scVENUS / PeekabooAV

Peekaboo Extended Email Attachment Behavior Observation Owl
https://peekabooav.de
GNU General Public License v3.0

Another peepdf traceback in cuckoo #167

Closed michaelweiser closed 4 years ago

michaelweiser commented 4 years ago

We have found another sample that triggers a peepdf traceback in cuckoo even with our fixes from jbremer/peepdf#9:

020-06-11 15:31:12,666 [cuckoo.apps.apps] INFO: Task #275: reporting task
Process Process-19:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/misc.py", line 152, in _worker
    conn.send(func(*args, **kwargs))
  File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/processing/static.py", line 1029, in _pdf_worker
    return PdfDocument(filepath).run()
  File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/processing/static.py", line 691, in run
    looseMode=True, manualAnalysis=False
  File "/opt/cuckoo/local/lib/python2.7/site-packages/peepdf/PDFCore.py", line 7082, in parse
    ret = body.registerObject(pdfIndirectObject)
  File "/opt/cuckoo/local/lib/python2.7/site-packages/peepdf/PDFCore.py", line 4191, in registerObject
    pdfObject.setCompressedObjectId(id)
  File "/opt/cuckoo/local/lib/python2.7/site-packages/peepdf/PDFCore.py", line 3288, in setCompressedObjectId
    object.setCompressedIn(id)
AttributeError: 'NoneType' object has no attribute 'setCompressedIn'

It seems to be a different code path. This needs analysis and fixing in peepdf, and perhaps a rethink of whether we can and should somehow make these exceptions non-fatal for the cuckoo analysis altogether.

michaelweiser commented 4 years ago

These kinds of backtraces are all follow-up errors to underlying errors masked by cuckoo running peepdf in sloppy mode. This cannot be changed through configuration.

This particular one and its colleagues should be fixed by scVENUS/peepdf#1, also reported upstream at jbremer/peepdf#9.

Research in cuckoo by @Jack28 reveals that static analysis can be disabled completely but not selectively for only peepdf. So it's an all-or-nothing workaround. To make this more granular, the cuckoo code needs to be patched.

Closing this for now as nothing-we-can-do/invalid/wontfix. Anyone feel free to reopen with suggestions how we could improve upon this from the outside.
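The following is an added illustration, not code from PeekabooAV, peepdf or cuckoo, of the two points made in the comments above: how a parser run in "loose" mode turns a clear, locatable parse error (a missing indirect object) into a later `AttributeError` on `None`, of the kind in the traceback, and how a per-module wrapper can make such a crash non-fatal and allow one module (here the PDF one) to be disabled selectively. Everything here is a toy: the `/Members` key standing in for object-stream membership, the `ToyPdfBody` registry and the `run_module` wrapper are constructed for the example and do not mirror peepdf's or cuckoo's real internals.

```python
"""Toy PDF object registry plus a fault-isolating module runner.
Hypothetical code for illustration only; not peepdf, cuckoo or PeekabooAV."""
import re
import traceback

# Constructed sample: object stream 9 claims to contain objects 4 and 7,
# but object 7 does not exist (think truncated or malformed attachment).
# "/Members [...]" is a simplification invented for this example; real
# object streams keep member ids inside the stream data.
SAMPLE = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Font /Subtype /Type1 >> endobj
9 0 obj << /Type /ObjStm /Members [4 7] >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*<<(.*?)>>\s*endobj", re.S)
MEMBERS_RE = re.compile(rb"/Members \[([\d ]+)\]")


class PdfObject:
    def __init__(self, obj_id, body):
        self.id = obj_id
        self.body = body
        self.compressed_in = None  # id of the object stream holding this object

    def setCompressedIn(self, stream_id):
        self.compressed_in = stream_id


class ToyPdfBody:
    """Registry of indirect objects. loose=True mimics a parser that swallows
    lookup failures and hands back None instead of raising."""

    def __init__(self, loose):
        self.loose = loose
        self.objects = {}

    def register(self, obj):
        self.objects[obj.id] = obj

    def get(self, obj_id):
        obj = self.objects.get(obj_id)
        if obj is None and not self.loose:
            # Strict mode: the root cause is reported where it happens, with the id.
            raise ValueError(f"missing indirect object {obj_id}")
        return obj  # Loose mode: None leaks out and the caller crashes later.


def parse(data, loose):
    body = ToyPdfBody(loose)
    for m in OBJ_RE.finditer(data):
        body.register(PdfObject(int(m.group(1)), m.group(2).strip()))
    # Second pass: wire up object-stream membership. In loose mode a missing
    # member surfaces here as "'NoneType' object has no attribute
    # 'setCompressedIn'", one step away from the real problem.
    for obj in list(body.objects.values()):
        members = MEMBERS_RE.search(obj.body)
        if members:
            for member_id in members.group(1).split():
                body.get(int(member_id)).setCompressedIn(obj.id)
    return body


def run_module(name, func, *args, disabled=frozenset()):
    """Run one static-analysis module so that its failure is recorded in the
    report instead of killing the worker; modules can be switched off by name."""
    if name in disabled:
        return {"module": name, "skipped": True}
    try:
        return {"module": name, "result": func(*args)}
    except Exception as exc:  # broad on purpose: any parser bug becomes a report entry
        return {"module": name,
                "error": f"{type(exc).__name__}: {exc}",
                "traceback": traceback.format_exc()}


def analyze(data, loose=True, disabled=frozenset()):
    return run_module("pdf", parse, data, loose, disabled=disabled)


if __name__ == "__main__":
    for mode in (True, False):
        print("loose" if mode else "strict", "->", analyze(SAMPLE, loose=mode).get("error"))
    print(analyze(SAMPLE, disabled={"pdf"}))
```

Running the block prints the loose-mode `AttributeError` beside the strict-mode `ValueError` that names the missing object, and then the skipped result when the PDF module is disabled. The `run_module` wrapper is the shape of the fix the comments ask for: the crash stays visible in the report, but the remaining static modules and the rest of the analysis continue.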