Fuzzing Java to Find Log4j Vulnerability - CVE-2021-45046

Duration: 20:19

2022-02-01

8.70K views, 2.35K likes

Channel: LiveOverflow

After the Log4Shell (CVE-2021-44228) vulnerability was patched with version 2.15, another CVE was filed. Apparently log4j was still vulnerable to a denial of service in some cases. However, it turned out that on some systems the issue can still lead to remote code execution. In this video we use the Java fuzzer Jazzer to find a bypass.

Jazzer Java Fuzzer: https://github.com/CodeIntelligenceTesting/jazzer

Anthony Weems: https://twitter.com/amlweems

00:00 - Intro

00:54 - Chapter #1: The New CVE

03:38 - Chapter #2: Disable Lookups

05:43 - Chapter #3: Vulnerable log4j Configs

07:52 - Chapter #4: The Remote Code Execution

10:53 - Chapter #5: Parser Differential

12:57 - Chapter #6: Differential Fuzzing

16:07 - Chapter #7: macOS Only

18:15 - Chapter #8: Increase Impact

19:03 - Summary

19:58 - Outro

-=[ ā¤ļø Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ šŸ• Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/

→ Instagram: https://instagram.com/LiveOverflow/

→ Blog: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/

