Commit 2e20e6fa62c29eaa9c083489d42ff13d6a957f58
1 parent
04b118c2
ensure uppercase KNOWN_CLSIDS matching
Showing
4 changed files
with
21 additions
and
9 deletions
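--- a/oletools/common/clsid.py
+++ b/oletools/common/clsid.py
@@ -66,10 +66,10 @@ KNOWN_CLSIDS = {
 '00000306-0000-0000-C000-000000000046': 'Pointer Moniker',
 '00000308-0000-0000-C000-000000000046': 'Packager Moniker',
 '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',
-'0000031a-0000-0000-C000-000000000046': 'Class Moniker',
+'0000031A-0000-0000-C000-000000000046': 'Class Moniker',
 '00000535-0000-0010-8000-00AA006D2EA4': 'ADODB.RecordSet (may trigger CVE-2015-0097)',
-'0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
-'0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
+'0002034C-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
+'0002034E-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
 '00020810-0000-0000-C000-000000000046': 'Microsoft Excel.Sheet.5',
 '00020811-0000-0000-C000-000000000046': 'Microsoft Excel.Chart.5',
 '00020820-0000-0000-C000-000000000046': 'Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)',
@@ -79,7 +79,7 @@ KNOWN_CLSIDS = {
 '00020833-0000-0000-C000-000000000046': 'Microsoft Excel binary sheet with macro enabled (Excel.SheetBinaryMacroEnabled.12)',
 '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document (Word.Document.6)',
 '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document (Word.Document.8)',
-'00020907-0000-0000-c000-000000000046': 'Microsoft Word Picture (Word.Picture.8)',
+'00020907-0000-0000-C000-000000000046': 'Microsoft Word Picture (Word.Picture.8)',
 '00020C01-0000-0000-C000-000000000046': 'OLE Package Object (may contain and run any file)',
 '00021401-0000-0000-C000-000000000046': 'Windows LNK Shortcut file', # ref: https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc
 '00021700-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)',
@@ -180,8 +180,8 @@ KNOWN_CLSIDS = {
 'D93CE8B5-3BF8-462C-A03F-DED2730078BA': 'Loads WUAEXT.DLL (Known Related to CVE-2015-6128)',
 'DD9DA666-8594-11D1-B16A-00C0F0283628': 'MSCOMCTL.ImageComboCtrl (may trigger CVE-2014-1761)',
 # Referenced in https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=652438 :
-'DF630910-1C1D-11d0-AE36-8C0F5E000000': 'pythoncomloader27.dll (related to CVE-2021-27058)',
-'DFEAF541-F3E1-4c24-ACAC-99C30715084A': 'Silverlight Objects',
+'DF630910-1C1D-11D0-AE36-8C0F5E000000': 'pythoncomloader27.dll (related to CVE-2021-27058)',
+'DFEAF541-F3E1-4C24-ACAC-99C30715084A': 'Silverlight Objects',
 'E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4': 'InkEd.InkEdit',
 'E8CC4CBE-FDFF-11D0-B865-00A0C9081C1D': 'MSDAORA.1 (potential exploit CVE TODO)', # TODO
 'E8CC4CBF-FDFF-11D0-B865-00A0C9081C1D': 'Loads OCI.DLL (Known Related to CVE-2015-6128)',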
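--- a/oletools/oledir.py
+++ b/oletools/oledir.py
@@ -125,8 +125,9 @@ def sid_display(sid):
 return sid
 
 def clsid_display(clsid):
-if clsid in KNOWN_CLSIDS:
-clsid += '\n%s' % KNOWN_CLSIDS[clsid]
+clsid_upper = clsid.upper()
+if clsid_upper in KNOWN_CLSIDS:
+clsid += '\n%s' % KNOWN_CLSIDS[clsid_upper]
 color = 'yellow'
 if 'CVE' in clsid:
 color = 'red'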
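Review bot: The case normalization is repeated by hand at each lookup site, `clsid_upper = clsid.upper()` here and `rtfobj.clsid.upper()` in oletools/rtfobj.py, so any caller of `KNOWN_CLSIDS` not touched by this commit would still miss entries when a CLSID arrives in lower case. In `clsid_display` a miss means the CVE-tagged description is never appended and the `'CVE' in clsid` check just below cannot turn the colour red, so a known-risky object is shown like an ordinary one. Keeping the rule in one lookup helper next to the table in oletools/common/clsid.py, built around `KNOWN_CLSIDS.get(clsid.upper(), default)`, would remove that dependency on every caller remembering it. A one-line docstring on `clsid_display` stating that the match is case-insensitive would also help; the function body continues past the end of the hunk.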
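--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -710,7 +710,7 @@ class RtfObjParser(RtfParser):
 if olefile.isOleFile(obj.data):
 ole = olefile.OleFileIO(obj.data)
 rtfobj.clsid = ole.root.clsid
-rtfobj.clsid_desc = clsid.KNOWN_CLSIDS.get(rtfobj.clsid,
+rtfobj.clsid_desc = clsid.KNOWN_CLSIDS.get(rtfobj.clsid.upper(),
 'unknown CLSID (please report at https://github.com/decalage2/oletools/issues)')
 except:
 pass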
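Review bot: The new `rtfobj.clsid.upper()` call sits inside a `try` whose handler, visible at the end of the hunk, is a bare `except:` followed by `pass`, so any error it raises (for instance an AttributeError if `ole.root.clsid` is ever not a string) is swallowed and the assignment to `clsid_desc` is skipped without a trace. For a triage tool that means an embedded object can lose its CLSID description, including a CVE warning, with nothing to tell the analyst why. Narrowing the handler to `except Exception:` and logging the failure at debug level would make such cases visible. The `try` opens above the hunk, so the full range of what it guards is not visible here.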
tests/common/test_clsid.py
0 → 100644