Commit 2e20e6fa62c29eaa9c083489d42ff13d6a957f58

Authored by Alexander Sennhauser
1 parent 04b118c2

ensure uppercase KNOWN_CLSIDS matching

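--- a/oletools/common/clsid.py
+++ b/oletools/common/clsid.py
@@ -66,10 +66,10 @@ KNOWN_CLSIDS = {
     '00000306-0000-0000-C000-000000000046': 'Pointer Moniker',
     '00000308-0000-0000-C000-000000000046': 'Packager Moniker',
     '00000309-0000-0000-C000-000000000046': 'Composite Moniker (may trigger CVE-2017-8570)',
-    '0000031a-0000-0000-C000-000000000046': 'Class Moniker',
+    '0000031A-0000-0000-C000-000000000046': 'Class Moniker',
     '00000535-0000-0010-8000-00AA006D2EA4': 'ADODB.RecordSet (may trigger CVE-2015-0097)',
-    '0002034c-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
-    '0002034e-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
+    '0002034C-0000-0000-C000-000000000046': 'OutlookAttachMoniker',
+    '0002034E-0000-0000-C000-000000000046': 'OutlookMessageMoniker',
     '00020810-0000-0000-C000-000000000046': 'Microsoft Excel.Sheet.5',
     '00020811-0000-0000-C000-000000000046': 'Microsoft Excel.Chart.5',
     '00020820-0000-0000-C000-000000000046': 'Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)',
@@ -79,7 +79,7 @@ KNOWN_CLSIDS = {
     '00020833-0000-0000-C000-000000000046': 'Microsoft Excel binary sheet with macro enabled (Excel.SheetBinaryMacroEnabled.12)',
     '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document (Word.Document.6)',
     '00020906-0000-0000-C000-000000000046': 'Microsoft Word 97-2003 Document (Word.Document.8)',
-    '00020907-0000-0000-c000-000000000046': 'Microsoft Word Picture (Word.Picture.8)',
+    '00020907-0000-0000-C000-000000000046': 'Microsoft Word Picture (Word.Picture.8)',
     '00020C01-0000-0000-C000-000000000046': 'OLE Package Object (may contain and run any file)',
     '00021401-0000-0000-C000-000000000046': 'Windows LNK Shortcut file', # ref: https://github.com/libyal/liblnk/blob/master/documentation/Windows%20Shortcut%20File%20(LNK)%20format.asciidoc
     '00021700-0000-0000-C000-000000000046': 'Microsoft Equation 2.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)',
@@ -180,8 +180,8 @@ KNOWN_CLSIDS = {
     'D93CE8B5-3BF8-462C-A03F-DED2730078BA': 'Loads WUAEXT.DLL (Known Related to CVE-2015-6128)',
     'DD9DA666-8594-11D1-B16A-00C0F0283628': 'MSCOMCTL.ImageComboCtrl (may trigger CVE-2014-1761)',
     # Referenced in https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=652438 :
-    'DF630910-1C1D-11d0-AE36-8C0F5E000000': 'pythoncomloader27.dll (related to CVE-2021-27058)',
-    'DFEAF541-F3E1-4c24-ACAC-99C30715084A': 'Silverlight Objects',
+    'DF630910-1C1D-11D0-AE36-8C0F5E000000': 'pythoncomloader27.dll (related to CVE-2021-27058)',
+    'DFEAF541-F3E1-4C24-ACAC-99C30715084A': 'Silverlight Objects',
     'E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4': 'InkEd.InkEdit',
     'E8CC4CBE-FDFF-11D0-B865-00A0C9081C1D': 'MSDAORA.1 (potential exploit CVE TODO)', # TODO
     'E8CC4CBF-FDFF-11D0-B865-00A0C9081C1D': 'Loads OCI.DLL (Known Related to CVE-2015-6128)',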
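Review bot: The uppercase-key invariant these three hunks establish is enforced only by the new test file and is stated nowhere in clsid.py itself, so a contributor adding an entry has no in-file cue, and the lowercase hex corrected here shows how easily the table drifts. A comment on the dict header such as `# NOTE: keys must use uppercase hex; lookups normalize with .upper() (oledir.clsid_display, rtfobj) and tests/common/test_clsid.py enforces it` would make the contract visible at the point of edit. The `KNOWN_CLSIDS = {` definition starts and ends outside these hunks.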
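--- a/oletools/oledir.py
+++ b/oletools/oledir.py
@@ -125,8 +125,9 @@ def sid_display(sid):
     return sid
 
 def clsid_display(clsid):
-    if clsid in KNOWN_CLSIDS:
-        clsid += '\n%s' % KNOWN_CLSIDS[clsid]
+    clsid_upper = clsid.upper()
+    if clsid_upper in KNOWN_CLSIDS:
+        clsid += '\n%s' % KNOWN_CLSIDS[clsid_upper]
     color = 'yellow'
     if 'CVE' in clsid:
         color = 'red'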
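Review bot: `clsid_display` now normalizes with `clsid.upper()` inline, and rtfobj.py repeats the same `.upper()` at its `KNOWN_CLSIDS.get(...)` call, so the casing contract is re-implemented at every lookup site instead of next to the table; a single helper in clsid.py, `def get_clsid_desc(clsid, default=None): return KNOWN_CLSIDS.get(clsid.upper(), default)`, would keep the normalization in one place so future lookups stay correct by default. The function also has no docstring; `"""Return clsid, appended with its KNOWN_CLSIDS description when the GUID (compared case-insensitively) is known."""` states the new behaviour. Note that `.upper()` now runs unconditionally, so a non-string clsid would raise where the old `in` test merely failed — presumably callers always pass a str, but worth confirming. `clsid_display` continues past the end of this hunk.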
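--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -710,7 +710,7 @@ class RtfObjParser(RtfParser):
                 if olefile.isOleFile(obj.data):
                     ole = olefile.OleFileIO(obj.data)
                     rtfobj.clsid = ole.root.clsid
-                    rtfobj.clsid_desc = clsid.KNOWN_CLSIDS.get(rtfobj.clsid,
+                    rtfobj.clsid_desc = clsid.KNOWN_CLSIDS.get(rtfobj.clsid.upper(),
                         'unknown CLSID (please report at https://github.com/decalage2/oletools/issues)')
             except:
                 pass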
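Review bot: The new `rtfobj.clsid.upper()` call sits inside a `try` whose handler is the bare `except: pass` on the last two lines of the hunk, so if `ole.root.clsid` is ever not a string the AttributeError is swallowed and `clsid_desc` is silently left unset instead of the "unknown CLSID" fallback being recorded. Narrowing the handler to `except Exception:` and logging what was skipped would keep the best-effort parsing while surfacing that failure mode, though that edit falls on context lines rather than the ones changed here. The enclosing `try` and the method begin before this hunk.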
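--- /dev/null
+++ b/tests/common/test_clsid.py
@@ -0,0 +1,11 @@
+import unittest
+
+from oletools.common.clsid import KNOWN_CLSIDS
+
+
+class TestCommonClsid(unittest.TestCase):
+
+    def test_known_clsids_uppercase(self):
+        for k, v in KNOWN_CLSIDS.items():
+            k_upper = k.upper()
+            self.assertEqual(k, k_upper)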
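Review bot: `test_known_clsids_uppercase` only checks `k == k.upper()`, which still passes for a key with stray whitespace, a missing dash or a wrong group length, so it does not fully pin the format the `.upper()` lookups in oledir.py and rtfobj.py rely on. A shape assertion such as `self.assertRegex(k, r'^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$')` covers casing and layout in one check (`assertRegexpMatches` if the suite still runs on Python 2). The loop also iterates `.items()` while `v` is never used; `for k in KNOWN_CLSIDS:` is the idiomatic form.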