Commit 18dc7e6973034c7933a1b1fad6632bb3111cda34
Merge remote-tracking branch 'origin/master'
Showing
2 changed files
with
17 additions
and
5 deletions
oletools/oleid.py
| ... | ... | @@ -86,13 +86,13 @@ from os.path import dirname, abspath |
| 86 | 86 | # little hack to allow absolute imports even if oletools is not installed |
| 87 | 87 | # (required to run oletools directly as scripts in any directory). |
| 88 | 88 | try: |
| 89 | - from oletools.thirdparty import prettytable | |
| 89 | + from oletools.thirdparty.prettytable import prettytable | |
| 90 | 90 | except ImportError: |
| 91 | 91 | PARENT_DIR = dirname(dirname(abspath(__file__))) |
| 92 | 92 | if PARENT_DIR not in sys.path: |
| 93 | 93 | sys.path.insert(0, PARENT_DIR) |
| 94 | 94 | del PARENT_DIR |
| 95 | - from oletools.thirdparty import prettytable | |
| 95 | + from oletools.thirdparty.prettytable import prettytable | |
| 96 | 96 | |
| 97 | 97 | import olefile |
| 98 | 98 | ... | ... |
oletools/rtfobj.py
| ... | ... | @@ -880,9 +880,16 @@ def process_file(container, filename, data, output_dir=None, save_object=False): |
| 880 | 880 | ole_column += '\nTemp path = %r' % rtfobj.temp_path |
| 881 | 881 | ole_color = 'yellow' |
| 882 | 882 | # check if the file extension is executable: |
| 883 | - _, ext = os.path.splitext(rtfobj.filename) | |
| 884 | - log.debug('File extension: %r' % ext) | |
| 885 | - if re_executable_extensions.match(ext): | |
| 883 | + | |
| 884 | + _, temp_ext = os.path.splitext(rtfobj.temp_path) | |
| 885 | + log.debug('Temp path extension: %r' % temp_ext) | |
| 886 | + _, file_ext = os.path.splitext(rtfobj.filename) | |
| 887 | + log.debug('File extension: %r' % file_ext) | |
| 888 | + | |
| 889 | + if temp_ext != file_ext: | |
| 890 | + ole_column += "\nMODIFIED FILE EXTENSION" | |
| 891 | + | |
| 892 | + if re_executable_extensions.match(temp_ext) or re_executable_extensions.match(file_ext): | |
| 886 | 893 | ole_color = 'red' |
| 887 | 894 | ole_column += '\nEXECUTABLE FILE' |
| 888 | 895 | # else: |
| ... | ... | @@ -897,6 +904,11 @@ def process_file(container, filename, data, output_dir=None, save_object=False): |
| 897 | 904 | if rtfobj.class_name == b'OLE2Link': |
| 898 | 905 | ole_color = 'red' |
| 899 | 906 | ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)' |
| 907 | + # Detect Equation Editor exploit | |
| 908 | + # https://www.kb.cert.org/vuls/id/421280/ | |
| 909 | + elif rtfobj.class_name.lower() == b'equation.3': | |
| 910 | + ole_color = 'red' | |
| 911 | + ole_column += '\nPossibly an exploit for the Equation Editor vulnerability (VU#421280, CVE-2017-11882)' | |
| 900 | 912 | else: |
| 901 | 913 | ole_column = 'Not a well-formed OLE object' |
| 902 | 914 | tstream.write_row(( | ... | ... |