Looking to somehow run this EXE on all our Windows systems remotely and then somehow aggregate all the results and parse looking for findings.. Any work on possibly implementing this? Thanks for all the hard work!

Your doco says python 3.6+ but you're using zipfile.Path that wasn't introduced until 3.8. Just FYI. So this can't be used on any RHEL boxes without custom python installs.

Hi,

One of my servers spits out an error. I've replaced the servername and username.

My first wild guess is that the path is too long and the application can't handle that. But that's just a wild guess on the first glance at the path. Do note that the broken lines is copied as-is from the output I got.

Traceback (most recent call last):
    + CategoryInfo          : NotSpecified: (Traceback (most recent call last)::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : _<servername>_
Traceback (most recent call last):
    + CategoryInfo          : NotSpecified: (Traceback (most recent call last)::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : _<servername>_

  File "log4j-finder.py", line 298, in <module>
  File "log4j-finder.py", line 298, in <module>

  File "log4j-finder.py", line 264, in main
  File "log4j-finder.py", line 264, in main

  File "pathlib.py", line 1193, in open
  File "pathlib.py", line 1193, in open

  File "pathlib.py", line 1046, in _opener
  File "pathlib.py", line 1046, in _opener

FileNotFoundError
FileNotFoundError
:
:
[Errno 2] No such file or directory: 'C:\\Documents and Settings\\_<username>_\\AppData\\Local\\Application Data\\Application
 Data\\Application Data\\Application Data\\Application Data\\Application Data\\Application Data\\Application Data\\Appli
cation Data\\Temp\\tmphc250ssu\\org\\apache\\logging\\log4j\\core\\net\\JndiManager.class'
[Errno 2] No such file or directory: 'C:\\Documents and Settings\\_<username>_\\AppData\\Local\\Application Data\\Application Data\\Application Data\\Application Data\\App
lication Data\\Application Data\\Application Data\\Application Data\\Application Data\\Temp\\tmphc250ssu\\org\\apache\\logging\\log4j\\core\\net\\JndiManager.class'
NotSpecified: (:) [], RemoteException
NotSpecified: (:) [], RemoteException
[
[
3189
3189
7
7
2] Failed
2] Failed
NotSpecified: (:) [], RemoteException
NotSpecified: (:) [], RemoteException
to execute
to execute
NotSpecified: (:) [], RemoteException
NotSpecified: (:) [], RemoteException
script l
script l
o
o
g4j-finder
g4j-finder

• WHAT ? One-liner output for each discovered log4j-core-2.x.jar file.

[[email protected] log4j-finder]$ sudo ./dist/log4j-finder -bq  /tmp
$HOSTNAME [shorter timestamp ] VULNERABLE: /tmp/apache-log4j-2.8-bin/log4j-core-2.8.jar -> org/apache/logging/log4j/core/net/JndiManager.class [415c13e7c8505fb056d540eac29b72fa: log4j 2.7 - 2.8.1]
[[email protected] log4j-finder]$

• WHY ? So that it is better used with CM tool like saltstack/ansible tools. -b option to exclude banner is still too much verbose for me.

[[email protected] log4j-finder]$ sudo ./dist/log4j-finder -bq  /tmp
usage: log4j-finder [-h] [-v] [-n] [-b] [PATH ...]
log4j-finder: error: argument -b/--no-banner: ignored explicit argument 'q'
[[email protected] log4j-finder]$ sudo ./dist/log4j-finder -b  /tmp
[2021-12-16 20:55:05.573146] Scanning: /tmp
[2021-12-16 20:55:05.596662] VULNERABLE: /tmp/apache-log4j-2.8-bin/log4j-core-2.8.jar -> org/apache/logging/log4j/core/net/JndiManager.class [415c13e7c8505fb056d540eac29b72fa: log4j 2.7 - 2.8.1]
[2021-12-16 20:55:05.679576] Finished scan, elapsed time: 0.11 seconds

