Commit 18dc7e6973034c7933a1b1fad6632bb3111cda34
Merge remote-tracking branch 'origin/master'
Showing
2 changed files
with
17 additions
and
5 deletions
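--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -86,13 +86,13 @@ from os.path import dirname, abspath
 # little hack to allow absolute imports even if oletools is not installed
 # (required to run oletools directly as scripts in any directory).
 try:
-    from oletools.thirdparty import prettytable
+    from oletools.thirdparty.prettytable import prettytable
 except ImportError:
     PARENT_DIR = dirname(dirname(abspath(__file__)))
     if PARENT_DIR not in sys.path:
         sys.path.insert(0, PARENT_DIR)
     del PARENT_DIR
-    from oletools.thirdparty import prettytable
+    from oletools.thirdparty.prettytable import prettytable
 
 import olefile
 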
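--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -880,9 +880,16 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
                 ole_column += '\nTemp path = %r' % rtfobj.temp_path
                 ole_color = 'yellow'
                 # check if the file extension is executable:
-                _, ext = os.path.splitext(rtfobj.filename)
-                log.debug('File extension: %r' % ext)
-                if re_executable_extensions.match(ext):
+
+                _, temp_ext = os.path.splitext(rtfobj.temp_path)
+                log.debug('Temp path extension: %r' % temp_ext)
+                _, file_ext = os.path.splitext(rtfobj.filename)
+                log.debug('File extension: %r' % file_ext)
+
+                if temp_ext != file_ext:
+                    ole_column += "\nMODIFIED FILE EXTENSION"
+
+                if re_executable_extensions.match(temp_ext) or re_executable_extensions.match(file_ext):
                     ole_color = 'red'
                     ole_column += '\nEXECUTABLE FILE'
                 # else:
@@ -897,6 +904,11 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
                 if rtfobj.class_name == b'OLE2Link':
                     ole_color = 'red'
                     ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
+                # Detect Equation Editor exploit
+                # https://www.kb.cert.org/vuls/id/421280/
+                elif rtfobj.class_name.lower() == b'equation.3':
+                    ole_color = 'red'
+                    ole_column += '\nPossibly an exploit for the Equation Editor vulnerability (VU#421280, CVE-2017-11882)'
             else:
                 ole_column = 'Not a well-formed OLE object'
             tstream.write_row((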
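Review bot: The new extension-mismatch check at new line 889 compares `temp_ext` and `file_ext` case-sensitively, so a package whose two names differ only in extension case (`.EXE` vs `.exe`) is reported as MODIFIED FILE EXTENSION although Windows treats them as the same file type; normalising first, `if temp_ext.lower() != file_ext.lower():`, keeps the indicator for genuine mismatches only. The mismatch flag also leaves `ole_color` at 'yellow' while the executable check on the next lines promotes to 'red'; whether a changed extension warrants the same severity is a policy choice the commit does not state. In the second hunk, `rtfobj.class_name.lower()` at new line 909 assumes `class_name` is always bytes at this point, whereas the existing `== b'OLE2Link'` comparison tolerated None — worth confirming against the parser so a malformed object cannot abort the whole report with an AttributeError. The body of process_file starts and ends outside both hunks.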