Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Last update: Jan 04, 2023

Overview

log4shell_finder

Detects Log4J versions on your file-system within any application that are vulnerable to CVE-2021-44228 and CVE-2021-45046. It is able to even find instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Python runs, too!

Currently reports log4j-core versions 2.12.2 and 2.17.0 as SAFE, 2.16.0 as NOTOKAY and all other versions as VULNERABLE (although it does report pre-2.0-beta9 as "MAYBESAFE").

log4j v1.x may appear in the log either as OLDUNSAFE or OLDSAFE depending on presence of JMSAppender.class.

Can correctly detect log4j inside executable spring-boot jars/wars, dependencies blended into uber jars, shaded jars, and even exploded jar files just sitting uncompressed on the file-system (aka *.class).

It can also handle shaded class files - extensions .esclazz (elastic) and .classdata (Azure).

Changelog

Version 1.6-20211221

added checks for JMSAppender.class within log4j v1.x instances

Version 1.5-20211220

fixed bug where --exclude-dirs skipped the given directory, but not it's subdirectories

Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.
findings can be saved in json format with --json-out <filename>
skip folder with --exclude-dirs DIR [DIR ...] parameter
use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Version 1.3-20211219

handle elastic's SHADED_CLASS_EXTENSION ".esclazz"

Version 1.2-20211219

get exact log4j version from pom.properties

Usage

Either run from a python interpreter or use the Windows/Linux binaries from the dist folder.

# ./test_log4shell.py --help
usage:  Type "test_log4shell.py --help" for more information
        On Windows "test_log4shell.py c:\ d:\"
        On Linux "test_log4shell.py /"

Searches file system for vulnerable log4j version.

positional arguments:
  folders               List of folders or files to scan. Use "-" to read list of files from stdin.

optional arguments:
  -h, --help            show this help message and exit
  --exclude-dirs DIR [DIR ...]
                        Don't search directories containing these strings (multiple supported)
  --same-fs             Don't scan mounted volumens.
  --json-out [FILENAME]
                        Save results to json file.
  -d, --debug           Increase verbosity, mainly for debugging purposes.

Does not require any extra python libraries.

Compile binaries

The binaries were produces with:

