@@ -400,17 +400,69 @@ if($EverythingSearch) {
400400 }
401401}
402402Write-Log - Text " Scanning $ ( $arrFiles.Length ) total files for potential vulnerabilities."
403+ # region Ticket T20221228.0055
404+ $MD5_BAD = @ {
405+ # JndiManager.class (source: https://github.com/nccgroup/Cyber-Defence/blob/master/Intelligence/CVE-2021-44228/modified-classes/md5sum.txt)
406+ " 04fdd701809d17465c17c7e603b1b202" = " log4j 2.9.0 - 2.11.2"
407+ " 21f055b62c15453f0d7970a9d994cab7" = " log4j 2.13.0 - 2.13.3"
408+ " 3bd9f41b89ce4fe8ccbf73e43195a5ce" = " log4j 2.6 - 2.6.2"
409+ " 415c13e7c8505fb056d540eac29b72fa" = " log4j 2.7 - 2.8.1"
410+ " 5824711d6c68162eb535cc4dbf7485d3" = " log4j 2.12.0 - 2.12.1"
411+ " 102cac5b7726457244af1f44e54ff468" = " log4j 2.12.2"
412+ " 6b15f42c333ac39abacfeeeb18852a44" = " log4j 2.1 - 2.3"
413+ " 8b2260b1cce64144f6310876f94b1638" = " log4j 2.4 - 2.5"
414+ " a193703904a3f18fb3c90a877eb5c8a7" = " log4j 2.8.2"
415+ " f1d630c48928096a484e4b95ccb162a0" = " log4j 2.14.0 - 2.14.1"
416+ " 5d253e53fa993e122ff012221aa49ec3" = " log4j 2.15.0"
417+ " ba1cf8f81e7b31c709768561ba8ab558" = " log4j 2.16.0"
418+ ' 1B6E6DD47D8084ABDE61CAA28C96B7A3' = " log4j test-reallynotbad"
419+ }
420+
421+ # Known GOOD
422+ $MD5_GOOD = @ {
423+ " 3dc5cf97546007be53b2f3d44028fa58" = " log4j 2.17.0"
424+ " 3c3a43af0930a658716b870e66db1569" = " log4j 2.17.1"
425+ }
403426
404- # scan i: JARs containing vulnerable Log4j code
405427Write-Log - Text " Scanning for JAR files containing potentially insecure Log4j code."
406428$arrFiles | Where-Object {$_ -match ' \.jar$' | ForEach-Object {
407429 Write-Verbose - Message " Running insecure code scan on file '$_ '"
408- if (Select-String - Quiet - Path $_ " JndiLookup.class"
409- Write-Log - Text " ! ALERT: Potentially vulnerable file at $ ( $_ ) !" - Type WARN
410- $script :varDetection = 1
430+
431+ If (! (Test-Path $env: TEMP \extract)) {
432+ New-Item - ItemType Directory - Path $env: TEMP \extract | Out-Null
433+ } else {
434+ remove-item - Path $env: TEMP \extract - Recurse - Force - ErrorAction SilentlyContinue
435+ New-Item - ItemType Directory - Path $env: TEMP \extract | Out-Null
436+ }
437+ [System.Reflection.Assembly ]::LoadWithPartialName(' System.IO.Compression.FileSystem' | Out-Null
438+ [System.IO.Compression.ZipFile ]::ExtractToDirectory($_ , " $env: TEMP \extract" | Out-Null
439+ $Files = Get-ChildItem $env: TEMP \extract - Recurse | Where-Object - Property Name -match ' JNDIManager.class'
440+ If ($Files ) {
441+ foreach ($file in $files ) {
442+ # found a matching jndimanager.class file.
443+ $checksum = (Get-FileHash - Algorithm MD5 - Path $file.FullName ).hash
444+ if ($checksum -in $MD5_BAD.keys ) {
445+ Write-Log - Text " MD5 found in bad list referencing $ ( $MD5_BAD .$checksum ) " - Type WARN
446+ # if it's bad, check for jndilookup.class, it will be two directories up under the lookup directory.
447+ $path = Get-Childitem ($File.PSParentPath ).replace(" \$ ( $file.directory.name ) " , ' '
448+
449+ $script :varDetection = 1
450+ } elseif ($checksum -in $MD5_GOOD.keys ) {
451+ Write-Log - Text " MD5 found in good list referencing $ ( $MD5_BAD .$checksum ) " - Type Log
452+ $script :varDetection = 0
453+ } else {
454+ Write-Log - Text ' MD5 was not found in any list' - Type Log
455+ $script :varDetection = 0
456+ }
457+ }
411458 }
412459}
413460
461+
462+ if (Select-String - Quiet - Path $_ " JndiLookup.class"
463+ Write-Log - Text " ! ALERT: Potentially vulnerable file at $ ( $_ ) !" - Type WARN
464+ }
465+ # endregion
414466if (-not $skipYARA ) {
415467 # scan ii: YARA for logfiles & JARs
416468 Write-Log - Text " Scanning LOGs, TXTs and JARs for common attack strings via YARA scan."
0 commit comments