CuckooCriticalError: VirtualBox VBoxManage not found

[woodchalk]

Not sure what's causing this error. Starting everything up with docker-compose up -d. The docker compose file was pulled from https://github.com/blacktop/docker-cuckoo/raw/master/docker-compose.yml outlined in the "Getting Started" guide.

Here's where I'm at with troubleshooting.

⇒  docker ps -a
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS                              PORTS                               NAMES
a99d0a35781f        blacktop/cuckoo:2.0      "/entrypoint.sh web"     About an hour ago   Up About an hour                    1337/tcp, 0.0.0.0:80->31337/tcp     cuckoodockercompose_web_1
847bb4e469da        blacktop/cuckoo:2.0      "/entrypoint.sh api"     About an hour ago   Up About an hour                    31337/tcp, 0.0.0.0:8000->1337/tcp   cuckoodockercompose_api_1
eeeafb0e608c        blacktop/cuckoo:2.0      "/entrypoint.sh da..."   About an hour ago   Exited (1) Less than a second ago                                       cuckoodockercompose_cuckoo_1
289e029bc89a        blacktop/elasticsearch   "/elastic-entrypoi..."   About an hour ago   Up About an hour                    0.0.0.0:9200->9200/tcp, 9300/tcp    cuckoodockercompose_elasticsearch_1
ef4d45e07f77        postgres                 "/docker-entrypoin..."   About an hour ago   Up About an hour                    0.0.0.0:5432->5432/tcp              cuckoodockercompose_postgres_1
145131d0c16b        mongo                    "/entrypoint.sh mo..."   About an hour ago   Up About an hour                    0.0.0.0:27017->27017/tcp            cuckoodockercompose_mongo_1

---

⇒  docker logs cuckoodockercompose_cuckoo_1
===> Use default ports and hosts if not specified...
ES_HOST=
ES_PORT=
MONGO_HOST=
MONGO_TCP_PORT=
POSTGRES_HOST=
POSTGRES_TCP_PORT=
RESULTSERVER=0.0.0.0

===> Update /cuckoo/conf/reporting.conf if needed...




                               ),-.     /
  Cuckoo Sandbox              <(a  `---',' 
     no chance for malwares!  ( `-, ._> )
                               ) _>.___/
                                   _/

 Cuckoo Sandbox 2.0-dev
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

2017-01-20 00:53:18,048 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-01-20 00:53:18,158 [root] CRITICAL: CuckooCriticalError: VirtualBox VBoxManage not found at specified path "/usr/bin/VBoxManage"
 Checking for updates...
 You are running a development version! Current stable is 2.0-rc1.

---

⇒  ll /usr/bin/VBoxManage
lrwxrwxrwx 1 root root 27 Jul 12  2016 /usr/bin/VBoxManage -> ../share/virtualbox/VBox.sh

⇒  /usr/bin/VBoxManage -v
5.0.24_Ubuntur108355

[blacktop]

So I need to add the docs that you should update the config files to point at remote machineries only. I mention on the main README.md, but I understand how it can be confusing from the other docs. So the problem is that it is running in docker so VBoxManage doesn't exist inside the container... so we need to go... deeper. :inception-sound: We need a way to talk to binaries outside docker from within docker in a safe way to orchestrate the hypervisor from within the hypervisor!? I have an idea how to do it I just haven't finished it yet.

[carlosotgz]

@blacktop I'm trying to figure out how to perform this "connection". Have you been able to work on it? What are your thoughts? I might be able to implement it if you are too busy for it

[blacktop]

What ideas do you have? Pull requests are always welcome ;)

[carlosotgz]

@blacktop Well, it's more a hack rather than a real solution. I just created a wrapper to VBoxManage that connects to the host and pass the arguments that cuckoo uses to the actual VBoxManage. However, I'm facing some problems with tcpdump and other stuff as the container cannot see the VirtualBox interface, but I think I can apply the same "solution".

Anyway, at the moment I'm able to submit files to cuckoo but directly from within the cuckoo container. It does not work submitting on the web interface. The web interface works, but it seems it does not trigger anything on the actual cuckoo engine. Has it happened to you?

