Avoid detection of RTF as CVE-2017-0199 #23

Open
honeyfairy opened this issue Jun 6, 2022 · 5 comments

Comments

@honeyfairy

The RTF files are being detected as CVE-2017-0199. Any pointers or ideas on what we could do to avoid the RTF file being detected as CVE-2017-0199?

@DanusMinimus
Contributor

What product is showing the alert?

@honeyfairy
Author

Trend Micro antivirus and Avast. Also Gmail and other mail scanners.

@chvancooten
Owner

Hey, AV evasion is explicitly not provided as part of this repo (and hard to maintain since it is open source). I'll keep this issue open for discussion though.

@honeyfairy
Author

> Hey, AV evasion is explicitly not provided as part of this repo (and hard to maintain since it is open source). I'll keep this issue open for discussion though.

Thank you for keeping it open. It is currently being incorrectly detected as a different CVE.

@DanusMinimus
Contributor

DanusMinimus commented Jun 14, 2022

From what I saw, oletools detects this as possible CVE-2017-0199. I guess since it detects the URLMoniker and the OLE2Link class name with the RTF.
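
A triage sketch of the two indicators named in the comment above, added here as an example and not taken from oletools or from this repository: it hex-decodes each `\objdata` group, reads the class name from the OLE 1.0 object header, and reports the OLE2Link class name and the URL Moniker CLSID. The function names and both sample documents are constructed for illustration, and the parsing is simplified compared with a full RTF parser.

```python
import re
import struct

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in its on-disk byte order
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
# The objdata control word followed by hex text, up to the next brace or control word
OBJDATA = re.compile(rb"\\objdata\b([^{}\\]*)", re.I)


def ole1_class_name(blob: bytes):
    """Read ClassName from an OLE 1.0 header: OLEVersion, FormatID, length-prefixed string."""
    if len(blob) < 12:
        return None
    _version, format_id, length = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or not 0 < length <= len(blob) - 12:
        return None  # not a linked (1) or embedded (2) object header
    return blob[12:12 + length].rstrip(b"\x00")


def triage_rtf(data: bytes):
    """Return one finding per objdata group, listing the indicators it carries."""
    findings = []
    for match in OBJDATA.finditer(data):
        hex_text = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        blob = bytes.fromhex(hex_text[: len(hex_text) & ~1].decode("ascii"))
        class_name = ole1_class_name(blob)
        indicators = []
        if class_name and class_name.lower() == b"ole2link":
            indicators.append("OLE2Link class name")
        if URL_MONIKER_CLSID in blob:
            indicators.append("URL Moniker CLSID")
        findings.append({"class_name": class_name, "size": len(blob), "indicators": indicators})
    return findings


def _sample(class_name: bytes, body: bytes) -> bytes:
    """Constructed test input: OLE 1.0 header plus filler bytes, hex-encoded into objdata."""
    name = class_name + b"\x00"
    hex_text = (struct.pack("<III", 0x501, 2, len(name)) + name + body).hex()
    wrapped = "\n".join(hex_text[i:i + 64] for i in range(0, len(hex_text), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + wrapped.encode() + b"}}}"


# Constructed samples: inert filler, no compound file and no URL inside
FLAGGED = _sample(b"OLE2Link", b"\x00" * 8 + URL_MONIKER_CLSID + b"\x00" * 8)
BENIGN = _sample(b"Package", b"\x00" * 32)

if __name__ == "__main__":
    for label, doc in (("flagged", FLAGGED), ("benign", BENIGN)):
        print(label, triage_rtf(doc))
```
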