pip install pyinstaller
pyinstaller -F ./test_log4shell.py

Sample run

# ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,373] [INFO] [I] Starting ./test_log4shell.py ver. 1.6-20211220
[2021-12-21 11:16:43,408] [INFO] [I] Parameters: ./test_log4shell.py ../war/ --exclude-dirs /mnt --same-fs
[2021-12-21 11:16:43,416] [INFO] [I] 'hostname': '<redacted>', 'fqdn': '<redacted>', 'ip': '<redacted>', 'system': 'Linux', 'release': '5.4.0-58-generic', 'version': '#64-Ubuntu SMP Wed Dec 9 08:16:25 UTC 2020', 'machine': 'x86_64', 'cpu': 'x86_64'
[2021-12-21 11:16:43,416] [INFO] [I] Analyzing paths (could take a long time).
[2021-12-21 11:16:43,776] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-java-aws-lambda-layer-1.28.1.zip:elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,850] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/elastic-apm-agent-1.28.1.jar contains Log4J-2.12.1 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:43,916] [INFO] [+] [VULNERABLE] Package /home/hynek/war/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:44,288] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:44,335] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,557] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin.zip:apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:44,659] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,664] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,668] [INFO] [*] [MAYBESAFE] Package /home/hynek/war/log4j-samples/old-hits/log4j-core-2.0-beta2.jar contains Log4J-2.0-beta2 <= 2.0-beta8 (JndiLookup.class not present)
[2021-12-21 11:16:44,670] [INFO] [+] [OLDUNSAFE] Folder /home/hynek/war/log4j-samples/old-hits/log4j-1.2.17/org/apache/log4j contains Log4J-1.x <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:44,694] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.15.0.jar contains Log4J-2.15.0 == 2.15.0
[2021-12-21 11:16:44,706] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.9.1.jar contains Log4J-2.9.1 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,718] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.zip contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,725] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.0-beta9.jar contains Log4J-2.0-beta9 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,737] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:44,818] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/uber/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.5 >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:44,966] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/uber/expanded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.0-beta9 (< 2.10.0)
[2021-12-21 11:16:45,094] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/shaded/clt-1.0-SNAPSHOT.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:45,108] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/shaded/expanded/clt/shaded/l/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:45,150] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/log4j-samples/true-hits/exploded/2.12.1/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:46,054] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.zip:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:47,528] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.jar:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:48,999] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.ear:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:50,449] [INFO] [+] [VULNERABLE] Package /home/hynek/war/log4j-samples/true-hits/springboot-executable/spiff-0.0.1-SNAPSHOT.war:WEB-INF/lib/log4j-core-2.10.0.jar contains Log4J-2.10.0 >= 2.10.0
[2021-12-21 11:16:51,044] [INFO] [+] [NOTOKAY] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.16.0.jar contains Log4J-2.16.0 == 2.16.0
[2021-12-21 11:16:51,058] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/log4j-core-2.12.2.jar contains Log4J-2.12.2 == 2.12.2
[2021-12-21 11:16:51,223] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,266] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,477] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin.zip:apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,658] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-tests.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,681] [INFO] [-] [SAFE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar contains Log4J-2.17.0 >= 2.17.0
[2021-12-21 11:16:51,691] [INFO] [*] [STRANGE] Package /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/log4j-core-2.17.0-sources.jar contains pom.properties for Log4J-2.17.0, but classes missing
[2021-12-21 11:16:51,702] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/apache-log4j-2.17.0-bin/exploded/org/apache/logging/log4j/core contains Log4J-2.x >= 2.17.0
[2021-12-21 11:16:51,747] [INFO] [-] [SAFE] Folder /home/hynek/war/log4j-samples/false-hits/exploded/2.12.2/org/apache/logging/log4j/core contains Log4J-2.x == 2.12.2
[2021-12-21 11:16:51,813] [INFO] [+] [VULNERABLE] Package /home/hynek/war/BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:51,916] [INFO] [+] [VULNERABLE] Folder /home/hynek/war/BOOT-INF/lib/org/apache/logging/log4j/core contains Log4J-2.x >= 2.10.0
[2021-12-21 11:16:52,013] [INFO] [+] [VULNERABLE] Package /home/hynek/war/app/spring-boot-application.jar:BOOT-INF/lib/log4j-core-2.14.1.jar contains Log4J-2.14.1 >= 2.10.0
[2021-12-21 11:16:52,478] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-tests.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,507] [INFO] [+] [VULNERABLE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0.jar contains Log4J-2.14.0 >= 2.10.0
[2021-12-21 11:16:52,530] [INFO] [*] [STRANGE] Package /home/hynek/war/apache-log4j-2.14.0-bin/log4j-core-2.14.0-sources.jar contains pom.properties for Log4J-2.14.0, but classes missing
[2021-12-21 11:16:52,555] [INFO] [+] [OLDUNSAFE] Package /home/hynek/war/HelloLogging/target/whoiscrawler/WEB-INF/lib/log4j-1.2.17.jar contains Log4J-1.2.17 <= 1.2.17, JMSAppender.class found
[2021-12-21 11:16:52,556] [INFO] [I] Finished, found 18 vulnerable or unsafe log4j instances.

Comments

Several improvements to the scanner
Thanks for the scanner, it's great. As part of our use, we have made a few minor improvements to it, maybe they will be useful to everyone.

CVSS score change according to nvd.nist.gov

UTF8 patch, fixes problems on Windows systems with a non-UTF 8 locale installed in path

all new argument, for windows version (close to similar --same-fs on Linux) remove header to --cvs-out, it is not needed when you do multiple system scans, and then combine the file into one. For example, running on a host group (Windows) from a network drive with the parameter log4shell.exe all --csv-out and after scanning the collection to 1 report type *.csv > all.csv (for Windows) cat .csv > all.csv(for Linux)

some changes to cvs output, it becomes more convenient log4shell_1.22.2.6.zip
opened by trust1345 8
Doesn't scale well to multiple CPU cores
I've been running this on our AMD Threadripper 2990WX machine and since it took more than 5 minutes, I started to investigate why.

It looks like the disk is bored and only one CPU core is loaded with 100%, all other cores are also idling.

I didn't have a look at the source code but maybe a two-pass approach might speed things up:

Build a list of all files to be scanned. This probably cannot be parallelized much

Go through the list in several threads so it's not just one CPU core doing all the work
opened by jachstet-sea 5
Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this.

