[import-report] Error when importing password protected Recorded Future pdf reports #503

Closed
kudrew opened this issue Oct 4, 2021 · 4 comments
Labels
feature use for describing a new feature to develop solved use to identify issue that has been solved (must be linked to the solving PR)
Milestone

kudrew commented Oct 4, 2021

Description

Import Report Connector logs indicate an error when importing a pdf from Recorded Future.
Tested this on v4.5.5, v5.0.1 and demo(v5.0.2)

Reproducible Steps

Create a test report and upload and analyze this file, please see attached:

https://demo.opencti.io/dashboard/analysis/reports/3f7e5fa9-de4c-4bdb-91a2-f863aa703d99/files

Expected Output

Actual Output

The import report connector outputs:


INFO:root:Importing the file http://10.142.6.52:8080/storage/get/import/Report/8924c464-8ca7-4aad-bf02-6b4c3a378e7b/RF_CobaltStrike.pdf,
INFO:root:Listing Identities with filters null.,
INFO:root:Listing Locations with filters {"key": "entity_type", "values": ["Country"]}.,
INFO:root:Listing Intrusion-Sets with filters null.,
INFO:root:Listing Malwares with filters null.,
INFO:root:Listing Tools with filters null.,
INFO:root:Parsing report RF_CobaltStrike.pdf application/pdf,
ERROR:root:Pdf Parsing Error: Unsupported revision: param={'CF': {'StdCF': {'AuthEvent': /'DocOpen', 'CFM': /'AESV3', 'Length': 32}}, 'Filter': /'Standard', 'Length': 256, 'O': b'\xae\'j\xbb\xf4\xe1\n"\rd2\xf7\r\xcb\xc6\xe82\xaf3\xb8:\x13\xe1d\xb5\x04_f\xb6\xfb\t`\'\xe5l\xff\x84\xc29\xc6\xa4\x88y\xed\xef\xe9X\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 'OE': b'\x1a\xbfV\xb7\x11n\xa8>\xe5N\x06\xe6?\x11\xbeDz\x07\xb2u\x83\x82yiH\r\xeaR\xd2\xe2\xa9\r', 'P': -1324, 'Perms': b'\xfa\xb5w\xde\xa9B\x00T\xf7\xa9?\xb4B\xdb\xb0 ', 'R': 6, 'StmF': /'StdCF', 'StrF': /'StdCF', 'U': b"I\x00\x15\xb6j\x14\xbf\xd6lb\xc2\xe4Rh\xc1\x14\xfb\xc8\xb9Q\xd3\x1c \xbc\xd4\x88'+\x9br\x8e.\x90\x96\xb8}_\xd2\xabHc\xa8F\r\xc3RM\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 'UE': b"\xea\xba\xd0p1\xe6m\xbd\n\xf9'\x88S\xe9\xc6\xe6\xd0\xc2G\xb1#\xc0B\x06.\xe9\xbd\x92\x9fK\xe5\xe5", 'V': 5},
Traceback (most recent call last):,
  File "/opt/opencti-connector-import-report/reportimporter/report_parser.py", line 119, in _parse_pdf,
    for page_layout in extract_pages(file_data):,
  File "/usr/local/lib/python3.9/site-packages/pdfminer/high_level.py", line 147, in extract_pages,
    for page in PDFPage.get_pages(fp, page_numbers, maxpages=maxpages,,
  File "/usr/local/lib/python3.9/site-packages/pdfminer/pdfpage.py", line 128, in get_pages,
    doc = PDFDocument(parser, password=password, caching=caching),
  File "/usr/local/lib/python3.9/site-packages/pdfminer/pdfdocument.py", line 588, in __init__,
    self._initialize_password(password),
  File "/usr/local/lib/python3.9/site-packages/pdfminer/pdfdocument.py", line 614, in _initialize_password,
    handler = factory(docid, param, password),
  File "/usr/local/lib/python3.9/site-packages/pdfminer/pdfdocument.py", line 296, in __init__,
    self.init(),
  File "/usr/local/lib/python3.9/site-packages/pdfminer/pdfdocument.py", line 303, in init,
    raise PDFEncryptionError(error_msg),
pdfminer.pdfdocument.PDFEncryptionError: Unsupported revision: param={'CF': {'StdCF': {'AuthEvent': /'DocOpen', 'CFM': /'AESV3', 'Length': 32}}, 'Filter': /'Standard', 'Length': 256, 'O': b'\x
[RF_CobaltStrike.pdf](https://github.com/OpenCTI-Platform/connectors/files/7279342/RF_CobaltStrike.pdf)
ae\'j\xbb\xf4\xe1\n"\rd2\xf7\r\xcb\xc6\xe82\xaf3\xb8:\x13\xe1d\xb5\x04_f\xb6\xfb\t`\'\xe5l\xff\x84\xc29\xc6\xa4\x88y\xed\xef\xe9X\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 'OE': b'\x1a\xbfV\xb7\x11n\xa8>\xe5N\x06\xe6?\x11\xbeDz\x07\xb2u\x83\x82yiH\r\xeaR\xd2\xe2\xa9\r', 'P': -1324, 'Perms': b'\xfa\xb5w\xde\xa9B\x00T\xf7\xa9?\xb4B\xdb\xb0 ', 'R': 6, 'StmF': /'StdCF', 'StrF': /'StdCF', 'U': b"I\x00\x15\xb6j\x14\xbf\xd6lb\xc2\xe4Rh\xc1\x14\xfb\xc8\xb9Q\xd3\x1c \xbc\xd4\x88'+\x9br\x8e.\x90\x96\xb8}_\xd2\xabHc\xa8F\r\xc3RM\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 'UE': b"\xea\xba\xd0p1\xe6m\xbd\n\xf9'\x88S\xe9\xc6\xe6\xd0\xc2G\xb1#\xc0B\x06.\xe9\xbd\x92\x9fK\xe5\xe5", 'V': 5},
INFO:root:Reporting work update_received opencti-work--b3671670-c758-4e8a-8fab-962732791e7e,
INFO:root:Message (delivery_tag=1) processed, thread terminated
@kudrew kudrew added the bug use for describing something not working as expected label Oct 4, 2021

nor3th commented Oct 4, 2021

Hey @kudrew

Thanks for reporting this issue. The reason behind this is that Recorded Future encrypts their PDF reports to implement some security measures. This can be circumvented by decrypting the PDF report with an empty password.

qpdf --password='' --decrypt RF_CobaltStrike.pdf out.pdf

I uploaded the out.pdf pdf file and the information extraction worked flawlessly.
I think pdfminer itself does support opening encrypted pdfs, but there seems to be some issue on the pdfminer side. I'll have a look at it.

Is the workaround feasible for you for now?

Regards
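
A pre-flight check for the failure discussed above, as an added example that is not part of the original thread or the connector's code: it reads the `/Encrypt` dictionary from raw PDF bytes and flags revision 6 files (the `'R': 6` in the log) for the qpdf decrypt step before parsing. The function names, the `UNSUPPORTED_REVISIONS` set and the sample bytes are assumptions made for illustration.

```python
import re

# Assumption: the installed parser rejects revision 6, as in the log above.
# Adjust this set to whatever your parser version actually fails on.
UNSUPPORTED_REVISIONS = {6}

# Constructed sample: a skeletal file whose /Encrypt object mirrors the logged
# parameters (V 5, R 6, AESV3). It is not a complete, openable PDF.
SAMPLE_R6 = (
    b"%PDF-1.7\n"
    b"5 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
    b"/CF << /StdCF << /AuthEvent /DocOpen /CFM /AESV3 /Length 32 >> >> "
    b"/StmF /StdCF /StrF /StdCF /P -1324 >>\nendobj\n"
    b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)

def _num(key: bytes, body: bytes):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else None

def encryption_info(pdf: bytes):
    """Return V, R and CFM from the /Encrypt dictionary, or None if absent.

    Heuristic byte scan, not a full PDF parser: binary strings in the
    dictionary could in principle contain text that looks like a key.
    """
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:  # indirect reference: read the referenced object
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, pdf, re.S)
        if obj is None:
            raise ValueError("dangling /Encrypt reference")
        body = obj.group(1)
    else:  # inline dictionary: scan a bounded window after the key
        inline = re.search(rb"/Encrypt\s*<<", pdf)
        if inline is None:
            return None
        body = pdf[inline.end():inline.end() + 4096]
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    return {"V": _num(b"V", body), "R": _num(b"R", body),
            "CFM": cfm.group(1).decode() if cfm else None}

def triage(pdf: bytes) -> str:
    """Decide how an importer should handle the file before parsing it."""
    info = encryption_info(pdf)
    if info is None:
        return "plain"
    if info["R"] in UNSUPPORTED_REVISIONS:
        return "decrypt-first"  # run the qpdf --decrypt step from the thread
    return "parse"
```
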

@nor3th nor3th added feature use for describing a new feature to develop and removed bug use for describing something not working as expected labels Oct 4, 2021
@nor3th nor3th added this to the Release 5.0.2 milestone Oct 4, 2021
@nor3th nor3th changed the title Import Report Connector logs indicate an error when importing a pdf from Recorded Future [import-report] Error when importing password protected Recorded Future pdf reports Oct 4, 2021

kudrew commented Oct 6, 2021

Workaround works well, thanks @nor3th


Darkheir commented Mar 22, 2022

I fixed the decryption issue a while back in pdfminer.six (pdfminer/pdfminer.six#614).

I guess that updating the version of the lib in the requirements would fix the issue: https://github.com/OpenCTI-Platform/connectors/blob/master/internal-import-file/import-document/src/requirements.txt#L4

@nor3th nor3th closed this as completed in 337cb0d Mar 22, 2022

nor3th commented Mar 22, 2022

Hey @Darkheir Thanks a lot for your efforts!

Regards

@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Jul 12, 2022