Cas van Cooten · Dec 10, 2021 · 4:19 PM UTC

Cas van Cooten

Cas van Cooten @chvancooten

10 Dec 2021

A story in three parts 😶 #log4j

1,199

238

4,266

Jester · Dec 10, 2021 · 4:31 PM UTC

Jester @Jester0x01

10 Dec 2021

Welcome to dup gang :')

Cas van Cooten · Dec 10, 2021 · 4:35 PM UTC

Cas van Cooten · Dec 10, 2021 · 4:35 PM UTC

Cas van Cooten @chvancooten

10 Dec 2021

Replying to @Jester0x01

Haha I'm not in it for bounties in this case, was primarily curious to see how deep this issue goes and what funky ways we can use to trigger it. I'm sure Apple is already painfully aware of their exposure, hopefully they can fix it soon!

Dec 10, 2021 · 4:35 PM UTC · Twitter Web App

Jester · Dec 10, 2021 · 4:37 PM UTC

Jester @Jester0x01

10 Dec 2021

Replying to @chvancooten

Yeah, someone posted another apple poc yesterday but it is still not fixed.

Noel Hibbard · Dec 11, 2021 · 7:38 PM UTC

Noel Hibbard @noelhibbard

11 Dec 2021

Replying to @chvancooten @Jester0x01

Getting a dns query out of Apple doesn’t mean the exploit actually worked or that it was even log4j that inisiated the query. The only reliable test would be to put a real ldap server in your string. I’m sure you know all this, just putting it out for others who are reading.