From ca08ea6ba5ac91caa185033b746b1f0aa3416b04 Mon Sep 17 00:00:00 2001
From: Javier Rascon
Date: Thu, 14 Feb 2019 11:01:57 +0100
Subject: [PATCH] Added detection for CVE-2017-11882 in 'rtfobj'
---
 oletools/rtfobj.py | 5 +++++
 1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/oletools/rtfobj.py b/oletools/rtfobj.py
index 7179045..1da649d 100644
--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -897,6 +897,11 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
 if rtfobj.class_name == b'OLE2Link':
 ole_color = 'red'
 ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
+ # Detect Equation Editor exploit
+ # https://www.kb.cert.org/vuls/id/421280/
+ elif rtfobj.class_name.lower() == b'equation.3':
+ ole_color = 'red'
+ ole_column += '\nPossibly an exploit for the Equation Editor vulnerability (VU#421280, CVE-2017-11882)'
 else:
 ole_column = 'Not a well-formed OLE object'
 tstream.write_row((
-- 
libgit2 0.21.4
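Review bot: The added `elif` compares the lowercased class name for exact equality with `b'equation.3'`, but `class_name` is data read from the document being analysed, so a value that differs by even one trailing byte would presumably leave the object unflagged; a prefix test such as `elif rtfobj.class_name.lower().startswith(b'equation.3'):` is more tolerant without widening the match to other products. The comment above the branch should also state that this is a heuristic on the declared class name only, for example `# Heuristic: matches the declared class name only; an unflagged object is not proof that Equation Editor is not involved`, so analysts do not read a missing red flag as a clean result. The OLE2Link test on the context line above is still case-sensitive (`== b'OLE2Link'`), so the two checks now normalise differently and could be aligned in a follow-up. The diffstat shows only rtfobj.py changing, so no test sample exercises the new branch; process_file's body starts and ends outside this hunk.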