sbidy/MacroMilter

MacroMilter bypass with nested ZIP files

Closed this issue · 2 comments

I can bypass MacroMilter by using nested ZIP files, example:

  1. Sample file zipwithinfectedandnotinfectedword.zip will be detected as malicious
  2. zip nested.zip zipwithinfectedandnotinfectedword.zip
  3. Sample file nested.zip will not be detected as malicious

2017-10-07 03:38:17,729 -    DEBUG: connect from localhost at ('::1', 52922, 0, 0)
2017-10-07 03:38:17,779 -    DEBUG: [3] Content-type: 'multipart/mixed'
2017-10-07 03:38:17,779 -    DEBUG: [3] Content-type: 'text/plain'
2017-10-07 03:38:17,779 -    DEBUG: [3] Analyzing attachment None
2017-10-07 03:38:17,779 -    DEBUG: [3] Content-type: 'application/zip'
2017-10-07 03:38:17,779 -    DEBUG: [3] Analyzing attachment 'nested.zip'
2017-10-07 03:38:17,779 -    DEBUG: Find Attachment with archive extension - File name: nested.zip
2017-10-07 03:38:17,779 -     INFO: File in zip detected! Name: zipwithinfectedandnotinfectedword.zip - check for VBA
2017-10-07 03:38:17,780 -    DEBUG: The attachment 'nested.zip' is clean.

I initially wanted to test an archive bomb, however this failed badly. In case the observed behaviour is a bug and gets fixed, please avoid becoming vulnerable to archive bombs (by adding max. nesting limits).

sbidy commented

Under development and implemented in testing branch.
Fixed:

  • ZipBomb detection
  • Extend config with "MAX_ZIP" parameter
  • Now detect nested vba-files in archives
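
The two points of this thread, the nested-ZIP bypass from the report and the nesting/zip-bomb limits from the fix, as an added example that is not MacroMilter's own code: a recursive archive walker that descends into archives-within-archives, stops at a depth limit, and rejects entries whose declared uncompressed size or compression ratio is out of bounds. The limit names (MAX_NESTING, MAX_TOTAL_BYTES, MAX_RATIO) are hypothetical stand-ins for the "MAX_ZIP"-style parameter mentioned above, and the macro check looks for a vbaProject.bin part inside an OOXML container instead of running olevba, so it runs offline; the sample archives are constructed in the block to mirror the reporter's layout (one zip holding an infected and a clean document, wrapped in a second zip).

```python
import io
import zipfile
from typing import Optional

# Hypothetical limits standing in for a "MAX_ZIP"-style configuration parameter.
MAX_NESTING = 3                      # deepest archive-in-archive level accepted
MAX_TOTAL_BYTES = 10 * 1024 * 1024   # cap on cumulative declared uncompressed size
MAX_RATIO = 100                      # reject entries with an absurd uncompressed/compressed ratio

ARCHIVE_EXT = (".zip",)
OOXML_EXT = (".docm", ".dotm", ".xlsm", ".pptm", ".docx", ".xlsx", ".pptx")


class ArchiveRejected(Exception):
    """Raised when an archive exceeds the nesting or size limits (mail would be rejected)."""


def has_vba_project(data: bytes) -> bool:
    """Stand-in for olevba: OOXML documents are zip containers and a VBA project is
    stored as a 'vbaProject.bin' part (word/, xl/ or ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False


def scan_archive(data: bytes, depth: int = 0, budget: Optional[dict] = None) -> list:
    """Recursively walk a zip, returning entry names that carry VBA.
    Enforces the depth and size limits and raises ArchiveRejected on violation."""
    if budget is None:
        budget = {"bytes": 0}
    if depth > MAX_NESTING:
        raise ArchiveRejected(f"nesting deeper than {MAX_NESTING}")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Header-declared sizes are checked before any entry is inflated.
            budget["bytes"] += info.file_size
            if budget["bytes"] > MAX_TOTAL_BYTES:
                raise ArchiveRejected("cumulative uncompressed size exceeds limit")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ArchiveRejected(f"suspicious compression ratio for {info.filename}")
            payload = zf.read(info.filename)
            name = info.filename.lower()
            if name.endswith(ARCHIVE_EXT):
                # This recursion is what the bypass in the report relied on being absent.
                findings.extend(scan_archive(payload, depth + 1, budget))
            elif name.endswith(OOXML_EXT) and has_vba_project(payload):
                findings.append(info.filename)
    return findings


def make_zip(entries: dict, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a fake macro-enabled document, a clean one, both zipped once,
# then that zip zipped again, mirroring the reporter's nested.zip.
macro_doc = make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00" * 32})
clean_doc = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
inner_zip = make_zip({"infected.docm": macro_doc, "clean.docx": clean_doc})
nested_zip = make_zip({"zipwithinfectedandnotinfectedword.zip": inner_zip})
# Constructed zip-bomb-style entry: 1 MiB of zeros deflates to about 1 KiB.
bomb_zip = make_zip({"bomb.bin": b"\x00" * (1024 * 1024)})


def deeply_nested(levels: int) -> bytes:
    """Wrap inner_zip in `levels` additional zip layers."""
    data = inner_zip
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data


def verdict(data: bytes) -> str:
    """Milter-style decision for one attachment."""
    try:
        hits = scan_archive(data)
    except ArchiveRejected as exc:
        return f"REJECTED: {exc}"
    return ("MALICIOUS: " + ", ".join(hits)) if hits else "CLEAN"


if __name__ == "__main__":
    print(verdict(nested_zip))         # MALICIOUS: infected.docm
    print(verdict(deeply_nested(4)))   # REJECTED: nesting deeper than 3
    print(verdict(bomb_zip))           # REJECTED: suspicious compression ratio for bomb.bin
```

The size checks read the central-directory fields, which a crafted archive can misstate, so a production scanner should additionally count bytes as it inflates and abort once the budget is exceeded; the depth limit, however, is enforced purely by the recursion and cannot be talked around by forged headers.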

Successfully verified with 3.4.3:

  • Suspicious macros in nested ZIP files are detected
  • Too many nested ZIP files are not handled, but rejected