cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

InvalidStringData: strings in documents must be valid UTF-8 #2585

Open IceM4nn opened 5 years ago

IceM4nn commented 5 years ago
My issue is:

Failed to run the reporting module: MongoDB. Improper encoding.

My Cuckoo version and operating system are:

Cuckoo version 2.0.6
Host: Ubuntu 18.04 x64
Guest: Ubuntu 18.04 x64

This can be reproduced by:

I generated a binary using msfvenom that executes the ping command (don't ask why msfvenom):

$ msfvenom -p linux/x64/exec -a x64 -f elf --platform linux -o ping_test2 CMD="ping 8.8.8.8 -c 3" -e x64/xor_dynamic -b '\x00'

The IP 8.8.8.8 is alive and reachable. The guest sandbox can ping the IP from its terminal. This issue is caused by improper encoding.

Note: I also tried with ping google.com -c 3. At first it showed the same error, but after I ran pip install --upgrade pymongo this fixed the issue. With ping 8.8.8.8 -c 3, however, the error comes back.

Submitting the binary to https://linux.huntingmalware.com also gives the same error and causes the report to not be generated. Link: https://linux.huntingmalware.com/analysis/16631/summary/ (the report is not there due to pymongo having the same error (assuming) as the log below).

The log, error, files etc can be found at:

cuckoo.log

2018-12-27 15:29:26,504 [cuckoo.core.scheduler] DEBUG: Processing task #52
2018-12-27 15:29:26,517 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "ping_test2" (task #52, options "procmemdump=yes,route=none")
2018-12-27 15:29:26,555 [cuckoo.core.scheduler] INFO: Task #52: acquired machine cuckoo1 (label=cuckoo1)
2018-12-27 15:29:26,564 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 4186 (interface=vboxnet0, host=192.168.56.101)
2018-12-27 15:29:26,565 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-12-27 15:29:26,592 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo1
2018-12-27 15:29:26,916 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to new
2018-12-27 15:29:37,736 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101)
2018-12-27 15:29:38,741 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-12-27 15:29:39,746 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-12-27 15:29:40,750 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-12-27 15:29:44,176 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo1, ip=192.168.56.101)
2018-12-27 15:29:44,583 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=30538)
2018-12-27 15:29:46,984 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:47,768 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-12-27 15:29:47,994 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:49,010 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:50,023 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:51,032 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:52,045 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:53,060 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:54,071 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:55,088 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:56,097 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:57,106 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:58,116 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:29:59,148 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:00,159 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:01,171 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:02,185 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:03,193 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:04,205 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:05,215 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-12-27 15:30:05,652 [cuckoo.core.resultserver] DEBUG: File upload request for logs/all.stap
2018-12-27 15:30:05,722 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 24588
2018-12-27 15:30:06,221 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2018-12-27 15:30:06,259 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-12-27 15:30:06,260 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo1
2018-12-27 15:30:07,542 [cuckoo.core.scheduler] DEBUG: Released database task #52
2018-12-27 15:30:07,591 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #52
2018-12-27 15:30:07,629 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #52
2018-12-27 15:30:07,630 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #52
2018-12-27 15:30:07,630 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #52
2018-12-27 15:30:07,631 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #52
2018-12-27 15:30:07,632 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #52
2018-12-27 15:30:07,632 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #52
2018-12-27 15:30:07,632 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #52
2018-12-27 15:30:07,635 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #52
2018-12-27 15:30:07,636 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #52
2018-12-27 15:30:07,638 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #52
2018-12-27 15:30:07,642 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #52
2018-12-27 15:30:07,643 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #52
2018-12-27 15:30:07,643 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #52
2018-12-27 15:30:07,655 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #52
2018-12-27 15:30:07,657 [cuckoo.core.plugins] DEBUG: Running 29 signatures
2018-12-27 15:30:07,751 [cuckoo.core.plugins] DEBUG: Analysis matched signature: network_icmp
2018-12-27 15:30:07,752 [cuckoo.core.plugins] DEBUG: Analysis matched signature: nolookup_communication
2018-12-27 15:30:07,874 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2018-12-27 15:30:08,012 [cuckoo.core.plugins] ERROR: Failed to run the reporting module: MongoDB
Traceback (most recent call last):
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 623, in process
    current.run(self.results)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/cuckoo/reporting/mongodb.py", line 236, in run
    chunk_id = self.db.calls.insert(to_insert)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/collection.py", line 3161, in insert
    check_keys, manipulate, write_concern)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/collection.py", line 607, in _insert
    bypass_doc_val, session)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/collection.py", line 595, in _insert_one
    acknowledged, _insert_command, session)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/mongo_client.py", line 1248, in _retryable_write
    return self._retry_with_session(retryable, func, s, None)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/mongo_client.py", line 1201, in _retry_with_session
    return func(session, sock_info, retryable)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/collection.py", line 590, in _insert_command
    retryable_write=retryable_write)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/pool.py", line 584, in command
    self._raise_connection_failure(error)
  File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/pymongo/pool.py", line 745, in _raise_connection_failure
    raise error
InvalidStringData: strings in documents must be valid UTF-8: '\x08\x00)A\n\x85\x00\x01)6%\\\x00\x00\x00\x00\xaa\xd3\x0c\x00\x00\x00'
2018-12-27 15:30:08,017 [cuckoo.core.scheduler] INFO: Task #52: reports generation completed
2018-12-27 15:30:08,026 [cuckoo.core.scheduler] INFO: Task #52: analysis procedure completed

Here is report.json

KillerInstinct commented 5 years ago

Actually, due to unsanitized binary data being passed in as an argument (p1) to ping.exe:

{
    "status": "",
    "raw": "Thu Dec 27 20:29:29 2018.840632 ping@7f29d0ea2da7[2693] sendto(6, \"\\b\\0\\x29A\\n\\205\\0\\001\\x296%\\\\\\0\\0\\0\\0\\252\\323\\f\\0\\0\\0\", 64, 0x0, {AF_INET, 8.8.8.8, 0}, 16) = 64\n",
    "api": "sendto",
    "return_value": "64",
    "instruction_pointer": "7f29d0ea2da7",
    "time": 1545942569.840632,
    "process_name": "ping",
    "pid": 2693,
    "arguments": {
        "p2": "64",
        "p3": "0x0",
        "p0": "6",
        "p1": "\b\u0000)A\n\u0085\u0000\u0001)6%\\\u0000\u0000\u0000\u0000\u00aa\u00d3\f\u0000\u0000\u0000",
        "p4": [
            "AF_INET",
            "8.8.8.8",
            "0"
        ],
        "p5": "16"
    }
}
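The failing insert above comes from handing the raw sendto() buffer (p1) straight to the BSON encoder, which requires every string to be valid UTF-8. As an added illustration, not code from the Cuckoo project, here is a small Python 3 sanitizer that walks a result document and escapes anything that is not valid UTF-8 before it would reach pymongo; RAW_P1 is reconstructed from the trace above, and the function names are my own.

```python
from typing import Any

# Constructed from the sendto() argument (p1) in the trace above: a raw ICMP
# echo-request header, not text, which is why the BSON encoder rejects it.
RAW_P1 = b"\x08\x00)A\n\x85\x00\x01)6%\\\x00\x00\x00\x00\xaa\xd3\x0c\x00\x00\x00"


def is_valid_utf8(value: bytes) -> bool:
    """Strict check, the same condition the BSON encoder enforces."""
    try:
        value.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def escape_bytes(value: bytes) -> str:
    """Render bytes as printable ASCII, escaping everything else as \\xNN.

    Backslash is escaped too, so the result is unambiguous to read back.
    """
    out = []
    for b in value:
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def sanitize_string(value) -> str:
    """Return a str that is guaranteed to encode as valid UTF-8."""
    if isinstance(value, bytes):
        return value.decode("utf-8") if is_valid_utf8(value) else escape_bytes(value)
    try:
        value.encode("utf-8")
        return value
    except UnicodeEncodeError:
        # Lone surrogates (e.g. from surrogateescape decoding) are not valid
        # UTF-8 either; backslashreplace turns them into \udcXX text.
        return value.encode("utf-8", "backslashreplace").decode("utf-8")


def sanitize_document(doc: Any) -> Any:
    """Recursively sanitize every key and string value in a dict/list."""
    if isinstance(doc, dict):
        return {sanitize_string(k): sanitize_document(v) for k, v in doc.items()}
    if isinstance(doc, list):
        return [sanitize_document(v) for v in doc]
    if isinstance(doc, (bytes, str)):
        return sanitize_string(doc)
    return doc
```

Run the whole behavior "calls" chunk through sanitize_document() before insert; the escaped form is lossless, unlike decoding with errors="replace".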
IceM4nn commented 5 years ago

So how do I fix this issue? Have you tried reproducing the bug yourself using the method I described above?