Since the Log4j vulnerability discovery a few weeks ago, many Oxeye customers have experienced unauthorized attempts to probe their apps for Log4Shell instances. Some probes employed obfuscated payloads.
Threat actors tend to apply obfuscation techniques to their payloads for several reasons. Most security protection tools, such as web application firewalls (WAFs), rely on rules to match malicious patterns. By using obfuscated payloads, threat actors are able to circumvent the rules logic and bypass security measures. Moreover, obfuscated payloads increase analysis complexity and, depending upon the degree of obfuscation, can also prevent them from being reverse-engineered.
Decoding and analyzing obfuscated payloads is time-consuming and often results in inaccurate data. However, doing so is crucial for understanding attackers’ intentions.
To help our customers and the AppSec community at large, Oxeye developed an effective, free tool that deobfuscates Log4Shell payloads.
The Log4Shell vulnerability relies on providing user-controlled inputs to a Log4j logging function. For example, when the function encounters specific unique values such as ${variable1}, the vulnerable program tries to look up the variable in the current thread context. During our research, we sought to address the most popular functions—those that can assist threat actors in masquerading their malicious intent by using hard-to-analyze payloads.
Consider the following payload taken from a recently published Log4Shell payload obfuscation tool:
Human eyes seeing such a payload likely won’t understand its true functionality. But by using Ox4Shell, the obscured payload is transformed into a more meaningful form. Thus, you’re provided with a clear understanding of what a threat actor has been trying to achieve. Revisiting the above example, Ox4Shell reveals what the payload is actually doing:
The Log4j library has a few unique lookup functions that permit users to look up environment variables, Java process runtime information, and so forth. These enable threat actors to probe for specific information that can uniquely identify a compromised machine they’ve targeted.
For example, the following payload demonstrates how miscreants are able to embed the variables within payloads to extract environment variables. Here the AWS_PROFILE environment variable, used on machines interacting with the Amazon Web Services API, is incorporated into the payload:
Ox4Shell enables you to comply with such lookup functions by feeding them mock data that you control. The data is handled via mock.json, a JSON file that contains special values you can incorporate within the deobfuscated payloads. Running Ox4Shell on the previous payload yields the following:
With the rise of opensource scanning tools for Log4Shell, we are seeing an increase in exploitation attempts. We believe that security teams around the world can benefit from using Ox4Shell to dramatically reduce their analysis time. We hope you will find it useful, and we welcome any kind of feedback or additional feature requests.
