Build Version: 0.0.1 (alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API-side code logic (a parser) has been added to allow RTF files to be processed. Currently, the new parser provides basic data extraction capabilities. The UI-side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: Second development iteration.
Known Issues: Some data obfuscation types are not supported.
Detailed Summary
New code logic has been added to IRIS-H to allow Rich Text Format (RTF) files to be processed. The 'Submission' page will now accept RTF file uploads and pass them on for further processing, which includes the following:
- extract document metadata
- identify and parse embedded objects
- extract font table
- detect languages used in the document
- provide description for all extracted data
Currently, the parsing module only provides essential processing. The module was tested against a good number of malicious RTF files and appears to be relatively stable, handling the majority of obfuscation techniques. Thanks to @James_inthe_box for providing the samples!
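To illustrate the four extraction steps listed above (metadata, embedded objects, font table, languages), here is an added, stand-alone Python example. It is not the IRIS-H parser (whose code is not shown here) and makes no claim about how IRIS-H implements these steps. Everything in it is an assumption for illustration: the RTF document it parses is constructed inline, the LCID-to-language table is a small hand-picked subset, and the only obfuscation it handles is hex payload data split by whitespace, newlines or stray control words inside \objdata.

```python
"""Minimal RTF triage parser: metadata, font table, languages, embedded objects.

Added example, not IRIS-H's parser. Standard library only; operates on a
constructed sample document. LCID_NAMES is a small hand-picked subset of
Windows language codes, not a complete table.
"""
from __future__ import annotations
import re
import struct

# Constructed sample: two fonts, two languages, an \info block and one embedded
# OLE object whose \objdata hex has been split across whitespace and a newline.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0\deflang1033
{\fonttbl{\f0\fswiss\fcharset0 Arial;}{\f1\froman\fcharset204 Times New Roman;}}
{\info{\title Quarterly report}{\author J. Doe}{\creatim\yr2017\mo11\dy14}}
\pard\f0\lang1033 Hello {\lang1049\f1 world}.\par
{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105 0000
0200 0000 0b00 0000 4571 7561 7469 6f6e 2e33 00}}
\par}"""

LCID_NAMES = {1033: "en-US", 1049: "ru-RU", 2057: "en-GB", 1036: "fr-FR", 1031: "de-DE"}
CONTROL_WORD_RE = re.compile(r"\\[a-zA-Z]+-?\d*\s?")   # e.g. \fcharset0<space>
NON_HEX_RE = re.compile(r"[^0-9a-fA-F]")


def group_end(text: str, open_idx: int) -> int:
    """Index of the '}' closing the group opened at text[open_idx]; escaped braces are skipped."""
    depth, i = 0, open_idx
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # \{ and \} (and any other escape) never change nesting
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return len(text)            # unbalanced group: malformed RTF is common, take the rest


def find_groups(text: str, control: str) -> list[str]:
    """Bodies of every group opened by {\control or {\*\control (body excludes the braces)."""
    pattern = re.compile(r"\{(?:\\\*)?\\" + re.escape(control) + r"(?![a-zA-Z])")
    return [text[m.end():group_end(text, m.start())] for m in pattern.finditer(text)]


def parse_metadata(rtf: str) -> dict[str, str]:
    """Text fields and dates from the \info group."""
    meta: dict[str, str] = {}
    for body in find_groups(rtf, "info"):
        for field in ("title", "author", "operator", "company", "subject"):
            for val in find_groups(body, field):
                meta[field] = val.strip()
        for field in ("creatim", "revtim"):
            for val in find_groups(body, field):
                d = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy)(\d+)", val)}
                if {"yr", "mo", "dy"} <= d.keys():
                    meta[field] = f"{d['yr']:04d}-{d['mo']:02d}-{d['dy']:02d}"
    return meta


def parse_font_table(rtf: str) -> dict[int, dict]:
    """Font number -> family, charset and face name from \fonttbl."""
    fonts: dict[int, dict] = {}
    for body in find_groups(rtf, "fonttbl"):
        for m in re.finditer(r"\{\\f(\d+)([^;}]*);", body):
            part = m.group(2)
            family = re.search(r"\\f(nil|roman|swiss|modern|script|decor|tech|bidi)\b", part)
            charset = re.search(r"\\fcharset(\d+)", part)
            fonts[int(m.group(1))] = {
                "family": family.group(1) if family else None,
                "charset": int(charset.group(1)) if charset else None,
                "name": CONTROL_WORD_RE.sub("", part).strip(),
            }
    return fonts


def parse_languages(rtf: str) -> dict[int, str]:
    """Every \deflang / \lang code used, with a name where the subset table knows it."""
    codes = {int(c) for c in re.findall(r"\\(?:def)?lang(?:fe)?(?:np)?(\d+)", rtf)}
    return {c: LCID_NAMES.get(c, "unknown") for c in sorted(codes)}


def ole1_header(raw: bytes) -> dict | None:
    """Decode the OLE 1.0 header (version, format id, class name) at the start of \objdata."""
    if len(raw) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", raw, 0)
    name = raw[12:12 + name_len].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"ole_version": version,
            "format": {1: "linked", 2: "embedded"}.get(fmt, f"unknown({fmt})"),
            "class_name": name}


def parse_embedded_objects(rtf: str) -> list[dict]:
    """Each \object group: declared class, decoded \objdata bytes and how much noise was stripped."""
    objects = []
    for body in find_groups(rtf, "object"):
        classes = find_groups(body, "objclass")
        for data in find_groups(body, "objdata"):
            # Obfuscation handled here: hex split by whitespace/newlines or interleaved
            # control words. Drop control words first so their letters are not read as hex.
            cleaned = NON_HEX_RE.sub("", CONTROL_WORD_RE.sub("", data))
            cleaned = cleaned[:len(cleaned) - len(cleaned) % 2]   # drop a dangling nibble
            raw = bytes.fromhex(cleaned)
            objects.append({"class": classes[0].strip() if classes else None,
                            "size": len(raw), "noise_chars": len(data) - len(cleaned),
                            "data": raw, "ole1": ole1_header(raw)})
    return objects


def describe(rtf: str) -> dict:
    """Run all four extraction steps and return one report dictionary."""
    return {"metadata": parse_metadata(rtf), "fonts": parse_font_table(rtf),
            "languages": parse_languages(rtf), "objects": parse_embedded_objects(rtf)}


if __name__ == "__main__":
    report = describe(SAMPLE_RTF)
    print("metadata :", report["metadata"])
    print("fonts    :", report["fonts"])
    print("languages:", report["languages"])
    for obj in report["objects"]:
        print("object   :", obj["class"], obj["size"], "bytes,", obj["noise_chars"],
              "noise chars stripped, OLE1:", obj["ole1"])
```

The noise counter is the useful triage signal here: a legitimate writer emits \objdata as one contiguous hex run, so a high count of stripped characters, or a declared \objclass that disagrees with the class name inside the OLE 1.0 header, is worth flagging in a report.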
Example Reports
https://iris-h.services/report/c3d93db2aa5aaf4f821548e15d79946e - CVE-2017-11882
https://iris-h.services/report/247f2739e20053ea397b748c35398c63 - OLE Autolink update using SoapMoniker
https://iris-h.services/report/fea6546e3299a31a58a3aa2a6b7060c9 - ASLR/DEP evasion using msvbvm60.dll (CVE-2017-11826 precursor)