Forum Discussion
Overview of Callbacks in Log4j Remote Detection Plugins
The following is an overview of callbacks in the Tenable plugins for Log4Shell that perform remote detection: 155998, 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669.
An HTTP request is sent by the scanner to the target being scanned with a benign payload containing a unique token. The target, if vulnerable, will act on the payload. Tenable tracks the target's action on the payload either via a callback to our hosted environment (plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669), matched on the unique token that was embedded in the initial request, or via the LDAP connection callback to the scanner for plugin 155998.
The callback is needed given the nature of the vulnerability as execution of the payload happens on the target being scanned.
In plugin 155998, the callback happens to the scanner. This is the reason the plugin is not supported on Tenable.io cloud scanners.
In plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669, as part of execution of the payload, the target tries to resolve a domain owned by Tenable. While resolving the domain, Tenable is able to see the unique token that was sent in the initial request and thereby can track the callback.
These plugins come with the major benefit that credentials are not required for scanning. However, the callbacks need to be successful for the plugin to be able to identify the exposure. Hence, communication between the target being scanned and the callback server must not be interrupted by intermediary devices.
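As an added example (not Tenable's code), the token-to-target correlation described above, written from the scan operator's side so that you can check which hosts actually completed the DNS callback and which cannot be confirmed either way. The callback zone `callback.example.invalid`, the resolver log format and the sample log lines are all constructed assumptions, since the page does not name the real domain.

```python
import re
import secrets

# Hypothetical callback zone; the page does not name Tenable's real domain.
CALLBACK_ZONE = "callback.example.invalid"
SUFFIX = "." + CALLBACK_ZONE
# Constructed resolver log format: '<timestamp> query: <qname> from <client>'.
LOG_RE = re.compile(r"^(?P<ts>\S+) query: (?P<qname>\S+) from (?P<client>\S+)$")

def issue_tokens(targets):
    """One unguessable token per target, so callbacks cannot be confused or forged."""
    return {secrets.token_hex(8): target for target in targets}

def callback_hostname(token):
    """Hostname the target resolves; the token is the label directly under the zone."""
    return f"{token}.{CALLBACK_ZONE}"

def correlate(log_lines, issued):
    """Map each target whose token appeared in a query to (timestamp, qname)."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        qname = m.group("qname").rstrip(".").lower()
        if not qname.endswith(SUFFIX):
            continue  # query for some other zone
        # The client address is normally the target's recursive resolver, not the
        # target itself, so the embedded token (not the source IP) identifies the host.
        token = qname[: -len(SUFFIX)].split(".")[-1]
        target = issued.get(token)
        if target is not None and target not in seen:
            seen[target] = (m.group("ts"), qname)
    return seen

def missing_callbacks(log_lines, issued):
    """Targets that never called back; the plugin cannot confirm these either way."""
    seen = correlate(log_lines, issued)
    return sorted(t for t in issued.values() if t not in seen)

# Constructed sample: two targets were issued tokens; only 10.0.0.5 calls back.
SAMPLE_ISSUED = {"3f9a1c2e7b5d4a60": "10.0.0.5", "a1b2c3d4e5f60718": "10.0.0.6"}
SAMPLE_LOG = [
    "2021-12-13T10:02:11Z query: 3f9a1c2e7b5d4a60.callback.example.invalid. from 10.0.0.53",
    "2021-12-13T10:02:12Z query: www.example.org. from 10.0.0.9",
    "2021-12-13T10:02:13Z query: ffffffffffffffff.callback.example.invalid. from 10.0.0.53",
    "not a query line",
]
```

A target listed by `missing_callbacks` is not necessarily safe: the callback may simply have been blocked by an intermediary device, which is exactly why the post stresses that the path to the callback server must stay open.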
For more details:
13 Replies
- cezar1 (Connect Captain)
Perfect work, thank you!
Would it be possible to know the Tenable domain used by the plugin 156014? It would help investigating the logs and possibly using a sinkhole internally.
Thank you in advance
How can I scan my public IPs with this plugin? Obviously my scanner has a firewall, so the callbacks will be rejected. Is there a port I can open or something like this to make it work?
- mbohen (Connect Rookie)
I have the same question re: the DNS domain.
- dmorales (Connect Contributor)
I third the DNS question. Knowing the domain(s) that will be tried will be of great benefit to ensure plugin functionality.
I'm looking in my firewall logs, and the only services being tested are http and https. Is there a way to configure scans for other services? Asking for a friend.
- Anonymous
Does it also use the "administrator" account even if it is not configured in the credentials section? Because we've seen some "administrator" user trying to log in when the scan is triggered.
- Anonymous
It does not work with remote scan??!!??
- chad_weatherfor (Connect Contributor III)
Why are there no responses from Tenable for these questions? If they aren't valid questions, please explain.
I agree, can you please provide us with the information we need so we can put rules into our firewalls to allow Nessus' scans to do their job??