Communcation problem between peekaboo and cuckoo

[JannisTriesToCode]

Using the latest version I am running into communication problems between cuckoo and peekaboo.

Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:   File "/opt/cuckoo/local/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:     return self.view_functions[rule.endpoint](**req.view_args)
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:   File "/opt/cuckoo/local/lib/python2.7/site-packages/cuckoo/apps/api.py", line 634, in cuckoo_status
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:     return jsonify(response)
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:   File "/opt/cuckoo/local/lib/python2.7/site-packages/flask/json.py", line 251, in jsonify
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:     if current_app.config['JSONIFY_PRETTYPRINT_REGULAR'] and not request.is_xhr:
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:   File "/opt/cuckoo/local/lib/python2.7/site-packages/werkzeug/local.py", line 347, in __getattr__
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]:     return getattr(self._get_current_object(), name)
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]: AttributeError: 'Request' object has no attribute 'is_xhr'
Feb 12 13:49:40 jannis-VirtualBox cuckoo[1338]: 2020-02-12 13:49:40,367 [werkzeug] INFO: 127.0.0.1 - - [12/Feb/2020 13:49:40] "GET /cuckoo/status HTTP/1.1" 500 -

Feb 12 13:51:30 jannis-VirtualBox peekaboo[7085]: urllib3.connectionpool - (MainThread) - DEBUG - http://127.0.0.1:8090 "GET /cuckoo/status HTTP/1.1" 500 290
Feb 12 13:51:30 jannis-VirtualBox peekaboo[7085]: peekaboo.toolbox.cuckoo - (MainThread) - ERROR - Invalid JSON in response when getting http://127.0.0.1:8090/cuckoo/status: Expecting value: line 1 column 1 (char 0)
Feb 12 13:51:30 jannis-VirtualBox peekaboo[7085]: peekaboo.toolbox.cuckoo - (MainThread) - CRITICAL - Connection to Cuckoo REST API failed

It could be related to the latest update of a dependency of flask. Link

[JannisTriesToCode]

It is in fact related to the mentioned flask dependency. With a targeted upgrade of flask I could resolve this issue:
sudo pip install --system -t /opt/cuckoo/local/lib/python2.7/site-packages --upgrade Flask

[michaelweiser]

Under which circumstances did the error occur? Was it right at startup or during the course of an analysis?

Did you also provide the git master of the Installer with a git master checkout of Peekaboo or did the installer install the releases Peekaboo 1.7 from PyPI? (/opt/peekaboo/bin/pip will report both as 1.7. Apart from looking at the actual installed code the best way to know is that you put a git checkout as PeekabooAV into the installer directory before running it.) If the former, can you retry with current git master of Peekaboo? See second verbatim block of https://github.com/scVENUS/PeekabooAV-Installer#this-is-what-you-type-copy---paste.

A class named Request presumably not containing is_xhr suggests a compatibility issue with some other module, likely something HTTP-related. And indeed grep finds:

$ grep -r is_xhr /opt/cuckoo/lib/python2.7/
/opt/cuckoo/lib/python2.7/site-packages/werkzeug/wrappers/base_request.py:    def is_xhr(self):
/opt/cuckoo/lib/python2.7/site-packages/werkzeug/wrappers/base_request.py:            "'Request.is_xhr' is deprecated as of version 0.13 and will"
/opt/cuckoo/lib/python2.7/site-packages/flask/json.py:    if current_app.config['JSONIFY_PRETTYPRINT_REGULAR'] and not request.is_xhr:

Note the deprecation warning turned up by grep right away. Is it possible that your cuckoo was somehow running with a more recent version of werkzeug from either inside or outside the venv?

What versions of flask and werkzeug were installed before the upgrade and what versions did the upgrade install? cuckoo requires flask==0.12.2 in its setup.py and that's what's installed on my system:

$ /opt/cuckoo/bin/pip list | grep -i flask
Flask              0.12.2
Flask-SQLAlchemy   2.4.0

werkzeug seems to be an indirect dependency and is not directly requested by cuckoo's setup.py. On my system I have:

~$ /opt/cuckoo/bin/pip list | grep -i werk
Werkzeug           0.16.1

As grep showed above that does still contain is_xhr even though deprecated and pip sees no reason to update it:

$ sudo /opt/cuckoo/bin/pip install --upgrade-strategy eager flask
Requirement already satisfied: flask in /opt/cuckoo/lib/python2.7/site-packages (0.12.2)
Requirement already satisfied: click>=2.0 in /opt/cuckoo/lib/python2.7/site-packages (from flask) (6.6)
Requirement already satisfied: Werkzeug>=0.7 in /opt/cuckoo/lib/python2.7/site-packages (from flask) (0.16.1)
Requirement already satisfied: itsdangerous>=0.21 in /opt/cuckoo/lib/python2.7/site-packages (from flask) (1.1.0)
Requirement already satisfied: Jinja2>=2.4 in /opt/cuckoo/lib/python2.7/site-packages (from flask) (2.9.6)
Requirement already satisfied: MarkupSafe>=0.23 in /opt/cuckoo/lib/python2.7/site-packages (from Jinja2>=2.4->flask) (1.1.1)

PyPI does have flask at 1.1.1 and werkzeug at 1.0.0. So flask 0.12.2 is likely actively keeping werkzeug at 0.16.1.

