
Filter bypass of ZIP files containing ELF files

Open TheMythologist opened this issue 2 years ago • 3 comments

Expected Behavior

Linux is disabled in the custom/conf configuration files. When submitting any form of ELF file, the submission will be blocked.

Current Behavior

If a ZIP file containing an ELF file is submitted, the submission will go through. This is because the machine platform is determined before demux_sample_and_add_to_db is called (which will unzip the file and go through the zip file contents).

Location of code logic error: https://github.com/kevoreilly/CAPEv2/blob/30a071c3cd088cf53790afade1b9f22c9f20dc33/lib/cuckoo/common/web_utils.py#L691-L714

A possible fix would be to run get_platform only after demuxing the submitted sample.

TheMythologist avatar May 05 '22 01:05 TheMythologist
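The ordering bug described in the issue, modelled as an added example (this is not CAPEv2's own code; `detect_platform`, `demux`, `submit_vulnerable`, `submit_fixed` and `build_zip` are hypothetical stand-ins for CAPE's `get_platform` / `demux_sample_and_add_to_db` path, and the ELF/PE samples are header bytes constructed inline, not real executables). The vulnerable submit path classifies the outer file before expanding it, so a ZIP wrapping an ELF is queued even though Linux is disabled; the fixed path demuxes first and gates every extracted sample, including members of nested archives up to a depth limit:

```python
import io
import zipfile

# Magic bytes used by the simplified classifier (constructed for this example).
ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
MAX_ARCHIVE_DEPTH = 3  # assumption: reject archives nested deeper than this


def detect_platform(data: bytes) -> str:
    """Map a blob's magic bytes to a sandbox platform name.
    Simplified stand-in for get_platform(); a ZIP is reported as 'archive'
    because its members, not the container, decide the platform."""
    if data.startswith(ELF_MAGIC):
        return "linux"
    if data.startswith(MZ_MAGIC):
        return "windows"
    if data.startswith(ZIP_MAGIC):
        return "archive"
    return "unknown"


def demux(data: bytes, depth: int = 0) -> list[bytes]:
    """Expand a submission into the samples that would actually be analysed.
    Stand-in for demux_sample_and_add_to_db(): a ZIP yields each member's bytes
    (recursing into nested ZIPs up to MAX_ARCHIVE_DEPTH), anything else yields itself."""
    if not data.startswith(ZIP_MAGIC):
        return [data]
    if depth >= MAX_ARCHIVE_DEPTH:
        return []  # over-deep nesting is dropped rather than analysed
    samples: list[bytes] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to analyse
            samples.extend(demux(zf.read(name), depth + 1))
    return samples


def submit_vulnerable(data: bytes, enabled_platforms: set[str]) -> list[bytes]:
    """Buggy ordering from the issue: the platform gate runs on the outer file,
    and only afterwards is the archive expanded. Returns the samples that get queued."""
    platform = detect_platform(data)
    if platform != "archive" and platform not in enabled_platforms:
        return []  # a bare ELF is blocked ...
    return demux(data)  # ... but an ELF inside a ZIP sails through the gate


def submit_fixed(data: bytes, enabled_platforms: set[str]) -> list[bytes]:
    """Proposed ordering: demux first, then gate each extracted sample."""
    return [s for s in demux(data) if detect_platform(s) in enabled_platforms]


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples: header bytes only, not real executables.
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57
FAKE_PE = MZ_MAGIC + b"\x90" * 62
ZIPPED_ELF = build_zip({"payload.bin": FAKE_ELF})
NESTED_ELF = build_zip({"inner.zip": ZIPPED_ELF})

WINDOWS_ONLY = {"windows"}  # mirrors "Linux is disabled" in the conf

if __name__ == "__main__":
    print("bare ELF, vulnerable path queued:", len(submit_vulnerable(FAKE_ELF, WINDOWS_ONLY)))
    print("zipped ELF, vulnerable path queued:", len(submit_vulnerable(ZIPPED_ELF, WINDOWS_ONLY)))
    print("zipped ELF, fixed path queued:", len(submit_fixed(ZIPPED_ELF, WINDOWS_ONLY)))
    print("nested ELF, fixed path queued:", len(submit_fixed(NESTED_ELF, WINDOWS_ONLY)))
    print("zipped PE, fixed path queued:", len(submit_fixed(build_zip({"a.exe": FAKE_PE}), WINDOWS_ONLY)))
```

The point of the fixed variant is that the platform decision is made per analysed artifact, after every container has been opened; any check that runs only on the bytes the user uploaded can be defeated by one more layer of wrapping, which is why the nested case is included.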

Interesting. Why is there an ELF (just out of curiosity)? Could you PR the solution, please?

doomedraven avatar May 05 '22 08:05 doomedraven

Do you have a hash to test?

doomedraven avatar Jun 08 '22 06:06 doomedraven

Nope, I have no hash (it works on all ZIP files with an ELF file inside). We were just testing for bugs in the code and realised that there is this bug.

TheMythologist avatar Jun 08 '22 16:06 TheMythologist

Fixed here, thank you: https://github.com/kevoreilly/CAPEv2/pull/1414

doomedraven avatar Mar 03 '23 07:03 doomedraven