From a10ce4d1e112805b6dd1a00141ed64266d0152e7 Mon Sep 17 00:00:00 2001
From: Hilko Bengen
Date: Mon, 13 Dec 2021 22:08:00 +0100
Subject: [PATCH] Add string-based indicator
Idea taken from
---
 log4j-vuln-finder.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/log4j-vuln-finder.go b/log4j-vuln-finder.go
index 776fd54..5014699 100644
--- a/log4j-vuln-finder.go
+++ b/log4j-vuln-finder.go
@@ -96,6 +96,18 @@ func handleJar(path string, ra io.ReaderAt, sz int64) {
 sum := hex.EncodeToString(hasher.Sum(nil))
 if desc, ok := vulnVersions[sum]; ok {
 fmt.Printf("indicator for vulnerable component found in %s (%s): %s\n", path, file.Name, desc)
+ continue
+ }
+ if strings.ToLower(filepath.Base(file.Name)) == "jndimanager.class" {
+ buf := make([]byte, sz)
+ if _, err := ra.ReadAt(buf, 0); err != nil {
+ fmt.Printf("can't read JAR file member: %s (%s): %v\n", path, file.Name, err)
+ continue
+ }
+ if !bytes.Contains(buf, []byte("Invalid JNDI URI - {}")) {
+ fmt.Printf("indicator for vulnerable component found in %s (%s): %s\n",
+ path, file.Name, "JndiManager class missing new error message string literal")
+ }
 }
 case ".jar", ".war", ".ear":
 fr, err := file.Open()
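Review bot: The new JndiManager check reads `sz` bytes from `ra` at offset 0, which by handleJar's signature is the whole archive rather than the `jndimanager.class` member whose hash was presumably computed a few lines earlier; in a deflate-compressed JAR the `Invalid JNDI URI - {}` literal is not visible in the raw archive bytes, so `bytes.Contains` would miss it and report patched builds as vulnerable, and the check allocates an archive-sized buffer every time it fires. Read the member through `file.Open()` instead, bounded by `file.UncompressedSize64`, as below; the `bytes.Contains` test and the report message stay as they are. handleJar itself starts and ends outside the hunk, and the hunk adds uses of `bytes`, `strings` and `filepath` without touching the import block, so those are assumed to be imported already.
```go
if strings.ToLower(filepath.Base(file.Name)) == "jndimanager.class" {
	fr, err := file.Open()
	if err != nil {
		fmt.Printf("can't read JAR file member: %s (%s): %v\n", path, file.Name, err)
		continue
	}
	// Cap the read at the member's declared size so a short or lying
	// header cannot drive an open-ended read of the archive.
	buf, err := io.ReadAll(io.LimitReader(fr, int64(file.UncompressedSize64)))
	fr.Close()
	if err != nil {
		fmt.Printf("can't read JAR file member: %s (%s): %v\n", path, file.Name, err)
		continue
	}
	// … unchanged: bytes.Contains check and report …
}
```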