Another peepdf traceback in cuckoo #167

Closed
michaelweiser opened this issue Jun 11, 2020 · 1 comment

@michaelweiser
Contributor

We have found another sample that triggers a peepdf traceback in cuckoo even with our fixes from hatching/peepdf#9:

020-06-11 15:31:12,666 [cuckoo.apps.apps] INFO: Task #275: reporting task
Process Process-19:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/misc.py", line 152, in _worker
    conn.send(func(*args, **kwargs))
  File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/processing/static.py", line 1029, in _pdf_worker
    return PdfDocument(filepath).run()
  File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/processing/static.py", line 691, in run
    looseMode=True, manualAnalysis=False
  File "/opt/cuckoo/local/lib/python2.7/site-packages/peepdf/PDFCore.py", line 7082, in parse
    ret = body.registerObject(pdfIndirectObject)
  File "/opt/cuckoo/local/lib/python2.7/site-packages/peepdf/PDFCore.py", line 4191, in registerObject
    pdfObject.setCompressedObjectId(id)
  File "/opt/cuckoo/local/lib/python2.7/site-packages/peepdf/PDFCore.py", line 3288, in setCompressedObjectId
    object.setCompressedIn(id)
AttributeError: 'NoneType' object has no attribute 'setCompressedIn'

It seems to be a different code path. This needs analysis and fixing in peepdf and perhaps a rethink if we can and should somehow manage to make these exceptions non-fatal for the cuckoo analysis altogether.

@michaelweiser michaelweiser added this to the 2.1 milestone Jun 11, 2020
@michaelweiser michaelweiser self-assigned this Jun 11, 2020
@michaelweiser
Contributor Author

These kinds of backtraces are all follow-up errors to underlying errors masked by cuckoo running peepdf in sloppy mode. This cannot be changed through configuration.

This particular one and its colleagues should be fixed by scVENUS/peepdf#1, also reported upstream at hatching/peepdf#9.

Research in cuckoo by @Jack28 reveals that static analysis can be disabled completely but not selectively for only peepdf. So it's an all or nothing workaround. To make this more granular, the cuckoo code needs to be patched.

Closing this for now as nothing-we-can-do/invalid/wontfix. Anyone feel free to reopen with suggestions how we could improve upon this from the outside.
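
One way to make parser exceptions like the one in this traceback non-fatal for the surrounding analysis, as an added example that is not cuckoo or peepdf code: the child process catches the exception and sends back a structured error instead of dying without a result. `fragile_parse`, `run_isolated`, `static_report` and the sample bytes are hypothetical and constructed for illustration; the sketch assumes a Unix host where the `fork` start method is available.

```python
import multiprocessing as mp

def fragile_parse(data):
    """Constructed stand-in for a parser (not peepdf) that trips on odd input."""
    if b"/ObjStm" in data:
        missing = None                # a lookup that found nothing
        missing.setCompressedIn(1)    # AttributeError, as in the traceback
    return {"objects": data.count(b" obj")}

def _guarded_worker(conn, func, args):
    """Child side: always answer with (status, payload), never die silently."""
    try:
        conn.send(("ok", func(*args)))
    except Exception as exc:
        conn.send(("error", {"type": type(exc).__name__, "message": str(exc)}))
    finally:
        conn.close()

def run_isolated(func, args=(), timeout=10.0):
    """Parent side: run func in a child and turn every failure into data."""
    ctx = mp.get_context("fork")      # assumption: Unix host
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_guarded_worker, args=(send_end, func, args))
    proc.start()
    send_end.close()                  # parent keeps only the read end
    try:
        if not recv_end.poll(timeout):
            return ("error", {"type": "Timeout", "message": "no result in %ss" % timeout})
        return recv_end.recv()
    except EOFError:                  # child exited before it could answer
        return ("error", {"type": "WorkerDied", "message": "worker exited without a result"})
    finally:
        if proc.is_alive():
            proc.terminate()
        proc.join()
        recv_end.close()

def static_report(data):
    """Keep the rest of the report and record the parser failure next to it."""
    status, payload = run_isolated(fragile_parse, (data,))
    report = {"size": len(data), "pdf": None, "errors": []}
    if status == "ok":
        report["pdf"] = payload
    else:
        report["errors"].append("pdf: %(type)s: %(message)s" % payload)
    return report

if __name__ == "__main__":
    print(static_report(b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm >>\nendobj\n"))
```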
