Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use original file name when analysing #82

Closed
Thorsten-Sick opened this issue May 6, 2019 · 3 comments
Closed

Use original file name when analysing #82

Thorsten-Sick opened this issue May 6, 2019 · 3 comments
Assignees
@michaelweiser
Labels
enhancement
Milestone
2.0

Comments

@Thorsten-Sick
Copy link

Use the "original" name and path of the file that is run in Cuckoo. To avoid detection of the analysis environment.
@Thorsten-Sick Thorsten-Sick mentioned this issue May 6, 2019
Closed
@michaelweiser michaelweiser added this to the 2.0 milestone May 7, 2019
@michaelweiser michaelweiser self-assigned this May 7, 2019
@michaelweiser
Copy link
Contributor

I just had a look at the cuckoo submit code and there does not seem an option to pass a target for analysis while specifying an alternative name to use when placing it into the analysis environment. That'd mean we'd have to really give the file the original name in the local filesystem before submit, which, as @Jack28 explained in #81, is generally considered a bad idea because it means blindly using unvalidated/-able user input. Just think path traversal (../../../../../etc/passwd) or suchlike - whatever the actual exploit might be there.

With the REST API it's a different story: Since we're uploading the file content and name in a POST request, they're separate pieces of information which we could simply lie about: We'd still have our own temporary file named any odd way we like it to but when uploading to Cuckoo we should be able to put the original name from the mail attachment into the POST request (if available).

Need to look at an actual REST API /tasks/create/file POST request to verify and will report back.

michaelweiser added a commit to michaelweiser/PeekabooAV that referenced this issue May 7, 2019
@michaelweiser
Submit sample with its original filename to Cuckoo
92762a7 
When using the REST API, submit the sample with its original filename if
available via the new name_declared (meta info) property.

Closes scVENUS#81 and scVENUS#82 when using api mode. No plans to add this to embed
mode as well since it's deprecated anyway.
@michaelweiser
Copy link
Contributor

Okay, most everything was already in place and just needed the declared name exposed to it. Needs a bit more testing but should work nicely, IMO.

michaelweiser added a commit to michaelweiser/PeekabooAV that referenced this issue May 8, 2019
@michaelweiser
Submit sample with its original filename to Cuckoo
3d7882d 
When using the REST API, submit the sample with its original filename if
available via the new name_declared (meta info) property.

Closes scVENUS#81 and scVENUS#82 when using api mode. No plans to add this to embed
mode as well since it's deprecated anyway.
michaelweiser added a commit to michaelweiser/PeekabooAV that referenced this issue May 9, 2019
@michaelweiser
Submit sample with its original filename to Cuckoo
91712f6 
When using the REST API, submit the sample with its original filename if
available via the new name_declared (meta info) property.

Closes scVENUS#81 and scVENUS#82 when using api mode. No plans to add this to embed
mode as well since it's deprecated anyway.
@michaelweiser
Copy link
Contributor

Resolved by #84.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelweiser michaelweiser

Labels
enhancement
Projects
None yet
Milestone
2.0
Development

No branches or pull requests
2 participants
@Thorsten-Sick @michaelweiser