Open source utility exposes payloads without running vulnerable Java code

A Log4Shell de-obfuscation tool that promises simple, rapid payload analysis without the risk of “critical side effects” has been showcased at Black Hat USA.

The open source ‘Ox4Shell’ utility was demonstrated on the Arsenal track in Las Vegas yesterday (August 10) by Daniel Abeles and Ron Vider of AppSec testing platform Oxeye.

‘True intent’

Abeles believes the tool offers a potent combination of benefits lacking among other de-obfuscators of the critical vulnerability in Apache Log4j, the Java logging utility so widely distributed that the ‘Log4Shell’ flaw (CVE-2021-44228) affects hundreds of millions of devices.

“I worked on a web application firewall [WAF] myself for several years, so I can personally relate to the struggle of understanding the true intent of obfuscated payloads and the challenge it poses to security teams,” he told The Daily Swig said in advance of his presentation.


RELATED ‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns


The researchers couldn’t find any other tools that were as easy to use as Ox4Shell – a simple Python script – but didn’t require the user to run any vulnerable code in the process.

“We emulated most of the transformations a parallel Java code would do, without the risk of running vulnerable Java code,” Abeles said. “This is especially important when integrating such tools in a production pipeline (e.g. WAF rules), to ensure no critical side effects.”

Maximizing accuracy

With obfuscated payloads “intimidating for most security engineers” and “time-consuming and tedious” for even the most experienced, Oxeye set out “to provide the security community a lean, simple way to de-obfuscate Log4Shell payloads.”

Abeles said the needs of AppSec engineers informed the tool’s specification, while the scarcity “of public obfuscated payloads to test Ox4Shell against” prompted them to “team up with several application security teams to gather a wide variety of payloads, so we can ensure minimum false negatives and false positives rate”.


Catch up on the latest Log4Shell news and analysis


This process culminated with Ox4Shell’s release in January 2022, a month after Log4Shell surfaced.

The tool counters threat actors’ attempts to circumvent WAF rules and complicate exploit analysis, by decoding obfuscated payloads, including base64 commands, “into an intuitive and readable form” – thus revealing their “true functionality” and “dramatically” reducing security teams’ analysis time.

Mock data

Oxeye says Ox4Shell enables defenders to comply with lookup functions that attackers can abuse via Log4Shell to identify targeted machines by feeding them mock data that they can control.

A mock.json file is used to insert common values into lookup functions. “For example, if the payload contains the value ${env:HOME}, we can replace it with a custom mock value,” reads the Ox4Shell GitHub page.

This ‘lookup mocking’ means users can “replace certain data lookups with mocked data, so the final result would look more realistic and well suited to the specific organization using it”, Abeles told The Daily Swig.

A recent US government report warned that vulnerable Log4j instances could persist for “a decade or longer”. With Ox4Shell set to remain useful for some time to come, Oxeye is planning to expand the tool’s capabilities to mock even more lookup functions based on community feedback.


YOU MIGHT ALSO LIKE Black Hat USA: Deliberately vulnerable AWS, Azure cloud infrastructure is a pen tester’s playground