Thanks for implementing --csv-stats. It works a little differently than I expected. Is it possible to correct this. I liked the proposed implementation. 1 separate row for each host, instead of adding statistics to each row by adding extra columns (when the --csv-stats argument is specified). This approach is better than I originally suggested.

launched on https://github.com/HynekPetrak/log4shell-finder/commit/75cb4f129110f5da8e8132698ed2b52ad34c405c test_log4shell_1.2120220126.py all --csv-out --no-csv-header --no-error --csv-clean --csv-stats output2.csv output1.csv

Proposed format output1-expected.csv output2-expected.csv Also in the proposed output, I propose to slightly change the output of --csv-clean, for unification

thank you in advance.

opened by trust1345 4
Windows: "all" argument to scan all local drives doesn't work on pre-build binary

Hi,

I tried the pre-build windows binary from the dist Folder and realized that the all option to scan all local drives (https://github.com/HynekPetrak/log4shell-finder/commit/a5cfac0a1fd5678a8c144e59d0e862d274d08965) doesn't work, no drives where found, so nothing was scanned until I had to defined c:\ d:\ instead.

I tried to build the binary on my own with pyinstaller and was running into the same issue, by checking the code I assumed that there might be a problem with the win32api and win32file import so drives will become none.

At least for me it was necessary to run pyinstaller --hidden-import win32api --hidden-import win32file -F ./test_log4shell.py to enforce that those modules will be included in the binary. Afterwards the all option was working as expected, every available drives was found and scanned.

Cheers Dominik

opened by wombelix 3
CVE-2022-23307 (chainsaw) detection shouldn't depend on CVE-2022-23302 (jmssink)?

Hi,

the detection for CVE-2022-23307 was introduced in commit https://github.com/HynekPetrak/log4shell-finder/commit/b271f275547f2879ca21e57c38150c1fb1bf2c92 and later changed in commit https://github.com/HynekPetrak/log4shell-finder/commit/b04487e92dd361a9cbc98350f42878e884b2c735.

In the first commit, there was no dependency to any other CVE, in the second one the dependency to JMSSINK was added. As far I understand CVE-2022-23307 and based on my tests, this change / dependency avoids the detection in most cases and therefore should be reverted to the initial state?

Cheers Dominik

opened by wombelix 3
Please add support argument, for line in the csv report when nothing is found on host

1 line from the host with the verdict for example CLEAN. It will help for mass rolling scanning of hosts to have also a list of scanned hosts.

"2022-01-25 00:00:00","1.2120220125","192.192.192.192","localhost.localdomain","Linux","6.x86_64","x86_64","Package","CLEAN","","",""

opened by trust1345 3
Automatic generation of the output file name using the hostname_ip.csv template

FR For mass scanning of a host group by a scanner, it would be great if the name of the output file (when using some key) was generated automatically using the hostname_ip.csv template. This will allow you to collect all the received files into one directory (without thinking about the coincidence of file names) and executing, for example cat ./*.csv > report_all.csv to get a general report.

Thanks for the scanner.

opened by trust1345 3
FR add CSV output for massive scan

FR IIt would be great if there was a -c (csv output) option so that you could wrap the scanner in ansible wrapper and use it on a group of machines. Earlier we wrapped the scanner https://github.com/mergebase/log4j-detector but it doesn't keep up with updates a bit and runs slower (there are also problems with memory consumption). As a result, looks like this. This output is quite convenient for fast processing of a large group of hosts. I have attached an example file. In the attached file, the separator is "@", but you can use for example "," role1.4-output.csv

PS. I think it would also be a good idea to make an exception on all Linux hosts /proc by default, this will reduce the speed of scanning (and accessing swap, when touching /proc), but will not worsen its results.

Thanks for the scanner, it's the best.

opened by trust1345 3
Single binary for windows

For all versions of windows, you can make one common binary file. All versions of windows contain 32 subsystems, so such a binary file will work on all Windows systems.

In order to support all versions of windows from windows 7, you need to use version 3.7.9 to build with pyinstaller

opened by trust1345 2
Please add an argument, that will add to each line of the csv output ( --csv-out ) additional information

Please add an argument, that will add to each line of the csv output ( --csv-out ) information about the passed path argument, when the scanner starts, exclude path, and the time spent on scanning the host (even when the verdict is CLEAN), total scanned files and folders.

