[Bug 260770] libc resolver does not validate domain names

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 29 Dec 2021 01:24:29 UTC

--- Comment #1 from Ed Maste <emaste@freebsd.org> ---

> FIX: Here is a PoC of how to bypass the allowedLdapHost and allowedClasses checks
> in Log4J 2.15.0 to achieve RCE: ${jndi:ldap://}
> and to bypass allowedClasses just choose a name for a class in the JDK.
> Deserialization will occur as usual. #Log4Shell 1/n

> In my tests, this doesn't work on Windows and Linux. It does work on macOS and
> FreeBSD.
> # is not valid for DNS, but *some* resolvers might query names with # in them.
> TBC: for this to work the vulnerable application must run on FreeBSD or macOS
> and the actor must control a DNS domain.
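The quoted PoC depends on a resolver passing a name containing `#` through to a DNS query. As an added illustration (not FreeBSD's libc code, and not the Log4j fix), the function below is the kind of syntactic hostname check, following the RFC 1123 label rules, that a resolver or an application can apply before issuing a query; it rejects `#` along with any other character outside letters, digits and hyphens.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Limits from RFC 1035: 63 octets per label, 253 characters for a
 * full name once a trailing dot has been removed. */
#define MAX_LABEL 63
#define MAX_NAME  253

/* Return true if `name` is a syntactically valid hostname per RFC 1123:
 * labels of letters, digits and hyphens, no leading or trailing hyphen,
 * 1..63 octets per label, labels separated by '.', and at most one
 * trailing dot. Anything else ('#', '_', spaces, empty labels) fails.
 * Hypothetical helper written for this example. */
bool valid_hostname(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len == 0)
        return false;
    /* A single trailing dot marks an absolute name and is allowed. */
    if (name[len - 1] == '.')
        len--;
    if (len == 0 || len > MAX_NAME)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* Empty label ("a..b") or label ending in '-' is invalid;
             * label_len == 0 also covers i == 0, so name[i - 1] is safe. */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-')
            return false;          /* label may not start with '-' */
        if (!isalnum(c) && c != '-')
            return false;          /* rejects '#', '_', spaces, etc. */
        if (++label_len > MAX_LABEL)
            return false;
    }
    /* The final label must be non-empty and must not end in '-'. */
    return label_len > 0 && name[len - 1] != '-';
}
```

A resolver that applies a check like this never sends the `#`-containing name to an attacker-controlled DNS zone, so the observed platform difference in the quoted report comes down to whether the platform's libc performs this validation.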

You are receiving this mail because:
You are the assignee for the bug.