Black Hat USA: Log4j de-obfuscator Ox4Shell ‘dramatically’ cuts analysis time

At the recent Black Hat USA conference, Ox4Shell, a de-obfuscation tool for Log4Shell payloads that promises simple, rapid analysis without “critical side effects,” was showcased.

Daniel Abeles and Ron Vider of Oxeye, an AppSec testing platform, demonstrated the open-source ‘Ox4Shell’ utility yesterday (August 10).

‘True intent’

The tool offers a combination of benefits lacking in other de-obfuscators for Apache Log4j, the logging library so widely used that hundreds of millions of devices are affected by the ‘Log4Shell’ flaw (CVE-2021-44228).

Ahead of the presentation, Abeles told The Daily Swig: “I was on a web application firewall for several years, so I can personally relate to the challenge of figuring out the true intent of obfuscated payloads.”

Ox4Shell is a simple Python script that is easy to use and does not require the user to run any vulnerable code.

“We emulated most of the transformations that Java code would perform in parallel without running vulnerable Java code,” Abeles said. This matters most when such tools are integrated into a production pipeline (for example, WAF rules).

Maximizing accuracy

In response to obfuscated payloads that are “intimidating” and “time-consuming” even for the most experienced security engineers, Oxeye set out “to provide the security community with a lean, simple way to de-obfuscate Log4Shell payloads.”

Abeles said the needs of AppSec engineers determined the tool’s specification. At the same time, the scarcity of public obfuscated payloads for testing prompted the team to “work closely with several application security teams to ensure minimal false positives and false negatives.”

The culmination of this process was Ox4Shell’s release in January 2022.

It counters threat actors who circumvent WAF rules and complicate exploit analysis: it decodes obfuscated payloads, including base64-encoded commands, into an intuitive, readable form, revealing their “true functionality” and drastically reducing the time security teams spend analyzing them.

Mock data

Oxeye says Ox4Shell lets defenders counter the lookup functions attackers can abuse via Log4Shell to identify target machines, by feeding those lookups mock data that defenders control.

“A mock.json file is used to insert common values into lookup functions. However, if the payload contains the value ${env:HOME}, we can replace it with a custom mock value,” reads the Ox4Shell GitHub page.

The ‘lookup mocking’ feature lets users replace specific data lookups with mocked data so that the final result is more realistic and better suited to the organization using it.

There is concern that vulnerable Log4j instances may persist for “a decade or longer,” according to a recent US government report. With Ox4Shell expected to remain relevant for some time, Oxeye plans to add more mock lookup functions based on feedback from the community.

Robert Lemmons
Robert Lemmons is an IT professional who has spent his last few years in the cybersecurity field. He enjoys reading science fiction novels, especially by Isaac Asimov, and recently took up the task of writing a science fiction novel of his own.