[carlosotgz]

@blacktop btw, the "web" container can see cuckoo container and even reach the port 2042 (cuckoo default). I had to past a different RESULTSERVER to cuckoo in order to bind the service to an IP reachable by VirtualBox, and another RESULTSERVER to all remaining services so they can reach cuckoo internally. However, as said before, it does not trigger the scan process.

[blacktop]

It sounds like you did something similar to this https://github.com/blacktop/vm-proxy

[carlosotgz]

Kinda. I see you have used the web interface VirtualBox provides and made sure to implement all communications performed by Cuckoo. On my part, I simply passed the commands straight forward to the host machine via SSH. I could argue it's more secure and scalable this way, as Cuckcoo can use any VBoxManage commands it needs, and not only those who are already implemented in this translator. What do you think?

I see that you are facing the same problem than me with tcpdump. I will let you know if my solutions works for this case as well.

BTW, any thoughts about why my whole setup seems as it's not completely integrated? I would like to make a PR as soon as I have everything working, but I'm a little stuck with it.

[blacktop]

More secure? You are talking about remote code execution on the host via a "maybe" untrusted docker container 😉 A buddy and I thought of the ssh solution first as well, but it was too scary to do. However, I know there are people that are trying this on some hardware they don't care about so it might be a simple solution that they wouldn't mind doing, but if we add it as an option I would want to warn them of the dangers of using ssh to talk to the host from the container. What do you think?

I prefer my solution as the official way to do it as I am not trusting communication from the container and only let them do the things they need to do and don't trust any input

However, I think a better solution would be to figure out how to use KVM inside docker that way it can all be in docker and you don't have to use these weird hacks?

[blacktop]

To fix your networking issue have you tried telling docker to use the host network? via a cmd like this: docker run --net=host ?

[carlosotgz]

Maybe. I think you are right regarding code execution as it's exactly what the solution is about. However, SSH provides a security layer against tampering and provides authentication as well (obviously), which a plain HTTP connection won't grant, and configuring it would require more stuff. So far I have been thinking about using VirtualBox on the same host that Docker is and, if you had access to the container, you most likely will have direct access to the host too. I agree it can and should be improved in the future (maybe creating a new user on the host limited to run VirtualBox or something like that - haven't thought much about it).

Regarding the connectivity problem, it turns out that the different parts of cuckoo interact with each others via its database and the default configuration uses SQLite, which won't be visible by all the containers. I moved to Postgres but I have found some problems due to missing dependencies (psycopg2) and conflicting dependencies (libressl-dev conflicts with openssl-dev - the former is required by postgres dev library). I have fixed the problem and will make a PR (probably next week) in case anyone wants to use Postgres.

Regarding KVM, what were you thinking? Connect directly to the host via SSH? (sorry if I don't get you - my mind is quite messed up with the VirtualBox thing)

Finally, have you considered some solutions for the tcpdump problem? I see Cuckoo trying to save the resulting pcap file to a local directory (on the host) which does not exist. Furthermore, I'm trying to figure out how I'm going to move that file into the container without touching the Cuckoo source code 😅

[blacktop]

You are missing the point completely. What does it matter if the HTTP connection is tampered with you can only run approved vbox commands and it is trivially add SSL.

In the SSH solution you are trusting that the docker image hasn't been tampered with somewhere in the pipeline and that it is running vbox commands and not rm -rf / commands. With the vm-proxy solution you don't have to change cuckoo's source code at ALL.

That is the balance that I had to consider when I was thinking about how to solve this.

Using the cuckoo KVM machinery would allow for running the Windows VM inside of docker so it would all use the same network and you wouldn't have to talk to VirtualBox is this way escaping the container (talking the the host running the VM from within the VM) It wouldn't require ssh or vm-proxy.

I am going to close this issue as it is not a good place to talk about this as other people who might want to chime in probably don't see or know it is exists so create a PR and we can discuss there.

Thanks!

[tuxx42]

@blacktop, i used your docker file and bindmount /dev/vboxdrv0 into the container, after that i can use VBoxManage from inside your container. Cheers

[blacktop]

holy $%!@ if that works that is awesome!

