October 6, 2022

TheCyberThrone

Thinking Security ! Always

Ox4Shell – Log4Shell De-obfuscator

A Log4Shell de-obfuscation tool dubbed Ox4Shell, promises simple, rapid payload analysis without the risk of critical side effects has been showcased at Black Hat USA.

The tool offers a potent combination of benefits lacking among other de-obfuscators of the critical vulnerability in Apache Log4j, the Java logging utility so widely distributed that the ‘Log4Shell’ flaw (CVE-2021-44228) affects hundreds of millions of devices.

Advertisements

The researchers couldn’t find any other tools that were as easy to use as Ox4Shell – a simple Python script but didn’t require the user to run any vulnerable code in the process.

With obfuscated payloads intimidating, time-consuming and tedious for even the most experienced, Oxeye set out to provide the security community a lean, simple way to de-obfuscate Log4Shell payloads. This process culminated with Ox4Shell’s release in January 2022, a month after Log4Shell surfaced.

The tool counters threat actors attempt to circumvent WAF rules and complicate exploit analysis, by decoding obfuscated payloads, including base64 commands, into an intuitive and readable form that reveals  their true functionality and dramatically reducing security teams’ analysis time.

Ox4Shell enables defenders to comply with lookup functions that attackers can abuse via Log4Shell to identify targeted machines by feeding them mock data that they can control.

Advertisements

A mock.json file is used to insert common values into lookup functions. This means users can replace certain data lookups with mocked data, so the result would look more realistic and well suited to the specific organization using it.

A recent US government report warned that vulnerable Log4j instances could persist for a decade or longer. With Ox4Shell set to remain useful for some time to come, the tool’s capabilities set to be expanded to mock even more lookup functions based on community feedback.

This open source utility was demonstrated by Daniel Abeles and Ron Vider of AppSec testing platform Oxeye.

%d bloggers like this: