Closed AndrewFasano closed 5 months ago
The root cause of this issue is that a valid chunk is identified by the DMG handler, which is probably a false positive. I doubt a DMG file would be in a router firmware.
I'll look into it and keep you posted.
There's indeed a DMG file within the firmware, called `h264plugin.dmg`. The root cause is that two handlers (`bzip2`, `dmg`) rightfully identify overlapping content in a `UDBZ` dmg file.
More information about dmg disks can be found at https://disktype.sourceforge.net/doc/ch03s13.html
I think the `bzip2` handler should check if the bzip2 compressed stream is followed by an XML plist, indicative of a DMG file.
Another way of fixing this is changing the `contains` implementation of our chunks:
diff --git a/unblob/models.py b/unblob/models.py
index 70217c8..935bdba 100644
--- a/unblob/models.py
+++ b/unblob/models.py
@@ -85,7 +85,7 @@ class Chunk(Blob):
def contains(self, other: "Chunk") -> bool:
return (
- self.start_offset < other.start_offset
+ self.start_offset <= other.start_offset
and self.end_offset >= other.end_offset
)
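Review bot: with `<=` on `start_offset` next to the existing `>=` on `end_offset`, `contains` is now true for a chunk compared with itself and for two chunks that cover exactly the same range, so each one contains the other. If callers use `contains` to drop inner chunks, they need an identity check or a tie-break for equal ranges. A one-line docstring stating that both bounds are inclusive, plus a test for the same-start case, would make the intended semantics explicit.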
@AndrewFasano will be fixed by https://github.com/onekey-sec/unblob/pull/755
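One way to implement the check suggested above (a bzip2 stream followed by an XML plist), as an added example that is not unblob's code and not part of the original thread. The function names, the 256-byte look-ahead window, and the sample bytes are assumptions constructed for illustration.

```python
import bz2

PLIST_WINDOW = 256  # assumption: how far past the stream to look for the plist


def bzip2_stream_end(data: bytes, start: int = 0) -> int:
    """Return the offset just past the bzip2 stream that begins at `start`."""
    decomp = bz2.BZ2Decompressor()
    decomp.decompress(data[start:])  # raises OSError on a corrupt stream
    if not decomp.eof:
        raise ValueError("truncated bzip2 stream")
    # unused_data is everything after the end-of-stream marker.
    return len(data) - len(decomp.unused_data)


def classify_bzip2_chunk(data: bytes, start: int = 0) -> tuple[int, bool]:
    """Return (end_offset, followed_by_plist) for bzip2 data at `start`.

    UDBZ images store several bzip2 blocks back to back, so consecutive
    streams are walked before looking at what follows them.
    """
    end = bzip2_stream_end(data, start)
    while data[end:end + 3] == b"BZh":
        try:
            end = bzip2_stream_end(data, end)
        except (OSError, ValueError):
            break  # "BZh" was a coincidence, keep the last valid end
    head = data[end:end + PLIST_WINDOW].lstrip(b"\x00")
    followed_by_plist = head.startswith(b"<?xml") and b"<plist" in head
    return end, followed_by_plist


# Constructed sample inputs, not taken from any real firmware image.
PLIST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>resource-fork</key></dict></plist>\n'
)
BLOCKS = bz2.compress(b"block-0" * 100) + bz2.compress(b"block-1" * 100)
SAMPLE_DMG_LIKE = BLOCKS + PLIST
SAMPLE_PLAIN = bz2.compress(b"rootfs" * 100) + b"\x00" * 16 + b"other data"

if __name__ == "__main__":
    print(classify_bzip2_chunk(SAMPLE_DMG_LIKE))  # plist follows the blocks
    print(classify_bzip2_chunk(SAMPLE_PLAIN))     # ordinary bzip2 payload
```

A handler using this kind of check could decline the chunk when the flag is true and leave the range to the DMG handler.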
Thanks for the quick fix! I'll give it a try and report back.
The fix seems to work, thanks!
Describe the bug
Unblob reports an error `Chunk has higher start_offset than end_offset` with an end_offset value of 0 for at least 58 DLINK firmware images and fails to extract files.
To Reproduce
Steps to reproduce the behavior:
wget https://legacyfiles.us.dlink.com/DCS-5009L/REVA/FIRMWARE/DCS-5009L_REVA_FIRMWARE_1.00.B1.zip
unblob -v DCS-5009L_REVA_FIRMWARE_1.00.B1.zip
Expected behavior
A standard Linux-based filesystem should be extracted. If `binwalk` is run on this image it finds a CPIO archive within LZMA compressed data that contains ~700 files.
Environment information:
Additional context
I found this bug while doing some large-scale evaluations of filesystems produced by binwalk and unblob using fw2tar.