Log4Shell allows remote code execution. Could this be used to patch the vulnerability remotely?

Time:12-15

The current log4shell issue (the famous CVE-2021-44228) gives attackers a vector to execute untrusted code on vulnerable, internet-facing machines.

Could this be used to patch the vulnerability, by placing code on the target machines that patches the vulnerable libraries?

Edit: To clarify the question, this is only aimed at the technical question of whether patching running Java code remotely through this shell access vector is possible.

CodePudding user response:

Legally it is a clear no.
You would still be executing code on a system you don't own without authorisation from the owner. Although the intention would be good (preventing bad hackers from attacking the system), this way of solving the problem would still be illegal.

Technically, yes.
As you correctly understood, you can get full control of the system by executing arbitrary code, including installing a "fix".

Realistically, it depends on how you want to implement the fix and whether you find a scalable, generic solution to "fix" differently configured systems with the same approach.
Updating the library would require identifying the location of the vulnerable file log4j-core.jar and replacing it with the fixed version, but then you also need to restart the service using the library, as the vulnerable version might already be loaded in memory. A change to the file on disk would not be reflected in a running program.
The location of the file and the running services will vary from system to system, making it harder to implement a generic solution.

The vulnerability has already been publicly reported for 5 days and is very easy to exploit. If you haven't patched it already, you might already be exploited. An attacker could already have installed other malicious software that is able to load and execute any new code in the future via remote control and would not require the log4j exploit any more.

If you haven't fixed the log4j vulnerability yet, updating log4j is no longer enough. You have to assume that your system is already compromised by sleeping trojans and you should reset the whole system to get rid of it.

My suggestion is to not do it. Try to contact the owner of the system and tell them to update and reset the complete system.
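The answer above points out that a fix has to locate every copy of log4j-core.jar on a system before it can do anything, and that the location varies per host. The same inventory step is what an administrator needs on their own machines. The following script is an added example and not code from the thread or from any project mentioned in it: it walks a directory tree you administer, opens each log4j-core jar, reads the version from its Maven pom.properties, checks whether the JndiLookup class is still present, and flags versions affected by CVE-2021-44228 (assumed threshold: anything below 2.15.0, except the 2.12.2 backport for Java 7, counts as affected). It only reads files and never modifies them. The sample jars it scans are constructed in a temporary directory, so it runs offline; the paths and app names are made up. As the answer notes, a disk scan says nothing about what a running JVM has already loaded, so a positive result still calls for a restart after updating.

```python
"""Inventory log4j-core jars on disk and flag versions affected by CVE-2021-44228.

Added example, not from the original thread. It reads files on a host you
administer and modifies nothing. Assumed threshold: log4j-core below 2.15.0
(other than the 2.12.2 Java 7 backport) is treated as affected.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries inside a log4j-core jar that reveal its version and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class JarReport:
    path: str
    version: Optional[str]
    has_jndi_lookup: bool
    affected: bool


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' (or '2.0-beta9') into a 3-tuple; missing parts become 0."""
    nums = [int(p) for p in re.findall(r"\d+", text)]
    nums = (nums + [0, 0, 0])[:3]
    return (nums[0], nums[1], nums[2])


def is_affected(version: Optional[str], has_jndi_lookup: bool) -> bool:
    """A jar with JndiLookup.class removed is treated as mitigated regardless of
    version. Otherwise 2.15.0+ and the 2.12.2 Java 7 backport are fixed;
    anything older (or of unknown version) is assumed affected."""
    if not has_jndi_lookup:
        return False
    if version is None:
        return True
    v = parse_version(version)
    if v >= (2, 15, 0):
        return False
    if (2, 12, 2) <= v < (2, 13, 0):
        return False
    return True


def inspect_jar(path: str) -> JarReport:
    """Read version metadata and class list from one jar (a jar is a zip file)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
    return JarReport(path, version, has_jndi, is_affected(version, has_jndi))


def scan(root: str) -> List[JarReport]:
    """Find every log4j-core*.jar under root and report on each one."""
    reports: List[JarReport] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                reports.append(inspect_jar(os.path.join(dirpath, name)))
    return reports


def _write_jar(path: str, version: str, include_jndi: bool) -> None:
    """Build a minimal stand-in jar (constructed sample, not a real log4j build)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"")  # empty placeholder for the class bytes


def make_sample_tree() -> str:
    """Constructed sample: one affected jar, one with JndiLookup stripped, one fixed."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _write_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_jar(os.path.join(root, "app2", "lib", "log4j-core-2.14.1.jar"), "2.14.1", False)
    _write_jar(os.path.join(root, "app3", "lib", "log4j-core-2.17.1.jar"), "2.17.1", True)
    return root


if __name__ == "__main__":
    for r in scan(make_sample_tree()):
        status = "AFFECTED" if r.affected else "ok"
        print(f"{status:8} version={r.version} jndi_lookup={r.has_jndi_lookup} {r.path}")
```

Run it against a real host by replacing `make_sample_tree()` with the directory you want inventoried; a jar reported as affected still needs the update and a service restart, since the scan cannot see what the JVM loaded.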

CodePudding user response:

There seems to be at least one proof-of-concept level project that attempts to patch the vulnerability in-place, so it is technically feasible: https://github.com/Cybereason/Logout4Shell

The authors detail their approach in a blog post, from which it seems that the exploit/fix combination (which they call a "vaccine") is also an advertisement for their company. Keep that in mind when evaluating it.
