Closed reox closed 6 years ago
This is intended. We do strict extension and mime type checks.
Okay, but your mime checks seem not to be working. I just uploaded some random file called foo.apk and everything crashes. If APK files were detected properly, you would not get crazy errors when non-APK files are uploaded, and you would be able to detect APKs even if they were named differently.
[INFO] Unzipping
[2018-04-26 12:22:56]
[ERROR] Unzipping Error (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/shared_func.py, LINE 75 "with zipfile.ZipFile(app_path, "r") as zipptr:"): File is not a zip file
[INFO] Using the Default OS Unzip Utility.
[2018-04-26 12:22:56]
[ERROR] Unzipping Error (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/shared_func.py, LINE 92 "['unzip', '-o', '-q', app_path, '-d', ext_path])"): [Errno 2] No such file or directory: 'unzip': 'unzip'
[INFO] Getting Hardcoded Certificates/Keystores
[2018-04-26 12:22:56]
[ERROR] Getting Hardcoded Certificates/Keystores (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/cert_analysis.py, LINE 23 "for file_name in files:"): 'NoneType' object is not iterable
[INFO] APK Extracted
[INFO] Converting AXML to XML
Exception in thread "main" brut.androlib.AndrolibException: brut.directory.DirectoryException: java.util.zip.ZipException: error in opening zip file
at brut.androlib.ApkDecoder.hasResources(ApkDecoder.java:307)
at brut.androlib.ApkDecoder.decode(ApkDecoder.java:103)
at brut.apktool.Main.cmdDecode(Main.java:164)
at brut.apktool.Main.main(Main.java:73)
Caused by: brut.directory.DirectoryException: java.util.zip.ZipException: error in opening zip file
at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55)
at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38)
at brut.directory.ExtFile.getDirectory(ExtFile.java:52)
at brut.androlib.ApkDecoder.hasResources(ApkDecoder.java:305)
... 3 more
Caused by: java.util.zip.ZipException: error in opening zip file
at java.util.zip.ZipFile.open(Native Method)
at java.util.zip.ZipFile.<init>(ZipFile.java:225)
at java.util.zip.ZipFile.<init>(ZipFile.java:155)
at java.util.zip.ZipFile.<init>(ZipFile.java:169)
at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53)
... 6 more
[2018-04-26 12:22:56]
[ERROR]Getting Manifest file (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/manifest_analysis.py, LINE 1304 "subprocess.check_output(args)"): Command '['/usr/bin/java', '-jar', '/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/tools/apktool_2.3.2.jar', '--match-original', '-f', '-s', 'd', '/root/.MobSF/uploads/b2c288ce87ab42f496e1670ebff72ec2/b2c288ce87ab42f496e1670ebff72ec2.apk', '-o', '/root/.MobSF/uploads/b2c288ce87ab42f496e1670ebff72ec2/apktool_out']' returned non-zero exit status 1.
[2018-04-26 12:22:56]
[ERROR] Reading Manifest file (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/manifest_analysis.py, LINE 1259 "if isFileExists(manifest):"): stat: path should be string, bytes, os.PathLike or integer, not NoneType
[INFO] Parsing AndroidManifest.xml
[2018-04-26 12:22:56]
[ERROR] apktool failed to extract AndroidManifest.xml or parsing failed (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/manifest_analysis.py, LINE 28 "manifest = minidom.parseString(dat)"): a bytes-like object is required, not 'NoneType'
[WARNING] Using Fake XML to continue the Analysis
[INFO] Extracting Manifest Data
[INFO] Manifest Analysis Started
[INFO] Static Android Binary Analysis Started
[INFO] Static Android Resourse Analysis Started
[INFO] Reading Code Signing Certificate
[2018-04-26 12:22:56]
[ERROR] Reading Code Signing Certificate (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/cert_analysis.py, LINE 49 "cert) if os.path.isfile(os.path.join(cert, f))]"): [Errno 2] No such file or directory: '/root/.MobSF/uploads/b2c288ce87ab42f496e1670ebff72ec2/META-INF/'
[INFO] APKiD - Package does not contains classes.dex file!
[INFO] DEX -> JAR
[INFO] Using JAR converter - dex2jar
[INFO] DEX -> SMALI
[INFO] JAR -> JAVA
[INFO] Static Android Code Analysis Started
[INFO] Code Analysis Started on - /root/.MobSF/uploads/b2c288ce87ab42f496e1670ebff72ec2/java_source/
[INFO] Performing Malware Check on extracted Domains
[INFO] Finished Code Analysis, Email and URL Extraction
[INFO] Generating Java and Smali Downloads
[INFO] Generating Downloads
[INFO] Zipping
[INFO] Zipping
[INFO] Extracting Strings from APK
[2018-04-26 12:22:56]
[ERROR] Extracting Strings from APK (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/strings.py, LINE 22 "and_a = apk.APK(apk_file)"): File is not a zip file
[INFO] Connecting to Database
[INFO] Saving to Database
[2018-04-26 12:22:56]
[ERROR] Saving to DB (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/db_interaction.py, LINE 218 "CERT_INFO=cert_dic['cert_info'],"): 'NoneType' object is not subscriptable
[2018-04-26 12:22:56]
[ERROR] Rendering to Template (/root/Mobile-Security-Framework-MobSF/StaticAnalyzer/views/android/db_interaction.py, LINE 105 "'certinfo': cert_dic['cert_info'],"): 'NoneType' object is not subscriptable
[ERROR] 'NoneType' object does not support item assignment
This happens probably because the file uploaded has a binary/octet-stream mime type.
We allow file uploads with all the following mime-types: https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/master/MobSF/settings.py#L107-L130
and extensions like apk, appx, zip, and ipa
Using MobSF v1.0 Beta, from the Docker image.
When uploading APKs, I quite often do not have the files named *.apk, as those files are downloaded from various sources or from databases where the name is simply the hash of the file. In this case the upload is rejected, as only the extension is checked.
It would be nice to be able to upload files with any extension and still get the correct analysis.
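The thread above boils down to one point: extension and declared MIME type are both caller-controlled, so a random file renamed to foo.apk passes the check and then crashes every later stage, while a real APK named after its hash is rejected. The following is an added example, not MobSF's own code, of a content-based check that ignores both the extension and the MIME type: it looks for the zip local-file-header magic, confirms the central directory actually parses, and then classifies the archive by the members it contains (AndroidManifest.xml for an APK, Payload/*.app/Info.plist for an IPA, AppxManifest.xml for an APPX, anything else as plain zip). The function names, the sample builder and the constructed sample files are assumptions for this illustration; the member-name heuristics are the usual ones, not a spec.

```python
import os
import tempfile
import zipfile
from typing import Dict, Optional

# Added example (not MobSF code). Names below are assumed for illustration.

# Zip local file header, end-of-central-directory (empty archive) and
# spanned-archive signatures. A file starting with none of these is not a zip,
# whatever its extension or declared MIME type says.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def detect_archive_type(path: str) -> Optional[str]:
    """Classify a file by content as 'apk', 'ipa', 'appx' or 'zip'.

    Returns None when the file is not a readable zip archive at all, so a caller
    can reject the upload up front instead of letting unzip/apktool/androguard
    each fail on it later. Extension and MIME type are deliberately not consulted.
    """
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head not in ZIP_MAGIC:
        return None
    try:
        with zipfile.ZipFile(path, "r") as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Right magic bytes but no valid central directory (truncated or
        # corrupt upload): this is exactly the "File is not a zip file" case.
        return None
    if "AndroidManifest.xml" in names:
        # classes.dex is intentionally not required: resource-only split APKs
        # have a manifest but no dex.
        return "apk"
    if any(n.startswith("Payload/") and n.endswith(".app/Info.plist") for n in names):
        return "ipa"
    if "AppxManifest.xml" in names:
        return "appx"
    return "zip"


def write_sample(path: str, kind: str) -> str:
    """Write a constructed sample file of the given kind to path (test data only)."""
    if kind == "garbage":
        with open(path, "wb") as fh:
            fh.write(b"not an apk at all\n" * 16)  # no zip header
        return path
    if kind == "truncated":
        with open(path, "wb") as fh:
            fh.write(b"PK\x03\x04" + b"\x00" * 20)  # magic only, no central directory
        return path
    members = {
        "apk": ["AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF"],
        "ipa": ["Payload/Demo.app/Info.plist", "Payload/Demo.app/Demo"],
        "appx": ["AppxManifest.xml", "Demo.exe"],
        "zip": ["readme.txt"],
    }[kind]
    with zipfile.ZipFile(path, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed placeholder content")
    return path


def demo_results() -> Dict[str, Optional[str]]:
    """Build one constructed sample per kind, all misleadingly named *.apk, and classify each."""
    results: Dict[str, Optional[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for kind in ("apk", "ipa", "appx", "zip", "garbage", "truncated"):
            path = os.path.join(tmp, f"{kind}.apk")  # extension is a lie on purpose
            results[kind] = detect_archive_type(write_sample(path, kind))
    return results


if __name__ == "__main__":
    for kind, detected in demo_results().items():
        print(f"{kind:>9}.apk -> {detected}")
```

With a check like this placed before the analyzer is chosen, the crash cascade in the log above collapses to a single rejection for foo.apk, and a file named only by its hash can still be routed to the Android analyzer. A stricter production check would additionally parse the binary AndroidManifest.xml rather than trust its presence.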