MacroMilter bypass with nested ZIP files

[robert-scheck]

I can bypass MacroMilter by using nested ZIP files, example:

1. Sample file zipwithinfectedandnotinfectedword.zip will be detected as malicious
2. zip nested.zip zipwithinfectedandnotinfectedword.zip
3. Sample file nested.zip will not be detected as malicious

2017-10-07 03:38:17,729 -    DEBUG: connect from localhost at ('::1', 52922, 0, 0)
2017-10-07 03:38:17,779 -    DEBUG: [3] Content-type: 'multipart/mixed'
2017-10-07 03:38:17,779 -    DEBUG: [3] Content-type: 'text/plain'
2017-10-07 03:38:17,779 -    DEBUG: [3] Analyzing attachment None
2017-10-07 03:38:17,779 -    DEBUG: [3] Content-type: 'application/zip'
2017-10-07 03:38:17,779 -    DEBUG: [3] Analyzing attachment 'nested.zip'
2017-10-07 03:38:17,779 -    DEBUG: Find Attachment with archive extension - File name: nested.zip
2017-10-07 03:38:17,779 -     INFO: File in zip detected! Name: zipwithinfectedandnotinfectedword.zip - check for VBA
2017-10-07 03:38:17,780 -    DEBUG: The attachment 'nested.zip' is clean.

I initially wanted to test an archive bomb, however this poorly failed. In case the observed behaviour is a bug and gets fixed, please avoid to get vulnerable to archive bombs (by adding max. nesting limits).

[sbidy]

Under development and implemented in testing branch.
Fixed:

• ZipBomb detection
• Extend config with "MAX_ZIP" parameter
• Now detect nested vba-files in archives

[robert-scheck]

Successfully verified with 3.4.3:

• Suspicious macros in nested ZIP files are detected
• Too many nested ZIP files are not handled, but rejected