Related vulnerability
Title: CAPE security vulnerability (CVE-2025-61301)
Description: CAPE is a malware sandbox developed by the individual developer Kevin O'Reilly. CAPE contains a denial-of-analysis flaw in reporting/mongodb.py and reporting/jsondump.py: an attacker can submit a sample that generates deeply nested or oversized behavior data, triggering MongoDB BSON limits or orjson recursion errors, so that the behavior analysis report is incomplete or missing.
Description
CAPEv2 reporting/mongodb.py and reporting/jsondump.py allow denial-of-analysis when deeply nested or oversized behavior documents trigger orjson serialization errors or MongoDB BSON size/nesting limits, causing truncated or missing analysis reports.
Introduction
# CVE-2025-61301 - CAPEv2: Denial-Of-Analysis via Recursive Process Forking
## Description
Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.
---
## Authors / Researchers
- **Evgenios Gkritsis** - Department of Informatics, Athens University of Economics and Business, Greece
- **Constantinos Patsakis** - Department of Informatics, University of Piraeus, Greece
- **George Stergiopoulos** - Department of Informatics, Athens University of Economics and Business, Greece
---
## Details
The root cause of this vulnerability lies in CAPEv2’s handling of large, deeply nested behavior reports generated during dynamic malware analysis.
- **MongoDB BSON Document Size Limit:**
CAPEv2 uses MongoDB to store analysis reports, and MongoDB enforces a **16 MB BSON document size limit** [1].
When reports exceed this size, often due to extensive process trees, API calls, or recursive data, the database rejects the insert, causing report generation to fail.
- **MongoDB Nesting Depth Limit:**
MongoDB also enforces a **maximum nesting depth of 100 levels per BSON document**.
Recursive malware behaviors can easily exceed this, leading to insert failures even when the document size is under 16 MB.
- **Python JSON Serialization Limits:**
CAPEv2 relies on Python’s **orjson** library to serialize results into JSON.
Deeply nested or recursive structures cause the serializer to hit Python’s recursion limits, leading to serialization failures and aborted report generation [2].
- **Pruning and Error Handling:**
CAPEv2 attempts to mitigate these issues by pruning large portions of the report progressively (removing child nodes or entire process subtrees).
However, this is insufficient when behavior complexity surpasses pruning thresholds, resulting in repeated failures to save the report.
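As an added illustration of the two MongoDB limits and the pruning problem described above (this is not CAPEv2's own code; the helper names and the `__truncated__` marker key are hypothetical), the following pre-insert guard measures the nesting depth and approximate size of a behavior document and caps its depth explicitly, so that an oversized process tree degrades to a visibly marked truncation instead of a failed insert and an empty behavior tab. It uses the standard-library `json` module as a stand-in for orjson so it runs offline, and its sample process tree is constructed, not real sandbox output.

```python
import json

MAX_BSON_DEPTH = 100               # MongoDB nesting limit cited above (root counts as level 1)
MAX_BSON_BYTES = 16 * 1024 * 1024  # MongoDB 16 MB document limit cited above
TRUNCATED = "__truncated__"        # hypothetical marker key, not a CAPEv2 field


def nesting_depth(obj):
    """Count container levels iteratively; a recursive count would itself trip the recursion limit."""
    depth, stack = 0, ([(obj, 1)] if isinstance(obj, (dict, list)) else [])
    while stack:
        node, level = stack.pop()
        depth = max(depth, level)
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            if isinstance(child, (dict, list)):
                stack.append((child, level + 1))
    return depth


def cap_depth(obj, max_depth=MAX_BSON_DEPTH):
    """Copy obj, replacing any subtree that would exceed max_depth with a flat, visible marker.

    The recursion here is bounded by max_depth, so it cannot overflow on a deep input."""
    def walk(node, level):
        if not isinstance(node, (dict, list)):
            return node
        if level >= max_depth and nesting_depth(node) > 1:
            return {TRUNCATED: True, "dropped_levels": nesting_depth(node) - 1}
        if isinstance(node, dict):
            return {k: walk(v, level + 1) for k, v in node.items()}
        return [walk(v, level + 1) for v in node]
    return walk(obj, 1)


def check_document(doc):
    """Pre-insert check against both limits; JSON length stands in for BSON size (approximate)."""
    depth = nesting_depth(doc)
    try:
        size = len(json.dumps(doc))
    except RecursionError:  # the same failure mode the report attributes to orjson
        size = None
    return {"depth": depth, "bytes": size,
            "depth_ok": depth <= MAX_BSON_DEPTH,
            "size_ok": size is not None and size <= MAX_BSON_BYTES}


def build_process_tree(levels):
    """Constructed sample: a chain of `levels` forked child processes (not real sandbox output)."""
    node = {"pid": levels, "api_calls": ["NtCreateProcess"], "children": []}
    for pid in range(levels - 1, 0, -1):
        node = {"pid": pid, "api_calls": ["NtCreateProcess"], "children": [node]}
    return node


if __name__ == "__main__":
    deep = build_process_tree(150)          # 300 container levels: the insert would fail
    print(check_document(deep))
    print(check_document(cap_depth(deep)))  # depth capped at 100, truncation stays visible
```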
---
### Manifestation in Practice
- Analysis jobs with long timeouts and complex payloads produce large reports that trigger these limits.
- The system logs **MongoDB OperationFailure Code 15** errors and **“Recursion limit reached”** errors during JSON serialization.
- Final reports often show **no behavioral data** or indicate **failed reporting**, making it appear as if the malware was benign or inactive.
---
## Impact
This is a denial-of-analysis vulnerability in CAPEv2 that can cause the dynamic analysis engine to fail to capture or report behavioral activity. Exploitation allows adversaries to bypass behavioral detection and produce incomplete or missing analysis reports.
### Key impacts
- **Detection Evasion:** Malicious behavior may not be recorded or reported, causing malware to appear clean or benign in analysis results.
- **False Confidence:** CAPEv2 can complete analyses with no visible errors while behavior logging has partially or fully failed, giving analysts a misleading sense of security.
- **Reusable Evasion Technique:** The technique can be embedded into loaders, droppers, or staged payloads, making it reusable across campaigns.
- **Ease of Exploitation:** The technique is straightforward to reproduce and does not require deep technical expertise, increasing its appeal for mass distribution or red-team tooling.
### Downstream consequences
In pipelines that depend on CAPEv2 for triage or threat intelligence enrichment, this flaw can lead to:
- Missed IOCs
- Misclassification of advanced threats
- Incomplete forensic timelines
---
## Affected Products
**CAPEv2 — repository:** `https://github.com/kevoreilly/CAPEv2`
**Relevant commit / build information**
- **Commit Hash:** `52e4b43a2cb508d3483819042cf8e4d8348f3a05`
- **Commit Date:** Tue, June 17, 2025 — 16:09:50 (UTC+1)
- **Author:** Kevin O'Reilly (`kevoreilly@gmail.com`)
- **Branch:** `master`
- **Relevant PR / Merge:** PR #2624 — `enzok/updates-01`
---
### Evidence Table
The following table presents evidence from multiple analysis tasks, showing how increasing complexity and duration lead to MongoDB and serialization failures, resulting in incomplete or missing behavior reports.
| Timeout (sec) | Custom Settings | Duration (sec) | Logged Processes | BSON Logs (Files / Size) | Report.json Size (KB) | Errors / Warnings | Behavior Status |
|---------------|-----------------|----------------|------------------|--------------------------|-----------------------|------------------|-----------------|
| 60 | enforce-timeout | 413 | 24 | 25 / 126 KB | 613 | – | Behavior OK |
| 60 | – | 252 | 38 | 39 / 200 KB | 923 | – | Behavior OK |
| 60 | full-proc-memory-dumps, import-reconstruction-proc-dumps, enforce-timeout, syscall | 230 | 42 | 43 / 230 KB | 1054 | – | Behavior OK |
| 100 | full-proc-memory-dumps, import-reconstruction-proc-dumps, enforce-timeout, syscall | 330 | 61 | 62 / 318 KB | 1482 | – | Behavior OK |
| 100 | – | 277 | 81 | 82 / 493 KB | 2032 | – | Behavior OK |
| 120 | full-proc-memory-dumps, import-reconstruction-proc-dumps, enforce-timeout, syscall | 340 | 72 | 73 / 383 KB | 1793 | – | Behavior OK |
| 120 | – | – | 88 | 89 / 475 KB | 2228 | – | Behavior OK |
| 180 | full-proc-memory-dumps, import-reconstruction-proc-dumps, enforce-timeout, syscall | 414 | 90 | 91 / 492 KB | 2356 | MongoDB Code 15 | No behavior |
| 180 | – | 323 | 88 | 89 / 475 KB | 2228 | – | Behavior OK |
| 200 | – | 413 | 119 | 120 / 645 KB | 3174 | MongoDB Code 15 | No behavior |
| 200 | full-proc-memory-dumps, import-reconstruction-proc-dumps, enforce-timeout | – | – | 144 / 726 KB | – | Recursion limit reached, MongoDB Code 15 | Failed reporting |
| 300 | – | 513 | 146 | 147 / 779 KB | 3676 | MongoDB Code 15 | No behavior |
| 300 | full-proc-memory-dumps, import-reconstruction-proc-dumps, enforce-timeout, syscall | – | – | 167 / 892 KB | – | Recursion limit reached, MongoDB Code 15 | Failed reporting |
**Table 1:** CAPEv2 analysis results showing correlation between task complexity, report size, and failure conditions.
## Proof Of Concept (PoC)
### Summary
Spawns 5,000 processes and performs multi-round XOR decryption at runtime to emulate realistic evasion. For custom builds (different recursion rounds, key lengths, or process volumes), contact the authors for a custom version.
**Run the demo:**
```cmd
poc\vathos_demo.exe <IP> <PORT>
```
Make sure a listener is running on the specified IP/PORT (e.g., nc, ncat, Metasploit, or any C2 listener) to observe connection attempts. In a properly functioning sandbox the connection attempt would be visible; under the denial-of-analysis conditions described, the connection may not appear in CAPEv2 reports.
## Suggested CAPEv2 configurations for testing
- **Timeout range:** `180+` seconds
**Options to vary:**
- With / without `full-proc-memory-dumps`
- With / without `import-reconstruction-proc-dumps`
- `store_compressed = yes` and `store_compressed = no`
Ensure MongoDB and `orjson` are using their **default limits** for these tests.
## Expected results
As process-tree depth and complexity increase, reporting failures may occur such as:
- **MongoDB Code 15** (BSON document size exceeded)
- **BSON nesting limit** exceeded
- **Python / `orjson` recursion limit** reached
CAPEv2 may:
- Fail to generate full reports
- Omit behavioral data
- Display unresponsive behavior in the web interface
- Fail to detect the malicious activity
Figure 1 - Backend logs showing JSON dump warnings, orjson/serialization errors and MongoDB OperationFailure entries
Figure 2 - Dashboard: failed_analysis
Figure 3 - Behavioral tab: "Sorry! No behavior."
---
## Severity
The severity of this vulnerability was assessed using the **CVSS v3.1** calculator with the following metrics:
- **Attack Vector:** Local
- **Attack Complexity:** Low
- **Privileges Required:** None
- **User Interaction:** None
- **Scope:** Unchanged
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Low
**CVSS v3.1 vector:** `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
**Estimated CVSS v3.1 base score:** **4.0 (Medium)**
---
## References
1. MongoDB, “MongoDB Limits and Thresholds”, MongoDB Database Manual. https://www.mongodb.com/docs/manual/reference/limits/
2. ijl, “orjson: fast, correct Python JSON library”. https://github.com/ijl/orjson
File snapshot

```text
[4.0K] /data/pocs/e536e0bb842610e82fa276323ce06e6422feb7e0
├── [4.0K] poc
│   ├── [ 456] details.txt
│   ├── [2.1K] encrypt.py
│   ├── [2.6K] onion.c
│   └── [243K] vathos_demo.exe
├── [8.6K] README.md
└── [4.0K] screenshots
    ├── [199K] cape-01.png
    ├── [100K] cape-02.png
    └── [119K] cape-03.png

2 directories, 8 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been removed or cannot be reached, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.