MacroMilter bypass with nested ZIP files
Closed this issue · 2 comments
robert-scheck commented
I can bypass MacroMilter by using nested ZIP files, example:
- Sample file `zipwithinfectedandnotinfectedword.zip` will be detected as malicious
- `zip nested.zip zipwithinfectedandnotinfectedword.zip`
- Sample file `nested.zip` will not be detected as malicious
```
2017-10-07 03:38:17,729 - DEBUG: connect from localhost at ('::1', 52922, 0, 0)
2017-10-07 03:38:17,779 - DEBUG: [3] Content-type: 'multipart/mixed'
2017-10-07 03:38:17,779 - DEBUG: [3] Content-type: 'text/plain'
2017-10-07 03:38:17,779 - DEBUG: [3] Analyzing attachment None
2017-10-07 03:38:17,779 - DEBUG: [3] Content-type: 'application/zip'
2017-10-07 03:38:17,779 - DEBUG: [3] Analyzing attachment 'nested.zip'
2017-10-07 03:38:17,779 - DEBUG: Find Attachment with archive extension - File name: nested.zip
2017-10-07 03:38:17,779 - INFO: File in zip detected! Name: zipwithinfectedandnotinfectedword.zip - check for VBA
2017-10-07 03:38:17,780 - DEBUG: The attachment 'nested.zip' is clean.
```
I initially wanted to test an archive bomb, however this failed badly. In case the observed behaviour is a bug and gets fixed, please avoid becoming vulnerable to archive bombs (by adding max. nesting limits).
sbidy commented
Under development and implemented in testing branch.
Fixed:
- ZipBomb detection
- Extend config with "MAX_ZIP" parameter
- Now detects nested VBA files in archives
robert-scheck commented
Successfully verified with 3.4.3:
- Suspicious macros in nested ZIP files are detected
- Too many nested ZIP files are not handled, but rejected
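The behaviour verified above (descend into nested ZIPs, but reject archives that nest too deeply or declare too much content), as an added example written for this thread, not MacroMilter's own code: the `MAX_ZIP` name mirrors the config parameter mentioned above, while the size cap, the extension list and the `build_zip` helper with its placeholder "Word" members are assumptions of this example.

```python
import io
import zipfile
from dataclasses import dataclass, field
# MAX_ZIP mirrors the config parameter named in the thread; the size cap and the
# extension list are assumptions for this example, not MacroMilter's own values.
MAX_ZIP = 3                          # deepest ZIP nesting level still scanned
MAX_UNCOMPRESSED = 8 * 1024 * 1024   # reject archives declaring more than this
OFFICE_EXT = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")

@dataclass
class ScanResult:
    rejected: str = None                              # reason, if the archive was rejected
    office_files: list = field(default_factory=list)  # e.g. nested.zip/inner.zip/x.docm

def scan_zip(data, path="archive.zip", depth=1, result=None):
    """Walk a ZIP recursively, collecting macro-capable Office documents at any depth;
    reject on nesting deeper than MAX_ZIP or on oversized declared content."""
    result = result if result is not None else ScanResult()
    if depth > MAX_ZIP:
        result.rejected = f"{path}: nesting depth {depth} exceeds MAX_ZIP={MAX_ZIP}"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Declared sizes come from the central directory, so the check is free, and
        # zipfile stops reading a member at its declared size, so the cap actually holds.
        declared = sum(info.file_size for info in zf.infolist())
        if declared > MAX_UNCOMPRESSED:
            result.rejected = f"{path}: declares {declared} bytes, over the limit"
            return result
        for info in zf.infolist():
            member, lower = f"{path}/{info.filename}", info.filename.lower()
            if lower.endswith(".zip"):
                scan_zip(zf.read(info), member, depth + 1, result)
                if result.rejected:      # propagate the rejection, stop descending
                    return result
            elif lower.endswith(OFFICE_EXT):
                result.office_files.append(member)
    return result

def build_zip(entries):  # in-memory ZIP from {name: bytes}; only for the constructed samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples mirroring the thread; the "Word" members are placeholder bytes.
INNER = build_zip({"infected.docm": b"placeholder", "notinfected.docx": b"placeholder"})
NESTED = build_zip({"zipwithinfectedandnotinfectedword.zip": INNER})
TOO_DEEP = NESTED
for _ in range(MAX_ZIP):             # MAX_ZIP extra layers push the .docm past the limit
    TOO_DEEP = build_zip({"layer.zip": TOO_DEEP})
OVERSIZED = build_zip({"zeros.bin": b"\0" * (MAX_UNCOMPRESSED + 1)})
```

A milter would hand each entry in `office_files` to the macro check and treat any `rejected` result as grounds to refuse the message; a non-ZIP payload still raises `zipfile.BadZipFile`, which the caller should catch and reject as well.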