
olevba/plugin_biff: error variable referenced before assignment #647

Closed
decalage2 opened this issue Dec 1, 2020 · 5 comments

Comments

@decalage2
Owner

See https://twitter.com/James_inthe_box/status/1333792970399617025
sample: https://app.any.run/tasks/339739c0-d03f-48a5-a19d-76dd570504e3/
error: [screenshot of the traceback, not reproduced here]

@decalage2 decalage2 added this to the Next Release milestone Dec 1, 2020
@decalage2 decalage2 self-assigned this Dec 1, 2020
@scandox

scandox commented Mar 5, 2021

Have observed recent malware on which macro detection fails due to this bug. Can provide sample if it is helpful.

@decalage2
Owner Author

Yes please, a sample would be helpful. I need to try it with the latest oledump, in case it was already fixed by Didier.

@DidierStevens, were you aware of that bug in plugin_biff (see above), and if so maybe you already fixed it?

@DidierStevens

I found a file with exactly the same name on anyrun: https://app.any.run/tasks/339739c0-d03f-48a5-a19d-76dd570504e3

It does not crash plugin_biff.

And neither does it crash olevba.

So if the sample is different, please share it.

@decalage2
Owner Author

I just tried it: the bug is still there with olevba (which includes an old version of plugin_biff), but the latest oledump runs without error. So I just need to update the plugin_biff embedded with olevba and it should fix the bug.
(see also issue #649)

@scandox

scandox commented Mar 6, 2021

Sample is: https://app.any.run/tasks/acdc4eeb-dd98-432b-b8f7-b2746f3bbd93

As @decalage2 says it appears oledump no longer has this issue. The two lines below resolved this and we already patched our systems with them and detection is now working:

https://github.com/DidierStevens/DidierStevensSuite/blob/15f24a64047dd879dd33198ef7da930adecde851/plugin_biff.py#L1190
https://github.com/DidierStevens/DidierStevensSuite/blob/15f24a64047dd879dd33198ef7da930adecde851/plugin_biff.py#L1191
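The bug class discussed in this thread, shown as an added example that is not plugin_biff's or olevba's code: a record parser binds its result variable only on the branches the author expected, so an unexpected record raises `UnboundLocalError` ("local variable referenced before assignment") and the whole scan aborts, which is why macro detection silently fails. The record layout, the record identifiers and the sample bytes below are all constructed for the illustration and are not the real BIFF formats; the fixed version binds a default before branching so unknown records are reported rather than crashing the analysis.

```python
"""Constructed illustration of the failure mode reported in this issue.
Nothing here is plugin_biff's real parsing logic or real BIFF opcodes."""
import struct

# Hypothetical record identifiers (constructed, not real BIFF record types).
REC_FORMULA = 0x0001
REC_LABEL = 0x0002
REC_UNKNOWN = 0x00FF


def parse_records(blob):
    """Split a byte string into (record_id, payload) tuples.
    Constructed layout: 2-byte LE id, 2-byte LE length, then payload."""
    records = []
    offset = 0
    while offset + 4 <= len(blob):
        rec_id, length = struct.unpack_from("<HH", blob, offset)
        offset += 4
        payload = blob[offset:offset + length]
        offset += length
        records.append((rec_id, payload))
    return records


def describe_buggy(rec_id, payload):
    """Bug pattern: 'text' is bound only in the expected branches, so any
    other record id reaches the return statement with 'text' unbound."""
    if rec_id == REC_FORMULA:
        text = "FORMULA " + payload.decode("latin-1")
    elif rec_id == REC_LABEL:
        text = "LABEL " + payload.decode("latin-1")
    return text  # raises UnboundLocalError for REC_UNKNOWN


def describe_fixed(rec_id, payload):
    """Fixed pattern: bind a default before branching, so an unknown or
    malformed record is reported and the scan continues."""
    text = "UNKNOWN record 0x%04X (%d bytes)" % (rec_id, len(payload))
    if rec_id == REC_FORMULA:
        text = "FORMULA " + payload.decode("latin-1")
    elif rec_id == REC_LABEL:
        text = "LABEL " + payload.decode("latin-1")
    return text


def scan(blob, describe):
    """Run a describe function over every record. Returns the list of
    descriptions, or None if the parser aborted (the fail-open case)."""
    try:
        return [describe(rec_id, payload) for rec_id, payload in parse_records(blob)]
    except UnboundLocalError:
        return None


def build_record(rec_id, payload):
    """Serialize one record in the constructed layout above."""
    return struct.pack("<HH", rec_id, len(payload)) + payload


# Constructed sample: one known record followed by one the parser never expected.
SAMPLE = build_record(REC_FORMULA, b"=SUM(1,2)") + build_record(REC_UNKNOWN, b"\x00\x01")

if __name__ == "__main__":
    print("buggy parser result:", scan(SAMPLE, describe_buggy))
    print("fixed parser result:", scan(SAMPLE, describe_fixed))
```

With the buggy describer the scan returns `None` (the equivalent of olevba aborting with a traceback), while the fixed describer yields one line per record, including a visible "UNKNOWN record" entry that an analyst can follow up on. The defensive point is the same as the two-line fix in plugin_biff: a document scanner should degrade to "unrecognised record" rather than to "no result".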