How come you're upgrading your system flask when the installer installs cuckoo in its own virtual environment in /opt/cuckoo? Shouldn't that venv still contain the offending flask (and werkzeug) and still mask the upgraded ones?

[michaelweiser]

sudo pip install --system -t /opt/cuckoo/local/lib/python2.7/site-packages --upgrade Flask

Ah, pip --system -t /opt/cuckoo. Huh. So you are upgrading the venv but using the system pip. I've never tried that but see no reason why it shouldn't work in principile. For simplicity you can just use /opt/cuckoo/bin/pip without special parameters and it will upgrade stuff in the venv.

Anyway, forget my last question above. So we should find out if and how you're ending up with a venv for cuckoo that contains a werkzeug without is_xhr in the first place.

[JannisTriesToCode]

I am using the latest version of peekabooAV.

According to this issue the Werkzeug library (dependency from Flask) recently received a major update (0.16.1 --> 1.0.0) and it looks like Flask (<=0.12.4) does not restrict it. The issue is just 3 days old.

I was actually pretty sure that there must be an easier solution than using the system pip, but I just didn't know how. Thanks for the tip. I will keep it in mind.

[michaelweiser]

Okay, I created a new venv and installed Cuckoo:

$ virtualenv --python=/usr/bin/python2 ~/foo
$ cd ~/cuckoo
$ ~/foo/bin/python setup.py install

This left me with exactly what you describe:

$ ~/foo/bin/pip list | grep -i flask\\\|werkzeug
Flask              0.12.2
Flask-SQLAlchemy   2.4.0
Werkzeug           1.0.0

Pinning dependency versions was supposed to help with this kind of thing: cuckoosandbox/cuckoo#602 but in this case actually achieved the opposite because flask isn't (or wasn't) doing the same.

Okay, so what are our options:

1. (IMO unconditionally) Raise an issue with Cuckoo so they fix their dependency on Flask because it's ultimately a Cuckoo dependency issue. Would you be willing to push this?
2. For the time being we could:
   a. Try to somehow keep Cuckoo's setup.py from pulling in the more recent Werkzeug, e.g. by preinstalling it at the old version and depending on setuptools being lazy on upgrades by default or
   b. Switch into "we know what we're doing mode" and run Cuckoo with recent Flask and Werkzeug, disregarding Cuckoo's pinned dependency versions.

[JannisTriesToCode]

I am willing to raise an issue with Cuckoo. However, I am not entirely sure about the wording. Here would be my suggestion.

There exists a dependency issue with Flask for recent Cuckoo installations, which causes communication problems. Logs can be found here. This issue provides an explanation:

The Werkzeug library (dependency from Flask) recently received a major update (0.16.1 --> 1.0.0) and it looks like Flask (<=0.12.4) does not restrict it.

The problem can be recreated with:

$ virtualenv --python=/usr/bin/python2 ~/foo
$ cd ~/cuckoo
$ ~/foo/bin/python setup.py install

The issue also proposes a solution. Either by upgrading Flask (> 1.0.0) or by restricting the version of Werkzeug (< 1.0)

Feel free to suggest changes. I am very new to this and appreciate every input.

[JannisTriesToCode]

Since I wanted to get the system working asap for my peekaboo yt tutorial I went with option b. For a stable solution I would go with what you suggest as the more experienced.

[michaelweiser]

I am willing to raise an issue with Cuckoo. However, I am not entirely sure about the wording. Here would be my suggestion.

Go for it. :) If you wanted to save the Cuckoo guys some digging through our diagnosis here you could add the cuckoo backtrace from your original report, the grepping I did on the venv and the pip list outputs showing the working and broken version combinations (0.12.2+0.16.1 and 1.1.1.+1.0.0 vs. 0.12.2+1.0.0). You could also circle back to my original question which interaction with cuckoo triggers the error. I'd guess it's any action via the REST api. If you could construct a curl command that triggers it reliably, that'd certainly help to reproduce (they won't have a whole Peekaboo installation around :).

[michaelweiser]

@JannisTriesToCode: Can you have a look at #61 to see if that fixes the issue?

[JannisTriesToCode]

I have only read the your code and tried it out, but it might just work. Let's wait for @Jack28 approval.