
Error in get_signify

Open seihtam opened this issue 7 years ago • 2 comments

All plugins are up to date.

Scanning FileZilla_3.38.1_win64-setup_bundled.exe (8de6ddd0687ba0075e10aad4c80dd80a436c4791a3a6d67cdfc7aa14da3ade0d) results in the following output from pescan:

>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs FileZilla_3.38.1_win64-setup_bundled.exe

...

2018-11-29 11:08:28,186 - malice - ERROR - sequence item 0: expected string, int found
Traceback (most recent call last):
  File "/usr/sbin/malice/__init__.py", line 788, in run
    self.results['signature'] = get_signify(self.file, log=log)
  File "/usr/sbin/malice/sig.py", line 22, in get_signify
    s_data.verify()
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 232, in verify
    signed_datas = list(self.signed_datas)
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 214, in signed_datas
    yield SignedData.from_certificate(certificate['certificate'], pefile=self)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 126, in from_certificate
    signed_data = SignedData(data, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 111, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 156, in _parse
    self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 54, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 67, in _parse
    super(AuthenticodeSignerInfo, self)._parse()
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 69, in _parse
    required=self._required_authenticated_attributes
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 138, in _parse_attributes
    ([_print_type(x) for x in required], [_print_type(x) for x in result]))
  File "/usr/lib/python2.7/site-packages/signify/__init__.py", line 8, in _print_type
    return ".".join(t)
TypeError: sequence item 0: expected string, int found

...

The error didn't occur with a couple of other exe files I tested. This may be a bug in pescan itself.

Docker version:

Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:49:01 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:16:44 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Docker info (with some info removed):

Containers: 6
 Running: 1
 Paused: 0
 Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

seihtam · Nov 29 '18 12:11

So it looks like a bug in github.com/jdval/signify; I added a catch-all except to at least not crash the whole plugin.

You have vvvvvvery interesting files sir 🤔 😉

Please download plugin again and try again.

Thank you for letting me know! 👍

blacktop · Dec 01 '18 17:12
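The traceback posted above ends in `".".join(t)` raising `TypeError: sequence item 0: expected string, int found`, which means `t` held integers rather than strings. The most likely candidate, given that the failing frame is `_print_type` called on attribute types, is an ASN.1 object identifier kept as a tuple of ints such as `(1, 2, 840, 113549, 1, 9, 3)`; that is an inference from the traceback, not something the page confirms. The following is an added example, not code from signify, malice or the pescan plugin: a hypothetical formatter that tolerates the common OID representations, a function that reproduces the root cause in isolation, and a catch-all wrapper of the kind the reply above describes. The function names, the `verification_failures` parameter and the result-dict layout are all illustrative choices, not the plugin's API.

```python
"""Added example: robust OID formatting and a non-crashing verify wrapper.

Not code from signify, malice or pescan. Illustrates the TypeError in the
traceback on this page and one way to stop such a parser bug from taking
down an entire scan.
"""
import traceback


def reproduce_original_failure(oid=(1, 2, 840, 113549, 1, 9, 3)):
    """Show the root cause in isolation: str.join() over a tuple of ints.

    Python 2 words the message "expected string, int found", Python 3
    "expected str instance, int found"; either way item 0 is an int.
    Returns the error text, or None if no error was raised.
    """
    try:
        ".".join(oid)
    except TypeError as exc:
        return str(exc)
    return None


def format_attribute_type(t):
    """Render an attribute type / OID for a log or error message.

    Hypothetical replacement for a formatter that only handled strings.
    Accepts a tuple or list of ints (the assumed in-memory OID form), a
    dotted string, a class or function (by __name__), or None, and never
    raises on non-string items.
    """
    if t is None:
        return ""
    if isinstance(t, (tuple, list)):
        return ".".join(str(component) for component in t)
    if isinstance(t, str):
        return t
    if hasattr(t, "__name__"):
        return t.__name__
    return repr(t)


def describe_attribute_mismatch(required, found):
    """Build a 'required vs. found' message without crashing on int OIDs."""
    return "required authenticated attributes %s, found %s" % (
        [format_attribute_type(x) for x in required],
        [format_attribute_type(x) for x in found],
    )


def verify_signature_safely(verify, verification_failures=()):
    """Run a verification callable and never let it crash the caller.

    ``verify`` is any zero-argument callable, e.g. a bound verify() method
    of a signature-parsing library. ``verification_failures`` is an
    optional tuple of exception classes the caller treats as "signature
    checked and rejected"; anything else is a tool error (library bug,
    malformed input) and is reported as such, with the traceback, so a
    crash is not mistaken for "no signature present".
    """
    result = {"status": "verified", "exception": None,
              "message": None, "traceback": None}
    try:
        verify()
    except verification_failures as exc:
        result.update(status="invalid", exception=type(exc).__name__,
                      message=str(exc))
    except Exception as exc:  # catch-all: a parser bug must not kill the scan
        result.update(status="error", exception=type(exc).__name__,
                      message=str(exc), traceback=traceback.format_exc())
    return result


if __name__ == "__main__":
    print("root cause:", reproduce_original_failure())
    # Constructed sample: two OIDs as int tuples, one as a dotted string.
    print(describe_attribute_mismatch(
        [(1, 2, 840, 113549, 1, 9, 3), (1, 2, 840, 113549, 1, 9, 4)],
        ["1.2.840.113549.1.9.4"]))
    # Simulate the failing library call with the original join bug.
    print(verify_signature_safely(lambda: ".".join((1, 2, 3))))
```

The point of keeping `status`, `exception` and `message` separate is that a downstream consumer can tell "signature verified", "signature rejected" and "the verifier itself broke" apart; a bare catch-all that only logs and returns nothing makes a parser bug look like an unsigned binary.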

I still get almost the same error message:

2018-12-06 11:07:43,242 - malice.get_signify - ERROR - sequence item 0: expected string, int found
Traceback (most recent call last):
  File "/usr/sbin/malice/sig.py", line 22, in get_signify
    s_data.verify()
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 232, in verify
    signed_datas = list(self.signed_datas)
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 214, in signed_datas
    yield SignedData.from_certificate(certificate['certificate'], pefile=self)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 126, in from_certificate
    signed_data = SignedData(data, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 111, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 156, in _parse
    self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 54, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 67, in _parse
    super(AuthenticodeSignerInfo, self)._parse()
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 69, in _parse
    required=self._required_authenticated_attributes
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 138, in _parse_attributes
    ([_print_type(x) for x in required], [_print_type(x) for x in result]))
  File "/usr/lib/python2.7/site-packages/signify/__init__.py", line 8, in _print_type
    return ".".join(t)
TypeError: sequence item 0: expected string, int found

You can download the file from here if you want to test it yourself: https://filezilla-project.org/download.php?platform=win64

(Same error with the newer FileZilla_3.39.0_win64-setup_bundled.exe (2dee099dd9ee30f466b373110623d1b8904709b9be099722bde19bdcf94dd2c8))

seihtam · Dec 06 '18 11:12