This information will be useful for analyzing the scanner's work statistics.

Example in attach. localhost_10.10.10.10.csv

opened by trust1345 1
Please add verdict for Log4J-1.1.1

When the scanner finds Log4J-1.1.1 the verdict turns out to be just an empty space. I think that you need to add a status that would indicate in such cases the need for manual verification, for example manual or add an existing CVE.

2019-06-19 10:10:10 1.2120220117 333.333.333.333 server.com Windows 2022 AMD64 Package ...\lib\log4j-core.jar contains Log4J-1.1.1 <= 1.2.17, JMSAppender.class not found 1.1.1

opened by trust1345 1

Skip reparse points on Windows

import ctypes
def isLink(path):
    if os.path.exists(path):
        if os.path.isdir(path):
            FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
            attributes = ctypes.windll.kernel32.GetFileAttributesW(unicode(path))
            return (attributes & FILE_ATTRIBUTE_REPARSE_POINT) > 0
    return False

opened by HynekPetrak 0

Current scaner binary builds, using pyinstaller
Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Windows 32 bit version, should work on all versions of Windows OS (32-bit and 64-bit) both client and server, starting from w7 and above

Linux 32 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

Linux 64 bit version, (one binary file, does not require python to run) but there is a dependency on the glibc version on the system.

It may be useful to anyone.

Windows run example: test_log4shell_1.2120220209.exe all --csv-out --no-csv-header --csv-clean

Linux 32 bit run example: test_log4shell_1.2120220209.bin32 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

Linux 64 bit run example: test_log4shell_1.2120220209.bin64 / --exclude-dirs /proc --csv-out --no-csv-header --csv-clean

After the work is completed, a short-hostname_ip.csv file with the scan results will appear in the directory from which the file was run.

test_log4shell_1.2120220209_32.zip test_log4shell_1.2120220209_64.zip test_log4shell_1.2120220209_exe.zip
opened by trust1345 0
Please add support 3 CVE (log4j)
CVE-2017-5645

CVE-2021-42550

CVE-2020-9488

It is especially important to detect CVE-2021-42550

Maybe in the documentation (readme) such a table will be useful

| Detect | CVE | CVSSv3 | Severity | java | lib from | lib to | lib fix | | | :----- | :------------- | :----- | :------- | :---- | :--------- | :----------------------------- | :------------------ | :-- | | x | CVE-2021-44228 | 10,0 | Critical | 8 | 2.0-beta9 | 2.14.1 | 2.15.0 | | | - | CVE-2017-5645 | 9,8 | Critical | 7 | 2.0-alpha1 | 2.8.1 | 2.8.2 | | | x | CVE-2021-45046 | 9,0 | Critical | 7/8 | 2.0-beta9 | 2.15.0 excluding 2.12.2 | 2.12.2/2.16.0 | | | x | CVE-2021-4104 | 7,5 | High | - | 1.0 | 1.x | nofix | | | x | CVE-2021-44832 | 6,6 | Medium | 6/7/8 | 2.0-alpha7 | 2.17.0, excluding 2.3.2/2.12.4 | 2.3.2/2.12.4/2.17.1 | | | - | CVE-2021-42550 | 6,6 | Medium | - | 1.0 | 1.2.7 | 1.2.8 | | | x | CVE-2021-45105 | 5,9 | Medium | 6/7/8 | 2.0-beta9 | 2.16.0, excluding 2.12.3 | 2.3.1/2.12.3/2.17.0 | | | - | CVE-2020-9488 | 3,7 | Low | 7/8 | 2.0-alpha1 | 2.13.1 | 2.12.3/2.13.2 | |
opened by trust1345 29

Releases(v1.22)

v1.22(Feb 23, 2022)
Version 1.22-20220222

Added: Reading library version and name (log4j, log4j-core, reload4j) from MANIFEST.MF as well as from pom.properties

Performance improvements by additional 15%

Added: Autodetecting all local drives in mswin with all parameter

Added: --no-csv-header to omit csv header to allow easier merging of results from multiple hosts

Added: Detecting CVE-2017-5645 (9.8), CVE-2019-17571 (9.8), CVE-2022-23307 (8.1), CVE-2022-23305 (9.8), CVE-2022-23305 (9.8), CVE-2022-23302 (8.1), improved detection of CVE-2017-5645

Added: --threads parameter to manually tune number of scanning threads

Added: --cvs-clean parameter in order to write "CLEAN" line to csv output in case no log4j library detected

Added: --cvs-stats parameter in order to write "STATS" line to csv output with runtime in seconds and number of files and folders scanned

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64(6.60 MB)
test_log4shell-mswin32.exe(5.90 MB)
test_log4shell-mswin64.exe(7.46 MB)
v1.21(Jan 9, 2022)
Version 1.21-20220109

Fixed bug: --fix command in version 1.19 and 1.20 could corrupt .jar archives.

