Error in get_signify #5

Open
seihtam opened this issue Nov 29, 2018 · 2 comments

seihtam commented Nov 29, 2018

All plugins are up to date.

Scanning FileZilla_3.38.1_win64-setup_bundled.exe (8de6ddd0687ba0075e10aad4c80dd80a436c4791a3a6d67cdfc7aa14da3ade0d) results in the following output from pescan:

>> docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`:/malice/samples --network="host" malice/engine scan --logs FileZilla_3.38.1_win64-setup_bundled.exe

...

2018-11-29 11:08:28,186 - malice - ERROR - sequence item 0: expected string, int found
Traceback (most recent call last):
  File "/usr/sbin/malice/__init__.py", line 788, in run
    self.results['signature'] = get_signify(self.file, log=log)
  File "/usr/sbin/malice/sig.py", line 22, in get_signify
    s_data.verify()
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 232, in verify
    signed_datas = list(self.signed_datas)
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 214, in signed_datas
    yield SignedData.from_certificate(certificate['certificate'], pefile=self)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 126, in from_certificate
    signed_data = SignedData(data, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 111, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 156, in _parse
    self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 54, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 67, in _parse
    super(AuthenticodeSignerInfo, self)._parse()
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 69, in _parse
    required=self._required_authenticated_attributes
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 138, in _parse_attributes
    ([_print_type(x) for x in required], [_print_type(x) for x in result]))
  File "/usr/lib/python2.7/site-packages/signify/__init__.py", line 8, in _print_type
    return ".".join(t)
TypeError: sequence item 0: expected string, int found

...

The error didn't occur with a couple of other exe files I tested.
This may be a bug in pescan itself.

Docker version:

Docker version:
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:49:01 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:16:44 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Docker info (with some info removed):

Docker info:
Containers: 6
 Running: 1
 Paused: 0
 Stopped: 5
Images: 26
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-39-generic
Operating System: Linux Mint 19
OSType: linux
Architecture: x86_64
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support


blacktop commented Dec 1, 2018

So it looks like a bug in github.com/jdval/signify. I added a catch-all except to at least not crash the whole plugin.

You have vvvvvvery interesting files sir 🤔 😉

Please download the plugin again and try again.

Thank you for letting me know! 👍

blacktop reopened this Dec 1, 2018

seihtam commented Dec 6, 2018

I still get almost the same error message:

2018-12-06 11:07:43,242 - malice.get_signify - ERROR - sequence item 0: expected string, int found
Traceback (most recent call last):
  File "/usr/sbin/malice/sig.py", line 22, in get_signify
    s_data.verify()
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 232, in verify
    signed_datas = list(self.signed_datas)
  File "/usr/lib/python2.7/site-packages/signify/signed_pe.py", line 214, in signed_datas
    yield SignedData.from_certificate(certificate['certificate'], pefile=self)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 126, in from_certificate
    signed_data = SignedData(data, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 111, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 156, in _parse
    self.signer_info = AuthenticodeSignerInfo(self.data['signerInfos'][0])
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 54, in __init__
    self._parse()
  File "/usr/lib/python2.7/site-packages/signify/authenticode.py", line 67, in _parse
    super(AuthenticodeSignerInfo, self)._parse()
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 69, in _parse
    required=self._required_authenticated_attributes
  File "/usr/lib/python2.7/site-packages/signify/signerinfo.py", line 138, in _parse_attributes
    ([_print_type(x) for x in required], [_print_type(x) for x in result]))
  File "/usr/lib/python2.7/site-packages/signify/__init__.py", line 8, in _print_type
    return ".".join(t)
TypeError: sequence item 0: expected string, int found

You can download the file from here if you want to test it yourself:
https://filezilla-project.org/download.php?platform=win64

(Same error with the newer FileZilla_3.39.0_win64-setup_bundled.exe (2dee099dd9ee30f466b373110623d1b8904709b9be099722bde19bdcf94dd2c8))
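
Added example, not part of the thread and not code from signify or malice: a reconstruction of the failure mode both tracebacks show, where `".".join(t)` runs only while an error message is being built, so the TypeError replaces the parser's real complaint. The function names, the `AttributeCheckError` class and the OID sample data are constructed for illustration.

```python
# Added illustration: all names are hypothetical, not signify or malice APIs.

class AttributeCheckError(Exception):
    """Stand-in for the parser's own 'required attributes missing' error."""

def print_type_buggy(t):
    # Same expression as the failing line in the traceback.
    return ".".join(t)

def print_type_safe(t):
    # Stringify each OID arc first so integer tuples format as dotted OIDs.
    if isinstance(t, (tuple, list)):
        return ".".join(str(arc) for arc in t)
    return getattr(t, "__name__", type(t).__name__)

def check_required(required, found, fmt):
    # The formatter only runs on the error path, as in the traceback.
    if any(oid not in found for oid in required):
        raise AttributeCheckError(
            "required attributes missing: required=%s found=%s"
            % ([fmt(x) for x in required], [fmt(x) for x in found]))
    return True

def summarize(required, found, fmt):
    # Catch-all wrapper: never crash the scan, always record why the check failed.
    try:
        check_required(required, found, fmt)
        return {"ok": True, "error_type": None, "error": None}
    except Exception as exc:
        return {"ok": False, "error_type": type(exc).__name__, "error": str(exc)}

# Constructed sample input: PKCS#9 contentType and messageDigest OIDs as int tuples.
REQUIRED = [(1, 2, 840, 113549, 1, 9, 3), (1, 2, 840, 113549, 1, 9, 4)]
FOUND = [(1, 2, 840, 113549, 1, 9, 3)]  # messageDigest deliberately absent

if __name__ == "__main__":
    for fmt in (print_type_buggy, print_type_safe):
        print(fmt.__name__, summarize(REQUIRED, FOUND, fmt))
```

With the string-safe formatter the recorded error names the attribute check rather than a TypeError, which is the detail an analyst needs when a signature check fails.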

blacktop pinned this issue Jan 7, 2019