rtfobj: added detection of the OLE2Link vulnerability

decalage2
1 parent 26f83bf4
Showing 1 changed file with 9 additions and 2 deletions
oletools/rtfobj.py
@@ -69,8 +69,9 @@ http://www.decalage.info/python/oletools
 #                      - fixed hex decoding bug in RtfObjParser (issue #103)
 # 2017-03-29       PL: - fixed RtfParser to handle issue #152 (control word with
 #                        long parameter)
+# 2017-04-11       PL: - added detection of the OLE2Link vulnerability
  
-__version__ = '0.51dev4'
+__version__ = '0.51dev5'
  
 # ------------------------------------------------------------------------------
 # TODO:
@@ -692,6 +693,7 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
     rtfp = RtfObjParser(data)
     rtfp.parse()
     for rtfobj in rtfp.objects:
+        ole_color = None
         pkg_color = None
         if rtfobj.is_ole:
             ole_column = 'format_id: %d\n' % rtfobj.format_id
@@ -710,6 +712,11 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
                     pkg_column += '\nEXECUTABLE FILE'
             else:
                 pkg_column = 'Not an OLE Package'
+            # Detect OLE2Link exploit
+            # http://www.kb.cert.org/vuls/id/921560
+            if rtfobj.class_name == 'OLE2Link':
+                ole_color = 'red'
+                ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-TODO)'
         else:
             pkg_column = ''
             ole_column = 'Not a well-formed OLE object'
@@ -719,7 +726,7 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
             '%08Xh' % rtfobj.start,
             ole_column,
             pkg_column
-            ), colors=(None, None, None, pkg_color)
+            ), colors=(None, None, ole_color, pkg_color)
         )
         tstream.write_sep()
     if save_object: