rtfobj/oleid: Equation Editor objects not detected
decalage2 commented
RTF files mentioned in this article contain OLE objects with an equation editor exploit: https://x.com/_CPResearch_/status/1793642302839431502 / https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/
Docx (with remote template pointing to RTF):
- 57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b
- 2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816
- 0373ef0a7874bd8506dc64dd82ef2c6d7661a3250c8a9bb8cb8cb75a7330c1d2
- bff674439ea8333b227f6d05caa05b2e3fe592825abd63272d4f1e4c2dfa88ea
- 362b9f497fce52a3f14ad9de2a027d974cc810473c929fed7c37526d2f13f83a
RTF (with equation editor exploit and OLE package with DLL):
- 180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69
- c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151
- ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38
- 9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31
- 708722bafe35a9fdc94ac33b1970776c464f1bb4e9c2ea1c1dba3a9e1ba03ab3
- 9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31
Several issues to be addressed:
- Equation editor exploits are not detected as such. The keyword "equation" in the class name should be a red flag.
- The OLE class name is not properly reported, i.e. it should be `b'Equation.2'` instead of `b'Equation.2\x00\x124Vx\x90\x124VxvT2'` (split when a null byte is found).
- OLE package objects are not detected as DLL/EXE. ftguess should be used to detect executable files, in addition to checking the file extension.
- Some objects are not properly parsed.
- oleid does not report RTF issues.
rtfobj output:
```text
rtfobj 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: '180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69.rtf' - size: 283670 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |00002B42h |format_id: 2 (Embedded)
   |          |class name: b'PACKage'
   |          |data size: 125952
   |          |OLE Package object:
   |          |Filename: '\x11ࡱ\x1aá'
   |          |Source path: ''
   |          |Temp path = ''
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'
   |          |File Type: Unknown file type
---+----------+---------------------------------------------------------------
1  |000408A3h |format_id: 2 (Embedded)
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'
   |          |data size: 8485
   |          |MD5 = 'a0027a66a9081e01907b1fd91ac8613f'
---+----------+---------------------------------------------------------------
2  |00040889h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
===============================================================================
File: '9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31.rtf' - size: 707473 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0000A3F3h |format_id: 2 (Embedded)
   |          |class name: b'PACKage'
   |          |data size: 325120
   |          |OLE Package object:
   |          |Filename: '\x11ࡱ\x1aá'
   |          |Source path: ''
   |          |Temp path = ''
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'
   |          |File Type: Unknown file type
---+----------+---------------------------------------------------------------
1  |000A9554h |format_id: 2 (Embedded)
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'
   |          |data size: 5775
   |          |MD5 = '965783e01d6b29e74528f5c3717e553d'
---+----------+---------------------------------------------------------------
2  |000A953Ah |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
===============================================================================
File: 'c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151.rtf' - size: 537175 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |00005983h |format_id: 2 (Embedded)
   |          |class name: b'PACKage'
   |          |data size: 246784
   |          |OLE Package object:
   |          |Filename: '\x11ࡱ\x1aá'
   |          |Source path: ''
   |          |Temp path = ''
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'
   |          |File Type: Unknown file type
---+----------+---------------------------------------------------------------
1  |0007E6E4h |format_id: 2 (Embedded)
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'
   |          |data size: 8485
   |          |MD5 = '993a0f4852cdca46e9e0ed693c7b3e9a'
---+----------+---------------------------------------------------------------
2  |0007E6CAh |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
===============================================================================
File: 'ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38.rtf' - size: 1654404 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0000CD46h |format_id: 2 (Embedded)
   |          |class name: b'Word.Document.12'
   |          |data size: 85504
   |          |MD5 = 'ffd84fa2448bb30bb8324d3f2a7c4fdd'
   |          |CLSID: F4754C9B-64F5-4B40-8AF4-679732AC0607
   |          |Microsoft Word Document (Word.Document.12)
---+----------+---------------------------------------------------------------
1  |000F0EE6h |format_id: 2 (Embedded)
   |          |class name: b'PACKage'
   |          |data size: 326144
   |          |OLE Package object:
   |          |Filename: '\x11ࡱ\x1aá'
   |          |Source path: ''
   |          |Temp path = ''
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'
   |          |File Type: Unknown file type
---+----------+---------------------------------------------------------------
2  |00190847h |format_id: 2 (Embedded)
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'
   |          |data size: 5775
   |          |MD5 = 'df51041f0410fcb95955c0e9788e841f'
---+----------+---------------------------------------------------------------
3  |0019082Dh |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
```
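The checks requested in the issue (truncate the class name at the first null byte, treat an "equation" class name as a red flag, and identify an executable payload by its content rather than by its file extension), as an added illustration that is not part of oletools and not the maintainer's code. The sample class name and package filename are the ones quoted in the rtfobj output above; the PE-like blob is constructed inline, and `looks_like_pe` is a minimal stand-in for the `ftguess` content check the issue asks for (an assumption, not ftguess's API).

```python
import struct

# Sample values taken from the rtfobj output quoted in the issue
RAW_CLASS_NAME = b'Equation.2\x00\x124Vx\x90\x124VxvT2'
PACKAGE_FILENAME = '\x11ࡱ\x1aá'

# Constructed stand-in for an embedded DLL/EXE: an MZ header whose
# e_lfanew (offset 0x3C) points at a 'PE\0\0' signature at offset 0x40.
FAKE_PE = bytearray(0x44)
FAKE_PE[0:2] = b'MZ'
struct.pack_into('<I', FAKE_PE, 0x3C, 0x40)
FAKE_PE[0x40:0x44] = b'PE\x00\x00'
FAKE_PE = bytes(FAKE_PE)

SUSPICIOUS_CLASS_KEYWORDS = (b'equation',)


def clean_class_name(raw):
    """Return the OLE class name up to (not including) the first null byte.

    The class name is a null-terminated string; anything after the
    terminator is not part of the name and must not be reported as such.
    """
    end = raw.find(b'\x00')
    return raw if end == -1 else raw[:end]


def trailing_bytes_after_terminator(raw):
    """Number of bytes following the null terminator (0 if none)."""
    end = raw.find(b'\x00')
    return 0 if end == -1 else len(raw) - end - 1


def is_suspicious_class_name(raw):
    """Flag class names containing an Equation Editor keyword (case-insensitive)."""
    name = clean_class_name(raw).lower()
    return any(keyword in name for keyword in SUSPICIOUS_CLASS_KEYWORDS)


def looks_like_pe(data):
    """Content-based check for a PE (DLL/EXE): 'MZ' header plus a 'PE\\0\\0'
    signature at the e_lfanew offset. A stand-in for ftguess (assumption)."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def filename_is_suspicious(name):
    """Package filenames with control characters (or no name) are not plausible."""
    return name == '' or any(ord(ch) < 0x20 for ch in name)


def analyze_object(raw_class_name, data=b'', package_filename=None):
    """Return a list of human-readable findings for one embedded OLE object."""
    findings = []
    name = clean_class_name(raw_class_name)
    if is_suspicious_class_name(raw_class_name):
        findings.append('class name %r is an Equation Editor object: possible '
                        'equation editor exploit' % name)
    extra = trailing_bytes_after_terminator(raw_class_name)
    if extra:
        findings.append('%d extra bytes after the class name terminator' % extra)
    if looks_like_pe(data):
        findings.append('embedded data is a PE executable (DLL/EXE), '
                        'regardless of its file extension')
    if package_filename is not None and filename_is_suspicious(package_filename):
        findings.append('package filename %r contains control characters'
                        % package_filename)
    return findings


if __name__ == '__main__':
    for finding in analyze_object(RAW_CLASS_NAME):
        print('Equation object:', finding)
    for finding in analyze_object(b'PACKage\x00', FAKE_PE, PACKAGE_FILENAME):
        print('Package object:', finding)
```

Running it reports the truncated name `b'Equation.2'` with 12 trailing bytes for the Equation object, and for the package object both the PE content and the control characters in the filename. A real integration would replace `looks_like_pe` with `ftguess` so that other executable formats are covered too.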