target/strelka

Add AES Support to ScanZip/ScanEncryptedZip

ryanohoro opened this issue · 0 comments

Is your feature request related to a problem? Please describe.

ScanZip/ScanEncryptedZip should support AES-encrypted zip files. Scanning an AES-encrypted ZIP file currently returns "unsupported_compression".

7zz -slt l f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip 

7-Zip (z) 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15
 64-bit locale=en_US.UTF-8 Threads:128

Scanning the drive for archives:
1 file, 158394 bytes (155 KiB)

Listing archive: f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip

--
Path = f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip
Type = zip
Physical Size = 158394

----------
Path = f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.pdf
Folder = -
Size = 186622
Packed Size = 158138
Modified = 2022-12-23 16:03:28
Created = 
Accessed = 
Attributes =  -rw-r--r--
Encrypted = +
Comment = 
CRC = 
Method = AES-128 Deflate:Maximum
Characteristics = WzAES : Encrypt
Host OS = Unix
Version = 51
Volume Index = 0
Offset = 0

./strelka-oneshot -f f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip
cat strelka-oneshot.log | jq

    "scan": {
        "encrypted_zip": {
            "cracked_password": "infected",
            "elapsed": 0.056146,
            "flags": ["unsupported_compression"],
            "total": {
                "extracted": 0,
                "files": 1
            }
        },

Describe the solution you'd like

Use 7zip or pyzipper instead of zipfile to extract zip files.

Describe alternatives you've considered

Additional context

AES encryption is widely supported, though not the default for most applications.
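Added example (not Strelka's code, Python standard library only) showing why the stdlib `zipfile` module gives up on the archive above and what a scanner can still learn from the headers before handing the file to pyzipper or 7-Zip. WinZip AES entries advertise pseudo compression method 99 plus an extra field with id 0x9901 that records the AES strength and the real compression method; `zipfile` parses those headers but raises `NotImplementedError` on extraction, which is the path that ends in the "unsupported_compression" flag. The sample archive is constructed by hand with valid AES-128 (AE-2, Deflate) headers around placeholder bytes, not real ciphertext, and the "aes_encrypted"/"zipcrypto"/"plain" flag names are hypothetical labels chosen for this example rather than flags Strelka emits.

```python
import io
import struct
import zipfile

AES_METHOD = 99          # WinZip AES pseudo compression method
AES_EXTRA_ID = 0x9901    # WinZip AES extra-field header id
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma"}


def parse_aes_extra(extra: bytes):
    """Walk the extra-field list and decode the 0x9901 record, if present."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, length = struct.unpack("<HH", extra[pos:pos + 4])
        body = extra[pos + 4:pos + 4 + length]
        if tag == AES_EXTRA_ID and len(body) >= 7:
            vendor_ver, vendor_id, strength, method = struct.unpack("<H2sBH", body[:7])
            return {
                "vendor_version": vendor_ver,        # 1 = AE-1 (CRC kept), 2 = AE-2 (CRC zeroed)
                "vendor_id": vendor_id.decode("ascii", "replace"),
                "strength_bits": AES_STRENGTH_BITS.get(strength),
                "actual_method": method,             # real compression hidden behind method 99
                "actual_method_name": METHOD_NAMES.get(method, f"unknown({method})"),
            }
        pos += 4 + length
    return None


def describe_zip_entries(data: bytes):
    """Classify each entry from the central directory alone (no extraction needed)."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0 = encrypted
            aes = parse_aes_extra(info.extra) if info.compress_type == AES_METHOD else None
            if encrypted and info.compress_type == AES_METHOD:
                flag = "aes_encrypted"   # hypothetical flag name for this example
            elif encrypted:
                flag = "zipcrypto"       # legacy PKWARE encryption, which zipfile can handle
            else:
                flag = "plain"
            out.append({"name": info.filename, "encrypted": encrypted,
                        "compress_type": info.compress_type, "aes": aes, "flag": flag})
    return out


def stdlib_extract_error(data: bytes, pwd: bytes):
    """Try to read every entry with the stdlib; return the exception class name or None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info, pwd=pwd) as fh:
                    fh.read()
            except (NotImplementedError, RuntimeError, zipfile.BadZipFile) as exc:
                return type(exc).__name__
    return None


def build_sample_aes_zip(name: bytes = b"sample.pdf") -> bytes:
    """Constructed sample: WinZip AES-128 (AE-2, Deflate) headers around placeholder bytes.

    The payload is NOT real ciphertext; only the container metadata matters here.
    """
    payload = bytes(range(40))  # stands in for salt + verifier + ciphertext + auth code
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 1, 8)  # AE-2, AES-128, Deflate
    flags, crc, uncompressed = 0x1, 0, 11  # bit 0 = encrypted; AE-2 stores a zero CRC
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, AES_METHOD, 0, 0,
                        crc, len(payload), uncompressed, len(name), len(extra))
    local += name + extra
    central = struct.pack("<IBBBBHHHHIIIHHHHHII", 0x02014B50, 51, 3, 51, 0,
                          flags, AES_METHOD, 0, 0, crc, len(payload), uncompressed,
                          len(name), len(extra), 0, 0, 0, 0o100644 << 16, 0)
    central += name + extra
    cd_offset = len(local) + len(payload)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd


def build_plain_zip() -> bytes:
    """Constructed unencrypted zip for contrast, written with the stdlib itself."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello world")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("aes", build_sample_aes_zip()), ("plain", build_plain_zip())):
        print(label, describe_zip_entries(blob), stdlib_extract_error(blob, b"infected"))
```

Running the block shows the AES sample classified as `aes_encrypted` with strength 128 and actual method `deflate`, while the stdlib read attempt returns `NotImplementedError`; the plain archive reads cleanly. A scanner that does this header pass first can report the AES strength and the real compression method in its output and route such archives to a library that implements WinZip AES (pyzipper, or 7-Zip as the issue suggests) instead of emitting a generic unsupported-compression flag.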