cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo web error for some Ms Office files #2747

Open githule opened 5 years ago

githule commented 5 years ago
My issue is:

I have an error on the presubmit request with the Web interface. It seems that the preload module tries to parse the sample. It says that the file is malformed. It's possible, as it's a malware delivered via an encrypted file. Even if cuckoo cannot parse the file, that error must not be blocking. Maybe that can be easily solved by a try/except clause.

My Cuckoo version and operating system are:

Debian 9, Cuckoo 2.0.6. The web interface is run via uwsgi and nginx; it uses a Python venv.

This can be reproduced by:

Running some Office OLE files with the web interface. The anomaly cannot be reproduced in submit mode, for example via the submit command or via the API, and then the file opens well with Office inside the sandbox.

The log, error, files etc can be found at:
[pid: 15588|app: 0|req: 12/45] <Some IP Address> () {46 vars in 1315 bytes} [Mon Jun  3 14:29:33 2019] GET /submit/pre/1224/ => generated 14954 bytes in 15 msecs (HTTP/1.1 200) 9 headers in 252 bytes (1 switches on core 0)
Internal Server Error: /submit/api/filetree/
Traceback (most recent call last):
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/Django-1.8.4-py2.7.egg/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/<Some Path>/src/cuckoo/cuckoo/web/utils.py", line 47, in inner
    return func(request, *args, **kwargs)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/Django-1.8.4-py2.7.egg/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/Django-1.8.4-py2.7.egg/django/views/decorators/http.py", line 45, in inner
    return func(request, *args, **kwargs)
  File "/<Some Path>/src/cuckoo/cuckoo/web/controllers/submission/api.py", line 91, in get_files
    astree=astree
  File "/<Some Path>/src/cuckoo/cuckoo/core/submit.py", line 165, in get_files
    duplicates=duplicates
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/main.py", line 67, in unpack
    Unpacker.single(f, password, duplicates)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/abstracts.py", line 102, in single
    return Unpacker(None).process([f], duplicates, password)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/abstracts.py", line 81, in process
    f.children = plugin.unpack(password, duplicates)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/unpack/office.py", line 27, in unpack
    f = self.bruteforce(password)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/abstracts.py", line 139, in bruteforce
    value = self.decrypt(password, *args, **kwargs)
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/unpack/office.py", line 19, in decrypt
    return plugins["office"](self.f, password).decode()
  File "/<Some Path>/venvs/cuckoo-custom/local/lib/python2.7/site-packages/SFlock-0.3.5-py2.7.egg/sflock/decode/office.py", line 142, in decode
    self.f.ole.openstream("EncryptionInfo").read()[8:]
  File "/usr/lib/python2.7/xml/dom/minidom.py", line 1928, in parseString
    return expatbuilder.parseString(string)
  File "/usr/lib/python2.7/xml/dom/expatbuilder.py", line 940, in parseString
    return builder.parseString(string)
  File "/usr/lib/python2.7/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
ExpatError: not well-formed (invalid token): line 1, column 0
[pid: 15588|app: 0|req: 13/46] <Some IP Address> () {52 vars in 1389 bytes} [Mon Jun  3 14:29:33 2019] POST /submit/api/filetree/ => generated 24051 bytes in 35 msecs (HTTP/1.1 500) 9 headers in 257 bytes (1 switches on core 0)
githule commented 5 years ago

As a temporary workaround I added this error handling:

Import the error type:

from xml.parsers.expat import ExpatError

Modify the function get_files:

    try:
        unpacked = sflock.unpack(
            filepath=filepath, password=password,
            duplicates=duplicates
        )
        if astree:
            unpacked = unpacked.astree(sanitize=True)

        files.append(unpacked)
    except ExpatError:
        # ExpatError handling: sflock could not parse the (encrypted) Office
        # file, so submit it as-is with a generic package instead of failing.
        files.append({
            "filename": filename,
            "filepath": filepath,
            "relapath": "",
            "selected": True,
            "size": 0,
            "type": "file",
            "package": "generic",
            "extrpath": [],
            "duplicate": False,
            "children": [],
            "mime": "unknown",
            "finger": {
                "magic_human": "unknown",
                "magic": "unknown"
            }
        })
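The workaround above as a self-contained example (added here; not Cuckoo's or SFlock's code): a constructed unpacker reproduces the ExpatError from a malformed EncryptionInfo stream, and safe_unpack degrades to a generic entry that keeps the real file size and records the reason, instead of letting the exception reach Django. parse_encryption_info, office_unpacker, fallback_entry, safe_unpack and the sample streams are hypothetical.

```python
import os
import tempfile
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed stand-in for sflock's office decoder: the EncryptionInfo stream of
# an encrypted OOXML file is an 8-byte header followed by an XML descriptor, and
# decode/office.py (line 142 in the traceback) hands stream[8:] to minidom.
def parse_encryption_info(stream):
    return minidom.parseString(stream[8:])  # raises ExpatError if not XML

def office_unpacker(filepath):
    """Hypothetical unpacker that fails exactly like the traceback above."""
    with open(filepath, "rb") as fh:
        doc = parse_encryption_info(fh.read())
    return {"filename": os.path.basename(filepath), "type": "container",
            "package": "doc", "root": doc.documentElement.tagName}

def fallback_entry(filepath, exc):
    """Generic entry for the web filetree: submit the file untouched, keep the reason."""
    return {
        "filename": os.path.basename(filepath), "filepath": filepath,
        "relapath": "", "selected": True, "size": os.path.getsize(filepath),
        "type": "file", "package": "generic", "extrpath": [], "duplicate": False,
        "children": [], "mime": "unknown",
        "finger": {"magic_human": "unknown", "magic": "unknown"},
        "error": "unpack failed: %s" % exc,
    }

def safe_unpack(filepath, unpacker):
    """Only parser errors are swallowed; anything else still surfaces."""
    try:
        return unpacker(filepath)
    except ExpatError as exc:
        return fallback_entry(filepath, exc)

def demo():
    header = b"\x04\x00\x04\x00\x40\x00\x00\x00"  # vMajor=4, vMinor=4, fAgile
    samples = {  # constructed EncryptionInfo streams, not real samples
        "good.docx": header + b"<encryption><keyData/></encryption>",
        "bad.docx": header + b"\x8b\x01 not xml at all",
    }
    results = {}
    for name, data in samples.items():
        path = os.path.join(tempfile.mkdtemp(), name)
        with open(path, "wb") as fh:
            fh.write(data)
        results[name] = safe_unpack(path, office_unpacker)
    return results
```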