oledir/clsid: added known-bad CLSIDs from Cuckoo sandbox (issue #290)

decalage2
1 parent 595e0c5a
Showing 1 changed file with 21 additions and 4 deletions
oletools/common/clsid.py
@@ -40,8 +40,9 @@ http://www.decalage.info/python/oletools
 # 2018-04-11 v0.53 PL: - added collection of CLSIDs
 # 2018-04-13       PL: - moved KNOWN_CLSIDS from oledir to common.clsid
 #                  SQ: - several additions by Shiao Qu
+# 2018-04-18       PL: - added known-bad CLSIDs from Cuckoo sandbox (issue #290)
  
-__version__ = '0.53dev3'
+__version__ = '0.53dev5'
  
  
 KNOWN_CLSIDS = {
@@ -50,14 +51,32 @@ KNOWN_CLSIDS = {
     '00020900-0000-0000-C000-000000000046': 'Microsoft Word 6.0-7.0 Document',
     '00020832-0000-0000-C000-000000000046': 'Excel sheet with macro enabled',
     '00020833-0000-0000-C000-000000000046': 'Excel binary sheet with macro enabled',
+
     # OLE Objects
     '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',
+    'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',
     '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882 or CVE-2018-0802)',
     'F20DA720-C02F-11CE-927B-0800095AE340': 'Package (may contain and run any file)',
     '0003000C-0000-0000-C000-000000000046': 'Package (may contain and run any file)',
     'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)',
+    # Known-bad CLSIDs from Cuckoo Sandbox:
+    # https://github.com/cuckoosandbox/community/blob/master/modules/signatures/windows/office.py#L314
+    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "MSCOMCTL.ListViewCtrl (may trigger CVE-2012-0158)",
+    "996BF5E0-8044-4650-ADEB-0B013914E99C": "MSCOMCTL.ListViewCtrl (may trigger CVE-2012-0158)",
+    "C74190B6-8589-11d1-B16A-00C0F0283628": "MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)",
+    "9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E": "MSCOMCTL.TreeCtrl (may trigger CVE-2012-0158)",
+    "1EFB6596-857C-11D1-B16A-00C0F0283628": "MSCOMCTL.TabStrip (may trigger CVE-2012-1856, CVE-2013-3906)",
+    "66833FE6-8583-11D1-B16A-00C0F0283628": "MSCOMCTL.Toolbar (may trigger CVE-2012-1856)",
+    "DD9DA666-8594-11D1-B16A-00C0F0283628": "MSCOMCTL.ImageComboCtrl (may trigger CVE-2014-1761)",
+    "00000535-0000-0010-8000-00AA006D2EA4": "ADODB.RecordSet (may trigger CVE-2015-0097)",
+    "0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC": "MSScriptControl.ScriptControl (may trigger CVE-2015-0097)",
+    "05741520-C4EB-440A-AC3F-9643BBC9F847": "otkloadr.WRLoader (may trigger CVE-2015-1641)",
     'A08A033D-1A75-4AB6-A166-EAD02F547959': 'otkloadr CWRAssembly Object (may trigger CVE-2015-1641)',
-    'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton',
+    # TODO "F4754C9B-64F5-4B40-8AF4-679732AC0607": "Microsoft Word Document (may trigger CVE-2015-1641)", ???
+    "4C599241-6926-101B-9992-00000B65C6F9": "Forms.Image (may trigger CVE-2015-2424)",
+    "44F9A03B-A3EC-4F3B-9364-08E0007F21DF": "Control.TaskSymbol (may trigger CVE-2015-2424)",
+    '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',
+
     # Monikers
     '00000303-0000-0000-C000-000000000046': 'File Moniker (may trigger CVE-2017-0199 or CVE-2017-8570)',
     '00000304-0000-0000-C000-000000000046': 'Item Moniker',
@@ -74,7 +93,5 @@ KNOWN_CLSIDS = {
     # ref: https://justhaifei1.blogspot.nl/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
     '06290BD2-48AA-11D2-8432-006008C3FBFC': 'Factory bindable using IPersistMoniker (scripletfile)',
     '06290BD3-48AA-11D2-8432-006008C3FBFC': 'Script Moniker, aka Moniker to a Windows Script Component (may trigger CVE-2017-0199)',
-
-    '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)',
 }