEs relevant for specific version of log4j.

Added --no-error to suppress file system error messages (e.g. Access Denied, corrupted zip archive).

Suppressed STRANGE status reporting by default - STRANGE are mainly source packages, that do not contain class binaries.

Added --strange to report also STRANGE instances.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.16(Dec 30, 2021)
Version 1.16

Fixed detection of 2.12.3 extracted

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.15(Dec 30, 2021)
Version 1.15

Added support for versions 2.3.2, 2.12.4 and 2.17.1

Reporting actual CVEs instead of VULNERABLE or NOTOKAY status

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.13(Dec 28, 2021)
Version 1.13

Do not use version 1.11 and 1.12. They may corrupt .jar archives with --fix command

Added additional possible "JAR" file extensions.

Fixed bug: --fix command could corrupt .jar archives.

minor fix: status for 2.12.2 as NOTOKAY

added --fix parameter with attempt to fix the vulnerability by renaming JndiLookup.class to JndiLookup.vulne. At the moment it can handle .class files on disk and within 1st level archives. Class cannot be renamed in archives imbedded in other archives (nested).

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.10(Dec 22, 2021)
Version 1.10-20211222

added detection of 2.12.3 and 2.3.1

added option to disable default logging to file --no-file-log

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.8(Dec 22, 2021)
added host information to the json file

possibility to save output to csv with --csv-out

if you omit file names for --json-out or --csv-out then the file name has a form: hostname_ipaddress.<csv|json>

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.6(Dec 21, 2021)
Version 1.6-20211221

added checks for JMSAppender.class within v1.x version

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.5(Dec 20, 2021)
Version 1.5-20211220

bugfix for --exlude-dirs

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.4(Dec 20, 2021)
Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.

findings can be saved in json format with --json-out <filename>

skip folder with --exclude-dirs DIR [DIR ...] parameter

use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Source code(tar.gz)
Source code(zip)
test_log4shel-mswin64l.zip(7.17 MB)
test_log4shell-linux64.zip(6.51 MB)
v1.3(Dec 19, 2021)

Version 1.3 - handle elastic packages with shaded class names.
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin64.zip(7.15 MB)
v1.2(Dec 19, 2021)
Version 1.2-20211219

now extracting exact version from pom.properties for jar/war.. packages.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)
1.1(Dec 19, 2021)

Version 1.1
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)

Owner

Hynek Petrak

GitHub Repository

Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

0 Feb 07, 2022

Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.

RouterOS Scanner Forensics tool for Mikrotik devices. Search for suspicious properties and weak security points that need to be fixed on the router. T

823 Dec 21, 2022

Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

jolokia-exploitation-toolkit Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints. Core concept Jolokia is a protocol br

194 Jan 01, 2023

Cobalt Strike Beacon configuration extractor and parser.

Cobalt Strike Configuration Extractor and Parser Overview Pure Python library and set of scripts to extract and parse configurations (configs) from Co

102 Dec 18, 2022

Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

9 Nov 26, 2022

AMC- Automatic Media Access Control [MAC] Address Spoofing Tool

AMC (Automatic Media Access Control [MAC] Address Spoofing tool), helps you to protect your real network hardware identity. Each entered time interval your hardware address was changed automatically.

14 Dec 23, 2022

pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

pybotnet A Python Library for building botnet , trojan or backdoor for windows and linux with Telegram control panel Disclaimer: Please note that this

181 Jan 02, 2023

A Simple File Encryptor/Decryptor

Ec: A Simple File Encryptor/Decryptor This has been made for educational reasons only, any constructive criticism/advice/comments are welcome! Also, p

1 Dec 10, 2021

Simple script for looping a Denial Of Service (DoS) attack over one single mac address in range

Bluetooth Simple Denial Of Service (DoS) Legal Note This project is made only for educational purposes and for helping in Proofs of Concept. The autho

1 Jan 09, 2022

Fast and easy way to rollout on multiple GitLab project file a particular content.

Volatile Fast and easy way to rollout on multiple GitLab project file a particular content. Why ? After looking for a tool to simply enforce a develop

4 Jan 17, 2022

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

39 Dec 10, 2022

Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Automated tool to exploit basic buffer overflow (remotely or locally) & (x32 or x64)

5 Oct 09, 2022

macOS persistence tool

PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cy

212 Dec 29, 2022

Trustme: #1 quality TLS certs while you wait

trustme: #1 quality TLS certs while you wait You wrote a cool network client or server. It encrypts connections using TLS. Your test suite needs to ma

479 Dec 27, 2022

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

20 Nov 11, 2022

Ethereum transaction decoder (community version).

EthTx Community Edition Community version of EthTx transaction decoder Local environment For local instance, you need few things: Depending on your di

240 Dec 21, 2022

This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

30 Nov 22, 2022

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you.

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you. Although it may not work with high degrees of obfuscation, it's a pretty nice tool to help you even if it's j

3 May 01, 2022

A small POC plugin for launching dumpulator emulation within IDA, passing it addresses from your IDA view using the context menu.

Dumpulator-IDA Currently proof-of-concept This project is a small POC plugin for launching dumpulator emulation within IDA, passing it addresses from

9 Sep 21, 2022

Virus-Builder - This tool will generate a virus that can only destroy Windows computer

Virus-Builder - This tool will generate a virus that can only destroy Windows computer. You can also configure to auto run in usb drive

16 Dec 30, 2022

Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Related tags

Overview

log4shell_finder

Changelog

Version 1.6-20211221

Version 1.5-20211220

Version 1.4-20211220

Version 1.3-20211219

Version 1.2-20211219

Usage

Compile binaries

Sample run

Comments

Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Releases(v1.22)

v1.22(Feb 23, 2022)

v1.21(Jan 9, 2022)

v1.18(Jan 7, 2022)

1.17(Jan 5, 2022)

v1.16(Dec 30, 2021)

v1.15(Dec 30, 2021)

v1.13(Dec 28, 2021)

v1.10(Dec 22, 2021)

v1.8(Dec 22, 2021)

v1.6(Dec 21, 2021)

v1.5(Dec 20, 2021)

v1.4(Dec 20, 2021)

v1.3(Dec 19, 2021)

v1.2(Dec 19, 2021)

1.1(Dec 19, 2021)