Monday, December 20, 2021

Btrace - Tracing JndiLookups - Log4jShell Exploitation Attempts

 BTrace is a safe, dynamic tracing tool for the Java platform.BTrace can be used to dynamically trace a running Java program. BTrace dynamically instruments the classes of the target application to inject tracing code ("bytecode tracing").

BTrace can be used to define trace points that the user is interested to track and when the trace point is reached the user can perform their tasks of interest - such as printing arguments, stack trace etc. 

BTrace can be used to trigger in one of the following scenarios,

  • OnMethod
  • OnTimer
  • OnError 
  • OnExit 
  • OnEvent 
  • OnLowMemory
  • OnProbe
  •  OnMethod is what we will be using. BTrace can be used to trace specific method in specific class making it an ideal tool to trace specific functions of interest instead of debugging the Java code.

    The class that we are interested to track is org.apache.logging.log4j.core.lookup.JndiLookup and the method is lookup. Using this information we can create the probe file that can be fed to BTrace tool. The probe will have the action to perform once the trace point is hit. Lets create a probe file that will print out the arguments passed to the lookup function. Looking up the definition of lookup function we can understand that argument 2 holds the information about JNDI resource name.

    public String lookup(LogEvent event, String key)


    event - The current LogEvent (is ignored by this StrLookup).

    key - the JNDI resource name to be looked up, may be null


    The String value of the JNDI resource.

    The above code will set the function lookup as trace point and prints the arguments passed to the function. The probe can be run using BTrace like - btrace -v -o <output log> <pid> <path to probe>. The below video shows BTrace's live action. 

    No comments:

    Post a Comment