False Positive Malicious Symlink Removed
aidan-gibson commented
https://www.downloads.netgear.com/files/GDC/RAXE500/RAXE500-V1.2.13.100_2.0.54.zip
Happens via Docker and raw Debian install. A CLI override for this kinda stuff would be great.
╭────────────────────────────── unblob (24.12.4) ──────────────────────────────╮
│ Output path: /data/output/RAXE500-V1.2.13.100_2.0.54.chk_extract │
│ Extracted files: 2933 │
│ Extracted directories: 380 │
│ Extracted links: 413 │
│ Extraction directory size: 401.06 MB │
╰────────────────────────────────── Summary ───────────────────────────────────╯
Chunks distribution
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━┓
┃ Chunk type ┃ Size ┃ Ratio ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━┩
│ ELF32 │ 95.06 MB │ 29.50% │
│ CHK │ 78.46 MB │ 24.34% │
│ SQUASHFS_V4_LE │ 73.19 MB │ 22.71% │
│ ELF64 │ 43.07 MB │ 13.36% │
│ TAR │ 14.87 MB │ 4.61% │
│ UNKNOWN │ 11.39 MB │ 3.53% │
│ LZMA │ 3.46 MB │ 1.07% │
│ BZIP2 │ 1.79 MB │ 0.55% │
│ AR │ 1015.72 KB │ 0.31% │
│ GZIP │ 21.62 KB │ 0.01% │
│ CPIO_PORTABLE_ASCII │ 512.00 B │ 0.00% │
└─────────────────────┴────────────┴────────┘
Chunk identification ratio: 96.47%
Encountered errors
┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Severity ┃ Name ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Severity.WARNING │ MaliciousSymlinkRemoved │
│ Severity.WARNING │ MaliciousSymlinkRemoved │
│ Severity.WARNING │ MaliciousSymlinkRemoved │
qkaiser commented
Can you provide the exact command you ran? I tried with both unblob installed with pip and the latest Docker image; I don't see that.
docker run --rm --pull always -v /tmp/output:/data/output -v /tmp/input:/data/input ghcr.io/onekey-sec/unblob:latest /data/input/RAXE500-V1.2.13.100_2.0.54.zip
latest: Pulling from onekey-sec/unblob
Digest: sha256:2aaab4f81dc32f256b6dac4ce42fa28cc388ac2f30fa233bf33789b05d29af16
Status: Image is up to date for ghcr.io/onekey-sec/unblob:latest
╭────────────────────────────── unblob (24.12.4) ──────────────────────────────╮
│ Output path: /data/output/RAXE500-V1.2.13.100_2.0.54.zip_extract │
│ Extracted files: 2937 │
│ Extracted directories: 382 │
│ Extracted links: 416 │
│ Extraction directory size: 478.30 MB │
╰────────────────────────────────── Summary ───────────────────────────────────╯
Chunks distribution
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━┓
┃ Chunk type ┃ Size ┃ Ratio ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━┩
│ ELF32 │ 95.06 MB │ 23.79% │
│ CHK │ 78.46 MB │ 19.64% │
│ ZIP │ 77.24 MB │ 19.33% │
│ SQUASHFS_V4_LE │ 73.19 MB │ 18.32% │
│ ELF64 │ 43.07 MB │ 10.78% │
│ TAR │ 14.87 MB │ 3.72% │
│ UNKNOWN │ 11.39 MB │ 2.85% │
│ LZMA │ 3.46 MB │ 0.87% │
│ BZIP2 │ 1.79 MB │ 0.45% │
│ AR │ 1015.72 KB │ 0.25% │
│ GZIP │ 21.62 KB │ 0.01% │
│ CPIO_PORTABLE_ASCII │ 512.00 B │ 0.00% │
└─────────────────────┴────────────┴────────┘
Chunk identification ratio: 97.15%