diff --git a/README.md b/README.md
index 6e7b3f6c..5bde6674 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,9 @@ News
 - **2019-05-22 v0.54.2**:
   - bugfix release: fixed several issues related to encrypted documents and XLM/XLF Excel 4 macros
+  - msoffcrypto-tool is now installed by default to handle encrypted documents
+  - olevba and msodde now handle documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
 - **2019-04-04 v0.54**:
   - olevba, msodde: added support for encrypted MS Office files
   - olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
diff --git a/oletools/crypto.py b/oletools/crypto.py
index ae80589c..c48d6c22 100644
--- a/oletools/crypto.py
+++ b/oletools/crypto.py
@@ -90,6 +90,7 @@ def script_main_function(input_file, passwords, crypto_nesting=0, args):
 # CHANGELOG:
 # 2019-02-14 v0.01 CH: - first version with encryption check from oleid
 # 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole
+# 2019-05-23 PL: - added DEFAULT_PASSWORDS list
 __version__ = '0.54.2'
@@ -308,6 +309,9 @@ def _is_encrypted_ole(ole):
 #: using this password
 WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop'
+#: list of common passwords to be tried by default, used by malware
+DEFAULT_PASSWORDS = [WRITE_PROTECT_ENCRYPTION_PASSWORD, '123', '1234', '12345', '123456', '4321']
+
 def _check_msoffcrypto():
     """Raise a :py:class:`CryptoLibNotImported` if msoffcrypto not imported."""
@@ -347,7 +351,7 @@ def decrypt(filename, passwords=None, **temp_file_args):
     if isinstance(passwords, str):
         passwords = (passwords, )
     elif not passwords:
-        passwords = (WRITE_PROTECT_ENCRYPTION_PASSWORD, )
+        passwords = DEFAULT_PASSWORDS
     # check temp file args
     if 'prefix' not in temp_file_args:
diff --git a/oletools/msodde.py b/oletools/msodde.py
index 1a3a2753..07beac1e 100644
--- a/oletools/msodde.py
+++ b/oletools/msodde.py
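Review bot: The `#:` comment on DEFAULT_PASSWORDS reads as if malware consumes the list; it should say what the list is and why its order matters, e.g. `#: passwords malware commonly uses to encrypt lure documents; tried in this order when the caller supplies none. The write-protect password comes first because it is Excel's built-in default and by far the most common case.` The first entry resolves to 'VelvetSweatshop' (lower-case s, via WRITE_PROTECT_ENCRYPTION_PASSWORD) while the README hunk in this same commit spells it 'VelvetSweatShop'; password verification is case-sensitive, so the two cannot both be right, and since the constant is what is actually tried the README should copy its spelling. The comment could also state that the list is shared module state that callers must extend by concatenation, never in place, because decrypt() below binds it directly.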
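Review bot: `passwords = DEFAULT_PASSWORDS` in decrypt() aliases the shared module-level list instead of copying it, so any later in-place change to `passwords` (the loop that tries the candidates is outside this hunk) would silently alter the defaults for every subsequent call; `passwords = list(DEFAULT_PASSWORDS)` costs nothing, removes the hazard, and keeps the local a fresh sequence like the `(passwords, )` tuple the str branch builds. The function's docstring is not in the hunk, but if it still describes `passwords=None` as "try the write-protect password" it now needs to say that the whole DEFAULT_PASSWORDS list is tried, in order, and that user-supplied passwords replace rather than precede the defaults at this layer. decrypt() starts before and continues after the hunk.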
@@ -986,10 +986,9 @@ def process_maybe_encrypted(filepath, passwords=None, crypto_nesting=0,
     decrypted_file = None
     if passwords is None:
-        passwords = [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
+        passwords = crypto.DEFAULT_PASSWORDS
     else:
-        passwords = list(passwords) + \ [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
+        passwords = list(passwords) + crypto.DEFAULT_PASSWORDS
     try:
         logger.debug('Trying to decrypt file')
         decrypted_file = crypto.decrypt(filepath, passwords)
diff --git a/oletools/olevba.py b/oletools/olevba.py
index 578978e0..1b4a64a5 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -3890,8 +3890,7 @@ def process_file(filename, data, container, options, crypto_nesting=0):
     decrypted_file = None
     try:
         log.debug('Checking encryption passwords {}'.format(options.password))
-        passwords = options.password + \ [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
+        passwords = options.password + crypto.DEFAULT_PASSWORDS
         decrypted_file = crypto.decrypt(filename, passwords)
         if not decrypted_file:
             log.error('Decrypt failed, run with debug output to get details')
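Review bot: `list(passwords) + crypto.DEFAULT_PASSWORDS` in the else branch splits a str argument into single characters, so a caller passing one password as a plain string (a form crypto.decrypt itself accepts through its `isinstance(passwords, str)` branch) would try 's', 'e', 'c', ... instead of 'secret'; add `if isinstance(passwords, str): passwords = [passwords]` before the concatenation, or normalise once with `passwords = ([passwords] if isinstance(passwords, str) else list(passwords or [])) + crypto.DEFAULT_PASSWORDS`, which also folds the two branches into one statement. Whether any caller actually passes a bare string is not visible from this hunk. process_maybe_encrypted's signature is cut in the hunk header and its body continues after the hunk.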
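Review bot: The debug line `log.debug('Checking encryption passwords {}'.format(options.password))` runs before `passwords` is built, so it reports only the user-supplied list and omits the DEFAULT_PASSWORDS the new code now tries; move it after the assignment and format `passwords` instead, so debug output shows exactly which candidates were attempted (useful when recording that a lure was protected with a trivial password): `passwords = options.password + crypto.DEFAULT_PASSWORDS` followed by `log.debug('Checking encryption passwords {}'.format(passwords))`. `options.password + crypto.DEFAULT_PASSWORDS` also assumes the option is always a list; if its argparse default is None rather than [] (not visible here) the concatenation raises TypeError inside the try rather than falling back to the defaults. process_file's body continues after the hunk.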