Performance improvement via multithreaded scanning

Fixed searching within extracted log4j folders on Windows

Removed mmap access due to incompatibility with Windows.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.18(Jan 7, 2022)
Version 1.18-20220107

Code readability and performance improvements

Added parameter --file-log [LOGFILE] to enable logging to log file, default is log4shell-finder.log.

Added parameter --progress [SEC] to enable progress reporting every SEC seconds, default is 10 seconds.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin32.zip(5.63 MB)
test_log4shell-mswin64.zip(7.17 MB)
1.17(Jan 5, 2022)
Version 1.17-20220105

Reworked status reporting, now listing all CVEs relevant for specific version of log4j.

Added --no-error to suppress file system error messages (e.g. Access Denied, corrupted zip archive).

Suppressed STRANGE status reporting by default - STRANGE are mainly source packages, that do not contain class binaries.

Added --strange to report also STRANGE instances.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.16(Dec 30, 2021)
Version 1.16

Fixed detection of 2.12.3 extracted

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.15(Dec 30, 2021)
Version 1.15

Added support for versions 2.3.2, 2.12.4 and 2.17.1

Reporting actual CVEs instead of VULNERABLE or NOTOKAY status

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.13(Dec 28, 2021)
Version 1.13

Do not use version 1.11 and 1.12. They may corrupt .jar archives with --fix command

Added additional possible "JAR" file extensions.

Fixed bug: --fix command could corrupt .jar archives.

minor fix: status for 2.12.2 as NOTOKAY

added --fix parameter with attempt to fix the vulnerability by renaming JndiLookup.class to JndiLookup.vulne. At the moment it can handle .class files on disk and within 1st level archives. Class cannot be renamed in archives imbedded in other archives (nested).

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.10(Dec 22, 2021)
Version 1.10-20211222

added detection of 2.12.3 and 2.3.1

added option to disable default logging to file --no-file-log

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.8(Dec 22, 2021)
added host information to the json file

possibility to save output to csv with --csv-out

if you omit file names for --json-out or --csv-out then the file name has a form: hostname_ipaddress.<csv|json>

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.6(Dec 21, 2021)
Version 1.6-20211221

added checks for JMSAppender.class within v1.x version

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.5(Dec 20, 2021)
Version 1.5-20211220

bugfix for --exlude-dirs

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.51 MB)
test_log4shell-mswin64.zip(7.17 MB)
v1.4(Dec 20, 2021)
Version 1.4-20211220

added option --same-fs to skip mounted volumes while scanning.

findings can be saved in json format with --json-out <filename>

skip folder with --exclude-dirs DIR [DIR ...] parameter

use - as folder name to source folder names from stdin, e.g. echo "/home" | test_log4shell.py -

Source code(tar.gz)
Source code(zip)
test_log4shel-mswin64l.zip(7.17 MB)
test_log4shell-linux64.zip(6.51 MB)
v1.3(Dec 19, 2021)

Version 1.3 - handle elastic packages with shaded class names.
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin64.zip(7.15 MB)
v1.2(Dec 19, 2021)
Version 1.2-20211219

now extracting exact version from pom.properties for jar/war.. packages.

Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)
1.1(Dec 19, 2021)

Version 1.1
Source code(tar.gz)
Source code(zip)
test_log4shell-linux64.zip(6.46 MB)
test_log4shell-mswin.zip(7.15 MB)

Owner

Hynek Petrak

GitHub Repository

A GitHub action for organizations that enables advanced security code scanning on all new repos

Advanced-Security-Enforcer What this repository does This code is for an active GitHub Action written in Python to check (on a schedule) for new repos

30 May 17, 2022

PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

PwdGen ( Password Generator ) is a Python Tkinter tool for generating secure 16 digit passwords. Installation Simply install requirements pip install

7 Jul 14, 2022

Implementation of an attack on a tropical algebra discrete logarithm based protocol

Implementation of an attack on a tropical algebra discrete logarithm based protocol This code implements the attack detailed in the paper: On the trop

3 Dec 30, 2021

Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)

Spring Cloud Gateway 3.0.7 & 3.1.1 Code Injection (RCE) CVE: CVE-2022-22947 CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947)

35 Dec 28, 2022

ClusterFuzz is a scalable fuzzing infrastructure that finds security and stability issues in software.

