kevoreilly/CAPEv2

Web process crashes due to running sflock with check_shellcode

yoniabrahamy opened this issue · 5 comments

Expected Behavior

Submit a file successfully using the /apiv2/tasks/create/file/ API

Current Behavior

I encountered an issue when submitting some samples to our CAPE sandbox instance. The cape-web gunicorn process simply receives SIGABRT and crashes.

It seems that running the functions sflock.ident.identify and sflock.unpack with check_shellcode=True causes these crashes. These functions run as part of lib.cuckoo.core.database._identify_aux_func and lib.cuckoo.common.demux.demux_sflock.

Failure Information (for bugs)

The process crashes when submitting the file using /apiv2/tasks/create/file/ and the server returns a 502 response.

Looking at journalctl of the web service I can see this:
[2024-07-17 10:40:10 +0000] [782815] [ERROR] Worker (pid:782891) was sent code 134!

Steps to Reproduce

  1. Here is an example of a file from VT which causes the crash: https://www.virustotal.com/gui/file/f29ab757d872152c3d85d3c1fbe7e030993499e79a3d65c2b4cfd75ae5a69fe4
  2. Submitting this file using /apiv2/tasks/create/file/ should currently return 502

Context

Question      Answer
Git commit    722aced
OS version    Ubuntu 22.04.2 LTS
Tested Hash   f29ab757d872152c3d85d3c1fbe7e030993499e79a3d65c2b4cfd75ae5a69fe4

Suggested Solution

Looking a bit deeper into the sflock source code, it seems the problem lies in the sflock.ident.emulate function, which runs as part of sflock.ident.detect_shellcode; I'm not sure how to resolve that.

However, I was thinking about making check_shellcode configurable when submitting the file for analysis (as we have no use for it in our CAPE instance). I can open the PR with these changes, but I was wondering if it should be a feature flag in one of the configs, or a parameter you can send as part of the /apiv2/tasks/create/file/ REST API.

Thanks in advance.
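As an added example (not CAPEv2 or sflock code) of the defensive pattern the report points at: run the shellcode-emulation step in a throwaway forked child, so a native abort like the "code 134" above ends that child rather than the gunicorn worker, and degrade to plain identification when it crashes. The 30-second timeout and the identify_fn callable are assumptions; fake_identify is a constructed stand-in for sflock.ident.identify.

```python
import multiprocessing as mp
import os
import signal

def _worker(conn, func, args, kwargs):
    # Child side: send the result, or an ordinary Python error, back.
    try:
        conn.send(("ok", func(*args, **kwargs)))
    except Exception as exc:
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def run_isolated(func, *args, timeout=30, **kwargs):
    # Returns (status, value); status: ok, error, timeout, or crash (signal).
    ctx = mp.get_context("fork")
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(child, func, args, kwargs))
    proc.start()
    child.close()  # leave the write end open only in the child
    try:
        result = parent.recv() if parent.poll(timeout) else None
    except EOFError:  # pipe closed without an answer: the child died
        result = None
    proc.join(timeout=1)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return ("timeout", None)
    if result is not None:
        return result
    if proc.exitcode < 0:  # negative exit code = killed by that signal
        return ("crash", signal.Signals(-proc.exitcode).name)  # e.g. SIGABRT
    return ("crash", proc.exitcode)

def identify_safely(identify_fn, path, check_shellcode):
    # Only the emulation path is isolated; a crash there degrades to plain
    # identification instead of killing the gunicorn worker.
    if not check_shellcode:
        return ("ok", identify_fn(path, check_shellcode=False))
    status, value = run_isolated(identify_fn, path, check_shellcode=True)
    if status == "crash":
        return ("fallback", identify_fn(path, check_shellcode=False))
    return (status, value)

def fake_identify(path, check_shellcode=False):
    # Constructed stand-in for sflock.ident.identify, aborting like the issue.
    if check_shellcode:
        os.abort()  # SIGABRT, the "code 134" in the gunicorn log
    return "unknown"
```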

Yes, open a PR please, interesting finding.

I opened a PR.
LMK what you think, thanks again!

Thanks for the PR.

Well, I will keep this open to see on a lower level what happens there.

I think this one is related to d0edd36, as I was able to reproduce your error once, but now I can't reproduce it, so we have the option to disable it, but I will add a space check too.