Summary:
 Processed 291 files and 23 directories
 Scanned 44 files
  Found 1 vulnerable files

Elapsed time: 0.11 seconds
[[email protected] log4j-finder]$

Kaspersky Anti-Virus found this on .exe file

Type: Cheval de Troie Nom: Trojan-Downloader.Win32.Bitser.cue Exactitude: Exactement Niveau de menace: Élevé Type d'objet: Fichier Nom de l'objet: log4j-finder.exe Chemin de l'objet: *********** MD5: 0E08555A17CA3E08D02DBD4CFB87C1AA Raison: Consigné dans le rapport

Kind regards. Jipi69

I think the documentation should explicitly mention that only JAR, EAR and WAR files are scanned.

For example, often a rolled out software comes in the form of a ZIP file or RAR, TAR, TAR.GZ (TGZ), TAR.BZ2 or platform-specific files types like an extractable EXE or MSI files.

Other programming languages use ZIP the file format but with a different suffix as an archive format as well, e.g. Python uses the WHL suffix.

Such archive files might contain Java classes as well, probably wrapped in *.JAR archives inside the outer archive.

These file types will not be scanned and I think this should be mentioned.

Hello Team,

Thanks for developing this tool. I was trying to run it on my PC(windows), just installed python and ran it as explained by you, however, I am seeing a lot of access denied(even after opening cmd as admin and running if from there).

Is there a way to give it privilges?

@yunzheng : you use standard path libraries for the lookups of files in zip files: this approach is incorrect.

On windows the Exception will always be hit becasue the path for lookup of the class gets passed in the wrong format:

'org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class'

rather than

'org/apache/logging/log4j/core/lookup/JndiLookup.class'

And since you have defaulted to setting has_lookup = False, VULNERABLE jars are being labeled PATCHED.

This is very bad if people using windows are to rely on your tool...

The behavior is inconsistent across your codebase... this is OK:

Furtheron it is not OK:

Following the official Apache Log4j 2.x mitigation regarding the removal of JndiLookup class, these JAR files will now show up as PATCHED.

More info regarding the removing of JndiLookup.class is described here: https://logging.apache.org/log4j/2.x/security.html

Reverts fox-it/log4j-finder#36

The old behaviour was actually correct, when there is a KeyError, it means no JndiLookup.class file is found. However the KeyError was also triggered due to non posix paths on Windows, that is now fixed in #37.

Because when created with 3.9 or 3.10 the binary will not work, and result in "api-ms-win-core-path-l1-1-0.dll is missing"

It says so on the download page of python.org, but it can't hurt to mention it.

(lower is obviously also possible, but 3.8.10 is easiest to use in this case)

Hello,

Thank you so much for providing the python script and binary. Are you able to release a new binary and signed version since the log4j version 2.17.1 is not recognized as clean ?

Thank you !

… in addition to stdout. Added option to then view stored results displaying saved color highlighting.

In other words not only are results displayed on the screen (stdout) in real time but are also saved in a file that can be viewed later with the same color highlighting. This is especially useful on Windows since piping to something like Tee loses color highlighting.

Quick + dirty multi-pass scan feature

• added multi-pass flag (skips zip files)
• added input flag (ingests list of zip files)
• added output flag (writes list of zip files)

[[email protected] tmp]# mount | grep /tmp
/dev/mapper/VolGroup01-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
[[email protected] tmp]# /srv/log4j-finder 
/srv/log4j-finder: error while loading shared libraries: libz.so.1: failed to map segment from shared object: Operation not permitted
[[email protected] tmp]# mount /tmp -o remount,exec
[[email protected] tmp]# mount | grep /tmp
/dev/mapper/VolGroup01-tmp on /tmp type xfs (rw,nosuid,nodev,relatime,seclabel,attr2,inode64,noquota)
[[email protected] tmp]# /srv/log4j-finder 
 __               _____  __         ___ __           __
|  |.-----.-----.|  |  ||__|______.'  _|__|.-----.--|  |.-----.----.
|  ||  _  |  _  ||__    |  |______|   _|  ||     |  _  ||  -__|   _|
|__||_____|___  |   |__||  |      |__| |__||__|__|_____||_____|__|
          |_____|      |___| v1.2.0 https://github.com/fox-it/log4j-finder

