Error Uploading Password Protected ZIP

[Pcktech]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	CentOS 7
OS version (client)	Windows 10
TheHive version / git hash	3.2.1-1
Package Type	RPM
Browser type & version	FireFox 64

Problem Description

Trying to upload a McAfee ENS 10.5 zip file containing a malware sample, ENS automatically ZIPs and adds password 'infected' to it. 7-zip can open the file, but TheHive won't add it as an observable -- no reason given in the UI, just nothing happens when you click Add Observable.

Steps to Reproduce

Fails Under These Conditions:

• Attempt to upload original ZIP with 'infected' password, add as ZIP Archive with 'infected' password.
• Unzip and Rezip using 7-zip with same password.
• Unzip and Rezip with 'test' password.
• Unzip and Rezip with filename 't.zip' and 'test' password.
• Unzip and Rezip with no password (and no password in the observable).
• Created a the folder hierarchy as seen in File Contents (below) with a text file at the bottom of each folder path containing a few words. ZIPed with 'infected.' Attempt to upload still failed.
• Repeated creation of fake contents, removed spaces from path, no change.
• Repeated creation of fake contents, removed parenthesis from path, no change.
• Repeated creation of fake contents, removed both spaces and parenthesis from path, no change.
• Created a folder with one subfolder and a text file in that subfolder, ZIPed with 'infected', no change.
• Removed all subfolders, just textfile remains, ZIPed with 'infected', no change. (Strange this did not work since it worked for the exe below--because a folder containing the file was ZIPed?)

File Contents (for reference):

• Program Files (x86)\<appname>\<subfolder>\app.exe (the quarantined file)
• ProgramData\McAfee\QuarMeta\<GUID> (contains metadata surrounding the quarantined file)

Success Under These Conditions:

• Uncheck "this file is a zipped archive".
• Add Original ZIP to a new ZIP with password 'test' or 'infected' (doesn't matter).
• Extract files, add just the app.exe quarantined file to a new ZIP with the 'infected' password, add as a ZIP Archive with 'infected' password. (Strange this worked when it did not work for the textfile above--because the ZIP was made from the EXE alone?)

This has happened in 3.1 and 3.2.1. Affects quarantined app.exe and app.msi. ZIP routine doesn't like the folders in the archive?

I took a look in /var/log/thehive/application.log and there's an error "org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-18 - POST /api/case//artifact returned 400 java.lang.IllegalArgumentException: Invalid prefix or suffix"

Complementary Information

Backed up and removed application.log. Restarted TheHive. Tried again. The only entry in the file after 18:32 when next I tried adding the original ZIP was:

2018-12-31 18:32:13,024 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-3 - POST /api/case/AWebX26ah8Oryrfdq6ei/artifact returned 400
java.lang.IllegalArgumentException: Invalid prefix or suffix
	at java.nio.file.TempFileHelper.generatePath(TempFileHelper.java:63)
	at java.nio.file.TempFileHelper.create(TempFileHelper.java:127)
	at java.nio.file.TempFileHelper.createTempFile(TempFileHelper.java:161)
	at java.nio.file.Files.createTempFile(Files.java:852)
	at org.elastic4play.services.TempSrv.newTemporaryFile(TempSrv.scala:56)
	at controllers.ArtifactCtrl.controllers$ArtifactCtrl$$extractAndCheckSize(ArtifactCtrl.scala:42)
	at controllers.ArtifactCtrl$$anonfun$$nestedInanonfun$create$1$1.$anonfun$applyOrElse$5(ArtifactCtrl.scala:94)
	at scala.collection.TraversableLike.$anonfun$map$1(TraversableLike.scala:234)
	at scala.collection.mutable.ResizableArray.foreach(ResizableArray.scala:59)
	at scala.collection.mutable.ResizableArray.foreach$(ResizableArray.scala:52)
	at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:48)
	at scala.collection.TraversableLike.map(TraversableLike.scala:234)
	at scala.collection.TraversableLike.map$(TraversableLike.scala:227)
	at scala.collection.AbstractTraversable.map(Traversable.scala:104)
	at controllers.ArtifactCtrl$$anonfun$$nestedInanonfun$create$1$1.applyOrElse(ArtifactCtrl.scala:94)
	at controllers.ArtifactCtrl$$anonfun$$nestedInanonfun$create$1$1.applyOrElse(ArtifactCtrl.scala:80)
	at scala.PartialFunction$Lifted.apply(PartialFunction.scala:224)
	at scala.PartialFunction$Lifted.apply(PartialFunction.scala:220)
	at scala.Option.collect(Option.scala:282)
	at controllers.ArtifactCtrl.$anonfun$create$1(ArtifactCtrl.scala:80)
	at org.elastic4play.controllers.Authenticated$$anon$1.$anonfun$invokeBlock$1(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

Workaround

Created an analyzer for a double password-protected, double zipped collection of files and folders. TheHive strips the password from the Outermost ZIP, then the Analyzer can be run to unzip the Innermost ZIP and add the files within as Observables using TheHive4Py (which of course get the malware password automatically placed on them) allowing other analyzers (e.g. VirusTotal) happily. (Might tinker further to add a toggle between auto-add and artifact/manual-add for files within the ZIP... just happy I've managed this much so far.)

[nadouani]

Hello, can you please run this command

unzip -vl YOUR-FILE.zip

The zip archive that contains protected observables must has a flat structure: no folders in it, just the files to convert as observable.

[Pcktech]

Hello,

The ZIP does not have a flat structure; I wasn't previously aware of that being a requirement (until the testing above), but that seemed to be the 'issue'/case after the testing.

As requested, however, the unzip -vl output:

Archive:  b05b028f-5f1d-452a-b572-f655651d125d.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
 1905664  Defl:N   950611  50% 08-03-2011 20:35 b42cdc72  Program Files (x86)/MicroNiche/WCCMS/ConnectionManager.exe
    3178  Defl:N      881  72% 01-00-1980 00:00 863d7915  ProgramData/McAfee/QuarMeta/b05b028f-5f1d-452a-b572-f655651d125d
--------          -------  ---                            -------
 1908842           951492  50%                            2 files

[nadouani]

I think that the UI should warn the users when something goes wrong during file observable creation, which is the subject of issue #829.