VirusTotal / yara-x

A rewrite of YARA in Rust.
https://virustotal.github.io/yara-x/
BSD 3-Clause "New" or "Revised" License

Panic while Scanning Directories w/ Macho Module #141

Closed g-les closed 5 months ago

g-les commented 5 months ago

Hi gang

I was testing use of the macho module to detect RPaths and would regularly get a panic when scanning over directories, but no issue on individual files. It looks like the panic is coming from https://github.com/VirusTotal/yara-x/blob/main/lib/src/modules/macho/parser.rs#L321

Here is the error:

thread '<unnamed>' panicked at lib/src/modules/macho/parser.rs:321:35:
range end index 449752 out of range for slice of length 13052
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Full logs, on yara-x-cli 0.4.0

$ ./Desktop/yr -V
yara-x-cli 0.4.0

$ ./Desktop/yr scan Desktop/macho.yar MAL_MacOS_WindowServer/abf5c526de4925de9d7a839822e4239dbf3e545a167d4d575957e2fb42f12642 
RPath: /Users/mahmed/myproj/wsclient/mbedtls-extproj-prefix/lib
rpath_miner MAL_MacOS_WindowServer/abf5c526de4925de9d7a839822e4239dbf3e545a167d4d575957e2fb42f12642
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 1 file(s) scanned in 0.1s. 1 file(s) matched.

$ ./Desktop/yr scan Desktop/macho.yar MAL_MacOS_WindowServer/
thread '<unnamed>' panicked at lib/src/modules/macho/parser.rs:321:35:
range end index 449752 out of range for slice of length 13052
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

latonis commented 5 months ago

I'm unsure why it's only present when scanning directories, but the line it's panicking on was fixed a few commits back. This was fixed in https://github.com/VirusTotal/yara-x/commit/48d799dd4f50502237ebd535657a3417e536324f.


It just hasn't made it into a new release yet :smile:

plusvic commented 5 months ago

@latonis, as you already noticed, the main issue reported here is already fixed, but while investigating I've found another issue.

The program panics at this line: https://github.com/VirusTotal/yara-x/blob/44cb51772f540e6508d08b17d142d69188375d75/lib/src/modules/macho/parser.rs#L980

That's because prefix.to_str().unwrap() is converting a string read from the file to UTF-8, but the string may contain data that is not valid UTF-8.

This issue is reproducible while scanning file: c931a1ded68d7222467726f30144ecd54a9882458ac99275e930136391afce67

By the way, the reason why the panic only occurs while scanning directories is because the file causing the panic is not the reported one, but some other file in the same directory.
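The two panics discussed in this thread, an out-of-range slice and an `unwrap()` on bytes that are not valid UTF-8, reproduced in a toy string reader and then handled so that one malformed file cannot abort a directory scan. This is an added Rust example, not yara-x's own parser code; the function names, the error type and the sample buffers are assumptions constructed for illustration.

```rust
// Added example (not yara-x code): reproduce the two failure modes from the
// issue in a toy reader, then show the bounds-checked, non-panicking form.

/// Naive reader mirroring the failing pattern. `data[offset..offset + len]`
/// panics when the end exceeds the buffer ("range end index ... out of
/// range"), and `unwrap()` panics when the bytes are not valid UTF-8.
pub fn read_path_naive(data: &[u8], offset: usize, len: usize) -> String {
    let bytes = &data[offset..offset + len];
    std::str::from_utf8(bytes).unwrap().to_string()
}

#[derive(Debug, PartialEq)]
pub enum PathError {
    /// offset + len overflowed usize
    Overflow,
    /// requested range end vs. actual buffer length
    OutOfBounds { end: usize, len: usize },
}

/// Hardened reader: arithmetic is checked, the slice is taken with `get`
/// (returns None instead of panicking), and invalid UTF-8 is replaced with
/// U+FFFD instead of being unwrapped, so untrusted file data cannot panic.
pub fn read_path_checked(data: &[u8], offset: usize, len: usize) -> Result<String, PathError> {
    let end = offset.checked_add(len).ok_or(PathError::Overflow)?;
    let bytes = data
        .get(offset..end)
        .ok_or(PathError::OutOfBounds { end, len: data.len() })?;
    // Mach-O path strings are NUL-padded to the command size; stop at the first NUL.
    let bytes = bytes.split(|&b| b == 0).next().unwrap_or(&[]);
    Ok(String::from_utf8_lossy(bytes).into_owned())
}

fn main() {
    // Constructed sample buffer: "@rpath/lib" followed by NUL padding (12 bytes).
    let data = b"@rpath/lib\0\0";
    println!("{:?}", read_path_checked(data, 0, 12));
    // The same oversized end index as in the reported panic, now an Err value.
    println!("{:?}", read_path_checked(data, 0, 449752));
}
```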