ClusterFuzz ClusterFuzz is a scalable fuzzing infrastructure that finds security and stability issues in software. Google uses ClusterFuzz to fuzz all

4.9k Jan 08, 2023

Python Password Generator

This is a console-based version of a password generator written with Python. The program generates a password based on numbers of letters, numbers, and symbols specified by the user. This is a simple

1 Jan 24, 2022

一款Web在线自动免杀工具

一款利用加载器以及Python反序列化绕过AV的在线免杀工具因为打包方式的局限性，不能跨平台，若要生成exe格式的只能在Windows下运行本项目打包速度有点慢，提交后稍等一会开发环境及运行前端使用Bootstrap框架，后端使用Django框架。

172 Nov 28, 2022

ProxyLogon Pre-Auth SSRF To Arbitrary File Write

ProxyLogon Pre-Auth SSRF To Arbitrary File Write For Education and Research Usage: C:\python proxylogon.py mail.evil.corp lulz 117 Nov 28, 2022

Guess the password for Tik Tok accounts

Guess the password for Tik Tok accounts Tool features : You don't need proxies There is no captcha Running on a private api Combo T

32 Dec 25, 2022

A python package with tools to read and postprocess the output of the channel DNS-solver (davecats/channel), as well as its associated postprocessing tools.

Python tools for davecats/channel A python package with tools to read and postprocess the output of the channel dns solver, as well as its associated

1 Dec 13, 2021

Subdomain enumeration,Web scraping and finding usernames automation script written in python

12 Nov 22, 2022

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

3.5k Jan 09, 2023

A burp-suite plugin that extract all parameter names from in-scope requests

ParamsExtractor A burp-suite plugin that extract all parameters name from in-scope requests. You can run the plugin while you are working on the targe

29 Nov 09, 2022

An IDA pro python script to decrypt Qbot malware string

Qbot-Strings-Decrypter An IDA pro python script to decrypt Qbot malware strings.

6 Sep 01, 2022

Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers

Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers New Update : adding 'on-review' tag on an issue

13 Sep 19, 2021

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

webapp-wordlists This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version co

396 Jan 08, 2023

Script hecho en python para sacar la informacion del numero de telefono, Hecha con el API de numverify

5 Dec 03, 2022

An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several useful utilites to change the configuration of the device.

TMOHS1 Root Utility Description An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several

40 Dec 29, 2022

OpenPort scanner GUI tool (CNMAP)

CNMAP-GUI- OpenPort scanner GUI tool (CNMAP) as you know it is the advanced tool to find open port, firewalls and we also added here heartbleed scanni

9 Mar 05, 2022

Make files with as many random bytes as you want

Lots o' Bytes 🔣 Make files with as many random bytes as you want! Use case Can be used to package malware that is normally small by making the downlo

1 Jan 13, 2022

Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Related tags

Overview

log4shell_finder

Changelog

Version 1.6-20211221

Version 1.5-20211220

Version 1.4-20211220

Version 1.3-20211219

Version 1.2-20211219

Usage

Compile binaries

Sample run

Comments

Built a scanner of the current version (1c14e73) using pyInstaller (one binary file, does not require python to run)

Releases(v1.22)

v1.22(Feb 23, 2022)

v1.21(Jan 9, 2022)

v1.18(Jan 7, 2022)

1.17(Jan 5, 2022)

v1.16(Dec 30, 2021)

v1.15(Dec 30, 2021)

v1.13(Dec 28, 2021)

v1.10(Dec 22, 2021)

v1.8(Dec 22, 2021)

v1.6(Dec 21, 2021)

v1.5(Dec 20, 2021)

v1.4(Dec 20, 2021)

v1.3(Dec 19, 2021)

v1.2(Dec 19, 2021)

1.1(Dec 19, 2021)