Did you also map in the VBoxManage binaries? I'll check it out.

      🤠
   💯💯💯💯
  💯  💯 💯
 👇  💯💯 👇
   💯   💯
   💯   💯
   👢   👢

[tuxx42]

Hey, well yes i tried that and it works but then i decided to simply install the same version of the vbox tools inside the image. It works like a charm for me. I derived my dockerfile from yours (much of it will be familiar), but as you can see i'm basing it off of debian:stretch (my host system) $ cat Dockerfile FROM debian:stretch LABEL maintainer "https://github.com/blacktop" ENV CUCKOO_VERSION 2.0.4 ENV CUCKOO_CWD /cuckoo ENV SSDEEP ssdeep-2.13 # Install Cuckoo Sandbox Required Dependencies COPY requirements.txt /tmp/requirements.txt RUN apt-get update && apt-get install -y tcpdump RUN apt-get install -y python \ python-pip \ python-dev \ libffi-dev \ libssl-dev \ python-virtualenv \ python-setuptools \ libjpeg-dev \ zlib1g-dev \ swig \ postgresql \ libpq-dev \ wget \ curl RUN echo deb http://download.virtualbox.org/virtualbox/debian stretch contrib | tee -a /etc/apt/sources.list.d/virtualbox.list \ && wget -qO - https://www.virtualbox.org/download/oracle_vbox_2016.asc | apt-key add - RUN apt-get update && apt-get install -y virtualbox-5.1 RUN wget -q http://download.virtualbox.org/virtualbox/5.1.28/Oracle_VM_VirtualBox_Extension_Pack-5.1.28-117968.vbox-extpack && \ yes | VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.1.28-117968.vbox-extpack RUN pip install cryptography==1.9 RUN echo "===> Install Cuckoo Sandbox..." \ && useradd -u 2000 -m -s /bin/bash -d /cuckoo cuckoo \ && export PIP_NO_CACHE_DIR=off \ && export PIP_DISABLE_PIP_VERSION_CHECK=on \ && pip install --upgrade pip wheel \ && LDFLAGS=-L/lib pip install cuckoo==$CUCKOO_VERSION \ && cuckoo \ && cuckoo community #RUN echo "===> Install mitmproxy..." \ # && LDFLAGS=-L/lib pip install mitmproxy \ # && pip install -r /tmp/requirements.txt \ # && echo "===> Clean up unnecessary files..." \ # && rm -rf /tmp/* RUN pip install flask==0.12.2 && apt-get install swig ENV TINI_VERSION v0.16.1 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /sbin/tini RUN chmod +x /sbin/tini RUN apt-get -y install git && git clone https://github.com/ncopa/su-exec.git && \ cd su-exec && make && install -m 755 su-exec /sbin/su-exec RUN pip install psycopg2 RUN rm -rf /cuckoo/analyzer /cuckoo/monitor && \ cp -r /usr/local/lib/python2.7/dist-packages/cuckoo/data/* /cuckoo && \ touch /cuckoo/.cwd RUN chown -R cuckoo:cuckoo /cuckoo RUN apt-get install python-m2crypto COPY conf /cuckoo/conf COPY update_conf.py /update_conf.py COPY docker-entrypoint.sh /entrypoint.sh COPY local_settings.py /cuckoo/web/local_settings.py WORKDIR /cuckoo VOLUME ["/dev/vboxdrv", "/cuckoo/conf"] EXPOSE 1337 31337 ENTRYPOINT ["/entrypoint.sh"] CMD ["--help"]

…

On Thu, Sep 28, 2017 at 3:57 AM, blacktop ***@***.***> wrote: holy $%!@ if that works that is awesome! Did you also map in the VBoxManage binaries? I'll check it out. 🤠 💯💯💯💯 💯 💯 💯 👇 💯💯 👇 💯 💯 💯 💯 👢 👢 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#9 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABF-HAdDBYxUtYFCbkSbLBQYCS4EEr8iks5smvzzgaJpZM4Lo2tE> .

[blacktop]

can I ask how big that image is?