A monkey patch in olevba is causing bugs in other part of code unrelated to oletools #602

Closed
matthieuxyz opened this issue Aug 28, 2020 · 2 comments · Fixed by #604

@matthieuxyz
Contributor

Affected tool:
olevba

Describe the bug
A monkey patch in olevba is causing bugs in other parts of code unrelated to oletools.

File/Malware sample to reproduce the bug
No need for sample

How To Reproduce the bug
Open a Python terminal and type:

import email
import oletools.olevba
email.message_from_string('A: a\n.\n\t\n\naaa')

Close it, open another Python terminal, and type:

import email
email.message_from_string('A: a\n.\n\t\n\naaa')

Expected behavior

  • email.message_from_string should return a Message() object and shouldn't raise an exception.

  • email.message_from_string('A: a\n.\n\t\n\naaa').defects should be a list containing a single MissingHeaderBodySeparatorDefect() object.

Console output / Screenshots

Python 3.6.9 (default, Jul 17 2020, 12:50:27) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import email
>>> import oletools.olevba
>>> email.message_from_string('A: a\n.\n\t\n\naaa')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/email/__init__.py", line 38, in message_from_string
    return Parser(*args, **kws).parsestr(s)
  File "/usr/lib/python3.6/email/parser.py", line 68, in parsestr
    return self.parse(StringIO(text), headersonly=headersonly)
  File "/usr/lib/python3.6/email/parser.py", line 57, in parse
    feedparser.feed(data)
  File "/usr/lib/python3.6/email/feedparser.py", line 176, in feed
    self._call_parse()
  File "/usr/lib/python3.6/email/feedparser.py", line 180, in _call_parse
    self._parse()
  File "/usr/lib/python3.6/email/feedparser.py", line 240, in _parsegen
    self._parse_headers(headers)
  File "/usr/lib/python3.6/email/feedparser.py", line 524, in _parse_headers
    assert i>0, "_parse_headers fed line with no : and no leading WS"
AssertionError: _parse_headers fed line with no : and no leading WS
>>> 

Version information:

  • OS: Linux
  • OS version: Ubuntu 18.04 - 64 bits
  • Python version: 3.6 - 64 bits
  • oletools version: 0.55.1

Additional context

Related issue: #32
Line of code causing the problem: https://github.com/decalage2/oletools/blob/master/oletools/olevba.py#L333

@matthieuxyz
Contributor Author

We will probably patch oletools internally. My first suggestion would be to simply remove the monkey patch, but I'll first try to understand why it's needed in the first place.

If I find an alternative solution, I will open a pull-request.

@decalage2
Owner

The monkeypatch was needed to fix issue #32, because the MIME parser in MS Word (for MHTML files) is less strict than the Python one. Some malicious MHT files were using that trick and could not be analysed by olevba.
Now if the monkeypatch is causing issues in other applications using olevba, I see two solutions:

  1. Only apply the monkeypatch right before parsing MHT files, and revert it just after. Then the email package will only be modified temporarily during very short times, and will work normally otherwise.
  2. Add an option to disable the monkeypatch, for applications that are incompatible with it.

I propose to try solution 1 first.
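Solution 1 from the comment above, sketched as an added example (not oletools code and not the change merged in #604): a context manager that swaps the email package's header regex only while an MHT file is parsed and restores it even if parsing raises. `RELAXED_HEADER_RE`, `relaxed_mime_headers`, `parse_mht` and `defects_after_mht_parse` are hypothetical names, and the relaxed pattern is an assumption, since the page does not show the one olevba installs.

```python
import contextlib
import email
import email.feedparser
import re
import threading

# ASSUMPTION: a relaxed pattern constructed for this example (the ":" after a
# header name is optional); the regex olevba installs is not shown on the page.
RELAXED_HEADER_RE = re.compile(r'^(From |[\041-\071\073-\176]{1,}:?|[\t ])')

# Serialises callers of this helper. Other threads that use the email package
# directly can still observe the relaxed regex while the block is running.
_patch_lock = threading.Lock()


@contextlib.contextmanager
def relaxed_mime_headers():
    """Replace email.feedparser.headerRE for the duration of the block only."""
    with _patch_lock:
        original = email.feedparser.headerRE
        email.feedparser.headerRE = RELAXED_HEADER_RE
        try:
            yield
        finally:
            # Runs even when parsing a hostile sample raises, so the
            # process-wide email package is never left modified.
            email.feedparser.headerRE = original


def parse_mht(data):
    """Hypothetical MHT entry point: lenient parsing confined to this call."""
    with relaxed_mime_headers():
        return email.message_from_string(data)


SAMPLE = 'A: a\n.\n\t\n\naaa'  # the string from the issue report


def defects_after_mht_parse():
    """Parse SAMPLE leniently, then again with the stock parser."""
    try:
        parse_mht(SAMPLE)
    except AssertionError:
        pass  # the Python 3 parser failure shown in the issue's traceback
    msg = email.message_from_string(SAMPLE)  # unrelated caller, stock regex
    return [type(d).__name__ for d in msg.defects]
```

The module-level swap is still process-wide while the block runs, so the lock only protects code that goes through this helper.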
