View Issue Details

ID: 0000522
Project: file
Category: General
View Status: public
Last Update: 2024-05-13 12:01
Reporter: gdesmar
Assigned To: christos
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 5.45
Summary: 0000522: Python script identified as .ini with dos newlines
Description

You will find the inidos.py file attached in the zip archive (password zippy). The Python script may not make the most sense, as it was edited to remove any malicious behaviour from the original sample.
When I use libmagic/file on the Python script, it gets identified as a "Generic INItialization configuration" file.
If I convert the file to unix newlines using dos2unix, it gets identified as a "Python script, ASCII text executable" file. (Great!)
If I keep the dos newlines and remove the first line, which is empty, it gets identified as an "ASCII text, with CRLF line terminators" file.

I am not certain I will be able to help much more regarding the cause of the misidentification, but I am available and happy to try to answer any question to help.
Thank you!
Steps To Reproduce

I started a docker container with debian:12.5 (libmagic 5.44) and debian:trixie (libmagic 5.45) to test both versions after installing them with `apt update && apt install -y file`.
Additional Information

This issue was first raised on the Assemblyline issue tracker (https://github.com/CybercentreCanada/assemblyline/issues/213).
The password for the zip file is "zippy".

Tags: ini, python
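A defender-side check that follows the reporter's manual steps programmatically: run the identifier on the original bytes, on the dos2unix form and on the form without the leading blank line, and treat any disagreement as a signal that a single libmagic verdict should not be trusted for routing. This is an added example, not code from the reporter or from the file project; it assumes the `file` CLI is installed (it is invoked as `file --brief -`, reading stdin), and the sample bytes are constructed here because the attachment is not reproduced on this page, so whether they trip the misidentification depends on the libmagic version in use.

```python
import shutil
import subprocess
from typing import Callable, Dict

def to_unix_newlines(data: bytes) -> bytes:
    """Same transformation as dos2unix: every CRLF becomes LF."""
    return data.replace(b"\r\n", b"\n")

def drop_leading_blank_lines(data: bytes) -> bytes:
    """Remove empty lines (CRLF or LF) from the start of the file."""
    while data.startswith(b"\r\n") or data.startswith(b"\n"):
        data = data[2:] if data.startswith(b"\r\n") else data[1:]
    return data

def libmagic_describe(data: bytes) -> str:
    """Describe in-memory bytes with the file(1) CLI, which reads '-' as stdin."""
    if shutil.which("file") is None:
        raise RuntimeError("file(1) is not installed")
    proc = subprocess.run(["file", "--brief", "-"], input=data,
                          capture_output=True, check=True)
    return proc.stdout.decode("utf-8", errors="replace").strip()

def identify_variants(data: bytes,
                      describe: Callable[[bytes], str] = libmagic_describe) -> Dict[str, str]:
    """Identify the original and the two normalised forms the reporter tried by hand.
    The describe callable is injectable so the logic can be exercised without file(1)."""
    variants = {
        "original": data,
        "unix_newlines": to_unix_newlines(data),
        "no_leading_blank_lines": drop_leading_blank_lines(data),
    }
    return {name: describe(blob) for name, blob in variants.items()}

def identification_is_stable(results: Dict[str, str]) -> bool:
    """True only when every normalised variant received the same description."""
    return len(set(results.values())) == 1

# Constructed stand-in for the attached sample (not on this page): a leading empty
# line and CRLF terminators, followed by harmless Python.
SAMPLE = b"\r\nimport os\r\n\r\ndef main():\r\n    print(os.getcwd())\r\n\r\nmain()\r\n"

if __name__ == "__main__":
    results = identify_variants(SAMPLE)
    for name, desc in results.items():
        print(f"{name:24s} {desc}")
    print("stable:", identification_is_stable(results))
```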

Activities

gdesmar

2024-05-06 21:12

reporter

inidos.py.zip (1,086 bytes)

christos

2024-05-12 18:28

manager ~0004043

unzip says password incorrect.

gdesmar

2024-05-13 12:01

reporter ~0004047

I'm sorry for the misunderstanding. Could we confirm the zip file hash that you get when you download it?
I tried to redownload it from this ticket, and was able to open it with 7zip 23.01, unzip 6.00 and on a Windows computer using Windows Explorer.

In case it does not work, I uploaded the file to Pastebin (https://pastebin.com/raw/i7RDtM8Z) from where I was able to do a wget and get the same hash as the original python script in the zip file.
zippy.png (49,056 bytes)

Issue History

Date Modified Username Field Change
2024-05-06 21:12 gdesmar New Issue
2024-05-06 21:12 gdesmar Tag Attached: ini
2024-05-06 21:12 gdesmar Tag Attached: python
2024-05-06 21:12 gdesmar File Added: inidos.py.zip
2024-05-12 18:28 christos Assigned To => christos
2024-05-12 18:28 christos Status new => assigned
2024-05-12 18:28 christos Status assigned => feedback
2024-05-12 18:28 christos Note Added: 0004043
2024-05-13 12:01 gdesmar Note Added: 0004047
2024-05-13 12:01 gdesmar File Added: zippy.png
2024-05-13 12:01 gdesmar Status feedback => assigned