In the recent Black Hat USA conference, Log4Shell, a de-obfuscation tool that promises simple, rapid analysis of payloads without “critical side effects,” was showcased.
Daniel Abeles and Ron Vider of Oxeye, an AppSec testing platform, demonstrated the open-source ‘Ox4Shell’ utility yesterday (August 10).
‘True intent’
The tool offers a potent combination of lacking benefits among other De-obfuscators of Apache Log4j, which is so widely used that hundreds of millions of devices are affected by the ‘Log4Shell’ flaw (CVE-2021-44228).
“In advance of his presentation, he told The Daily Swig: “I was on a web application firewall for several years, so I can personally relate to the challenge of figuring out the true intent of obfuscated payloads.”
Ox4Shell is a simple Python script that’s easy to use but does not require the user to run any vulnerable code as part of its use.
“We emulated most of the transformations that Java code would perform in parallel without running vulnerable Java code,” Abeles said. Also, this importance is especially evident when integrating such tools into a production pipeline (e.g., WAF rules).
Maximizing accuracy
In response to obfuscated payloads that are “intimidating” and “time-consuming” even for the most experienced security engineers, Oxeye set out “to provide the security community with a lean, simple way to de-obfuscate Log4Shell payloads.”
Abelis said the needs of AppSec engineers determined the tool’s specification. At the same time, the scarcity of public obfuscated payloads for testing prompted them to “work closely with several applications security teams to ensure minimal false positives and false negatives.”.”
The culmination of this process was Ox4Shell’s release in January 2022.
It Defends threat actors circumventing WAF rules and complicating exploit analysis by decoding obfuscated payloads, including base64 commands, into intuitive, readable form – revealing their “true functionality” and drastically reducing the time security teams spend analyzing them.
Mock data
Oxeye says Ox4Shell allows defenders to comply with lookup functions attackers can abuse via Log4Shell to identify target machines by feeding them mock data that they can manipulate.
A mock.json file is used to insert common values into lookup functions. However, if the payload contains the value ${env: HOME}, we can replace it with a custom mock value,” reads the Ox4Shell GitHub page.
The ‘lookup mocking’ feature allows users to replace specific data lookups with mocked data so that the final result is more realistic and more appropriate for the organization using it.
There is concern that vulnerable Log4j instances may persist for “a decade or longer,” according to a recent US government report. With Ox4Shell expected to remain valid for some time, Oxeye plans to add even more mock lookup functions based on feedback from the community.