[2021-12-30 15:29:02] host Scanning: /
^C
Aborted!

this is not expected, especially not from a security scan utility, as noexec is set with a reason on /tmp mount point. It would be nice to provide a different tmp dir for the binary.

on RHEL6 I see:

[22407] Error loading Python lib '/tmp/_MEI7VUFgo/libpython3.7m.so.1.0': dlopen: /lib64/libc.so.6: version 'GLIBC_2.14' not found (required by /tmp/_MEI7VUFgo/libpython3.7m.so.1.0)

When I compile and install glibc-2.14 manually and export as an env variable, I get:

export LD_LIBRARY_PATH=/var/opt/glibc-2.14/lib && /tmp/log4j-finder -b
Traceback (most recent call last):
  File "log4j-finder.py", line 29, in <module>
  File "/root/.pyenv/versions/3.7.5/lib/python3.7/site-packages/PyInstaller/loader/pyimod03_importers.py", line 623, in exec_module
  File "platform.py", line 116, in <module>
  File "/root/.pyenv/versions/3.7.5/lib/python3.7/site-packages/PyInstaller/loader/pyimod03_importers.py", line 623, in exec_module
  File "subprocess.py", line 153, in <module>
ImportError: /var//opt/glibc-2.14/lib/libc.so.6: version `GLIBC_2.15' not found (required by /tmp/_MEIWmgHt6/select.cpython-37m-x86_64-linux-gnu.so)

You guessed it, so I build and compiled glibc-2.15 too, and then it gives again the first error.

What I don't understand is that seemingly it's not using these glibc versions:

objdump -T /tmp/log4j-finder

/tmp/log4j-finder:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __strcat_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 getenv
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __snprintf_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 raise
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __vfprintf_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 unlink
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strncpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strncmp
0000000000000000  w   D  *UND*  0000000000000000              _ITM_deregisterTMCloneTable
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strcpy
0000000000000000      DF *UND*  0000000000000000              inflate
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 mkdir
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 ferror
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fread
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 mbstowcs
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 setenv
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 getpid
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fclose
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 opendir
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 stpcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 rmdir
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 setbuf
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strchr
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 dirname
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memset
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strnlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strncat
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.4   __realpath_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 closedir
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __strdup
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __libc_start_main
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 wcsncpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 calloc
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strcmp
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 signal
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 ftell
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 feof
0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 clearerr
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3   realpath
0000000000000000      DF *UND*  0000000000000000              inflateEnd
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 kill
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __xpg_basename
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fileno
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __stpcpy_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __xstat
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 readdir
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 dlopen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 malloc
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fflush
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 nl_langinfo
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fseek
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __vsnprintf_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __strncpy_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __strcpy_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 mkdtemp
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 setlocale
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fchmod
0000000000000000      DF *UND*  0000000000000000              inflateInit_
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 waitpid
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fopen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 perror
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strtok
0000000000000000  w   D  *UND*  0000000000000000              _Jv_RegisterClasses
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 unsetenv
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 execvp
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strcat
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fwrite
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __fprintf_chk
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __strncat_chk
0000000000000000  w   D  *UND*  0000000000000000              _ITM_registerTMCloneTable
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 dlsym
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fork
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 dlerror
0000000000607a40 g    DO .bss   0000000000000008  GLIBC_2.2.5 stdout
0000000000607a48 g    DO .bss   0000000000000008  GLIBC_2.2.5 stdin
0000000000607a50 g    DO .bss   0000000000000008  GLIBC_2.2.5 stderr

Could you compile the binary also for older versions of glibc, like 2.12? Or perhaps there's some option that does something dynamic, I'm no expert.