sfx: false positives #1212

Open
ElDavoo opened this issue Apr 18, 2024 · 1 comment · May be fixed by fkie-cad/fact_extractor#135


ElDavoo commented Apr 18, 2024

FACT version

latest commit

Environment

ubuntu noble in docker, https://github.com/ElDavoo/FACT_docker

Steps to reproduce

  1. Analyze a MIPS firmware (I'm using tp-link archer c6 v2 as an example) with cwe_checker

Observed Behavior

Many useless extractions happen, many plugins run on them, most of all cwe_checker, which fails and pollutes the logs

Expected Behavior

Not extracting normal binaries

Installation logs

install.log
PASTE HERE

Backend logs

fact_main_backend.log

No logs, so output of unpacker plugin of a binary copy-pasted from the web UI:


Plugin Version: 0.1
Plugin: SFX
Extracted: 5
Output:

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,16 CPUs Intel(R) Xeon(R) Gold 6252N CPU @ 2.30GHz (50657),ASM,AES-NI)

Scanning the drive for archives:
1 file, 4293 bytes (5 KiB)

Extracting archive: /tmp/extractor/tmpu_d9bvtr/input/800bc51ac5086482af9e6cd0b76afefee55e6e91521571e33e8d5f0501f5d632_4293
--
Path = /tmp/extractor/tmpu_d9bvtr/input/800bc51ac5086482af9e6cd0b76afefee55e6e91521571e33e8d5f0501f5d632_4293
Type = ELF
Physical Size = 4293
CPU = MIPS
Big-endian = +
Host OS = None
Characteristics = Executable file
Headers Size = 308

Everything is Ok

Files: 7
Size:       4577
Compressed: 4293

entropy: 0.64
password: IeY8omJwGlGkIbJm2FH MV4fLsXE8ieu0gNYwE6Ty
size packed: 4,037
size unpacked: 4,577
number of excluded files: 0
number of unpacked directories: 0

Frontend logs

fact_main_frontend.log
PASTE HERE

Other information

I notice that all extracted binaries have their extracted sections named with a single number: the example binary gets extracted to files "0", "1", "2", "4". Maybe this can be used for detection.
Or maybe more specialized tools should be used for detection and extraction of SFX instead of 7-zip.

jstucke (Collaborator) commented Apr 29, 2024

The problem originates from the SFX unpacking plugin in the extractor. There, the results are already filtered. But there is a special case: If the section header table is stripped from the binary, the files unpacked by 7z are named 0, 1, 2 and so on instead of the section names.

fkie-cad/fact_extractor#135 should fix this (not really an elegant solution but it should work)
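The two detection ideas discussed in this thread (the reporter's "all names are a single number" observation and the maintainer's explanation that 7z falls back to numeric names when the section header table is stripped), written out as an added, stand-alone Python example. This is not FACT's or fact_extractor's code and not the fix in fkie-cad/fact_extractor#135. It reads e_shoff/e_shnum straight from the ELF header so the stripped case can be recognised before 7z even runs, treats an all-numeric extraction listing as 7z enumerating sections, and adds one heuristic of my own: an ELF that carries no 7z archive signature anywhere in its body is assumed not to be a 7z SFX. The function names and the sample ELF headers are constructed for this example.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
# Signature that opens every 7z archive; a genuine 7z SFX embeds it after the stub.
# (Assumption for this example: no signature anywhere means no SFX payload.)
SEVENZ_SIGNATURE = b"7z\xbc\xaf\x27\x1c"
EM_MIPS = 8


def elf_section_header_info(data: bytes):
    """Return (e_shoff, e_shnum) from an ELF32/ELF64 header, honouring endianness."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    if ei_class == 1:  # ELFCLASS32: e_shoff at 32 (4 bytes), e_shnum at 48
        (e_shoff,) = struct.unpack_from(endian + "I", data, 32)
        (e_shnum,) = struct.unpack_from(endian + "H", data, 48)
    elif ei_class == 2:  # ELFCLASS64: e_shoff at 40 (8 bytes), e_shnum at 60
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_shoff,) = struct.unpack_from(endian + "Q", data, 40)
        (e_shnum,) = struct.unpack_from(endian + "H", data, 60)
    else:
        raise ValueError("unknown ELF class")
    return e_shoff, e_shnum


def section_header_table_stripped(data: bytes) -> bool:
    """A stripped section header table shows up as e_shoff == 0 or e_shnum == 0."""
    e_shoff, e_shnum = elf_section_header_info(data)
    return e_shoff == 0 or e_shnum == 0


def embeds_7z_archive(data: bytes) -> bool:
    return SEVENZ_SIGNATURE in data


def is_sfx_false_positive(data: bytes, extracted_names) -> bool:
    """True when a 7z 'extraction' of an ELF is just its sections/segments, not an SFX payload."""
    if data[:4] != ELF_MAGIC:
        return False  # only ELF inputs are in scope here
    names = list(extracted_names)
    if names and all(re.fullmatch(r"\d+", n) for n in names):
        return True  # stripped-shdr case: 7z names the pieces 0, 1, 2, ...
    if section_header_table_stripped(data):
        return True  # same case, detected from the header instead of the file names
    return not embeds_7z_archive(data)


def build_elf32_header(big_endian: bool, e_shoff: int, e_shnum: int, tail: bytes = b"") -> bytes:
    """Constructed sample: a minimal ELF32 MIPS executable header followed by `tail`."""
    endian = ">" if big_endian else "<"
    e_ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    fields = (
        2,          # e_type: ET_EXEC
        EM_MIPS,    # e_machine
        1,          # e_version
        0x400000,   # e_entry
        52,         # e_phoff
        e_shoff,    # e_shoff
        0,          # e_flags
        52, 32, 1,  # e_ehsize, e_phentsize, e_phnum
        40,         # e_shentsize
        e_shnum,    # e_shnum
        e_shnum - 1 if e_shnum else 0,  # e_shstrndx
    )
    return e_ident + struct.pack(endian + "HHIIIIIHHHHHH", *fields) + tail


# Constructed inputs: a stripped big-endian MIPS binary like the one in the report,
# a normal one with 12 sections, and one that actually carries a 7z archive.
STRIPPED_MIPS = build_elf32_header(True, 0, 0)
NORMAL_MIPS = build_elf32_header(True, 0x1000, 12)
SFX_LIKE = build_elf32_header(True, 0x1000, 12, tail=SEVENZ_SIGNATURE + bytes(26))

if __name__ == "__main__":
    for label, blob, names in (
        ("stripped", STRIPPED_MIPS, ["0", "1", "2", "4"]),
        ("normal", NORMAL_MIPS, [".text", ".data"]),
        ("sfx-like", SFX_LIKE, ["payload.bin"]),
    ):
        print(label, "false positive:", is_sfx_false_positive(blob, names))
```

Checking the header first is the cheaper path: a plugin can skip 7z entirely for ELF inputs whose section header table is absent, instead of running the extraction and then discarding numerically named results.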
