You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Packaging a flat zipbomb inside an OOXML file will impact the iter_xml function used by oleid, oleobj and msodde slowing down the parsing almost to an halt (although turning your laptop into a cozy heating system). May not be so much zipbomb related as much as just "feeding a huge file into the xml parser" related.
unzip an OOXML (e.g. agenttesla.xlsx) into unzipped_oxml (agenttesla_xlsx/)
rezip it while adding the bomb using python3 zip-bomb.py -d agenttesla_xlsx/ flat 4096 agenttesla_flat_zipbomb.xlsx
How To Reproduce the bug
Run either oleid, oleobj, msodde on the sample and wait. Then keep waiting.
Expected behavior
Tool is running rather than stuck.
Console output / Screenshots
When doing a keyboard interruption, the stacktrace will always point out towards the iter_xml function (with different stacktrace start depending on the tool used).
^CTraceback (most recent call last):
File "/usr/local/bin/oleid", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.8/site-packages/oletools/oleid.py", line 540, in main
indicators = oleid.check()
File "/usr/local/lib/python3.8/site-packages/oletools/oleid.py", line 300, in check
self.check_external_relationships()
File "/usr/local/lib/python3.8/site-packages/oletools/oleid.py", line 380, in check_external_relationships
for rel_type, target in oleobj.find_external_relationships(xmlparser):
File "/usr/local/lib/python3.8/site-packages/oletools/oleobj.py", line 809, in find_external_relationships
for _, elem, _ in xml_parser.iter_xml(None, False, OOXML_RELATIONSHIP_TAG):
File "/usr/local/lib/python3.8/site-packages/oletools/ooxml.py", line 556, in iter_xml
for event, elem in ET.iterparse(handle, events):
File "/usr/local/lib/python3.8/xml/etree/ElementTree.py", line 1232, in iterator
pullparser.feed(data)
File "/usr/local/lib/python3.8/xml/etree/ElementTree.py", line 1274, in feed
self._parser.feed(data)
KeyboardInterrupt
Version information:
OS: Linux
Python version: 3
oletools version: latest
Additional context
The issue is not raised by the nested approach to zipbomb, at least the one in use in https://github.com/damianrusinek/zip-bomb/ , probably due to the issue being around feeding a huge file into the XML parser (so actually, you may not even require a zipbomb technically, just a huge file ?).
The text was updated successfully, but these errors were encountered:
Affected tool:
oleid, oleobj, msodde
Describe the bug
Packaging a flat zipbomb inside an OOXML file will impact the
iter_xml
function used byoleid
,oleobj
andmsodde
slowing down the parsing almost to an halt (although turning your laptop into a cozy heating system). May not be so much zipbomb related as much as just "feeding a huge file into the xml parser" related.File/Malware sample to reproduce the bug
Used https://github.com/damianrusinek/zip-bomb/ to produce a quick PoC following this logic:
agenttesla.xlsx
) into unzipped_oxml (agenttesla_xlsx/
)python3 zip-bomb.py -d agenttesla_xlsx/ flat 4096 agenttesla_flat_zipbomb.xlsx
How To Reproduce the bug
Run either oleid, oleobj, msodde on the sample and wait. Then keep waiting.
Expected behavior
Tool is running rather than stuck.
Console output / Screenshots
When doing a keyboard interruption, the stacktrace will always point out towards the
iter_xml
function (with different stacktrace start depending on the tool used).Version information:
Additional context
The issue is not raised by the nested approach to zipbomb, at least the one in use in https://github.com/damianrusinek/zip-bomb/ , probably due to the issue being around feeding a huge file into the XML parser (so actually, you may not even require a zipbomb technically, just a huge file ?).
The text was updated successfully, but these errors were encountered: