Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oleid/oleobj/msodde: sensibility to zipbomb packaged inside OOXML files #831

Open
guzmud opened this issue Oct 20, 2023 · 0 comments
Open

oleid/oleobj/msodde: sensibility to zipbomb packaged inside OOXML files #831

guzmud opened this issue Oct 20, 2023 · 0 comments
Assignees
@decalage2
Labels
🐛 bug msodde oleid oleobj
Milestone
Next Release

Comments

@guzmud
Copy link

guzmud commented Oct 20, 2023

Affected tool:
oleid, oleobj, msodde

Describe the bug
Packaging a flat zipbomb inside an OOXML file will impact the iter_xml function used by oleid, oleobj and msodde slowing down the parsing almost to an halt (although turning your laptop into a cozy heating system). May not be so much zipbomb related as much as just "feeding a huge file into the xml parser" related.

File/Malware sample to reproduce the bug
Used https://github.com/damianrusinek/zip-bomb/ to produce a quick PoC following this logic:

  1. unzip an OOXML (e.g. agenttesla.xlsx) into unzipped_oxml (agenttesla_xlsx/)
  2. rezip it while adding the bomb using python3 zip-bomb.py -d agenttesla_xlsx/ flat 4096 agenttesla_flat_zipbomb.xlsx

How To Reproduce the bug
Run either oleid, oleobj, msodde on the sample and wait. Then keep waiting.

Expected behavior
Tool is running rather than stuck.

Console output / Screenshots
When doing a keyboard interruption, the stacktrace will always point out towards the iter_xml function (with different stacktrace start depending on the tool used).

^CTraceback (most recent call last):
  File "/usr/local/bin/oleid", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/site-packages/oletools/oleid.py", line 540, in main
    indicators = oleid.check()
  File "/usr/local/lib/python3.8/site-packages/oletools/oleid.py", line 300, in check
    self.check_external_relationships()
  File "/usr/local/lib/python3.8/site-packages/oletools/oleid.py", line 380, in check_external_relationships
    for rel_type, target in oleobj.find_external_relationships(xmlparser):
  File "/usr/local/lib/python3.8/site-packages/oletools/oleobj.py", line 809, in find_external_relationships
    for _, elem, _ in xml_parser.iter_xml(None, False, OOXML_RELATIONSHIP_TAG):
  File "/usr/local/lib/python3.8/site-packages/oletools/ooxml.py", line 556, in iter_xml
    for event, elem in ET.iterparse(handle, events):
  File "/usr/local/lib/python3.8/xml/etree/ElementTree.py", line 1232, in iterator
    pullparser.feed(data)
  File "/usr/local/lib/python3.8/xml/etree/ElementTree.py", line 1274, in feed
    self._parser.feed(data)
KeyboardInterrupt

Version information:

  • OS: Linux
  • Python version: 3
  • oletools version: latest

Additional context
The issue is not raised by the nested approach to zipbomb, at least the one in use in https://github.com/damianrusinek/zip-bomb/ , probably due to the issue being around feeding a huge file into the XML parser (so actually, you may not even require a zipbomb technically, just a huge file ?).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug msodde oleid oleobj
Projects
None yet
Milestone
Next Release
Development

No branches or pull requests
2 participants
@decalage2 @guzmud