Can't find embedded OLE object in DOC file

Buffer2018 · December 26, 2023, 9:24am

I am analyzing a MALWARE containing Word document, from CVE-2023-36884.
The file can be downloaded here: MalwareBazaar | Download malware samples (abuse.ch)

My problem is that I cannot find the embedded RTF document within the Aspose.Words.Document object, while I can find it with OpenXML, for example, using the following reference code:

using DocumentFormat.OpenXml.Packaging;

var doc = WordprocessingDocument.Open("infected.doc", false);
var parts = doc.MainDocumentPart.AlternativeFormatImportParts;
using var st = parts.First().GetStream();
using var fs = File.Create("infected.rtf");
st.CopyTo(fs);

The RTF document is embedded as a ‘aFChunk’ part in the DOC file.

alexey.noskov · December 26, 2023, 9:29am

@Buffer2018 While loading document Aspose.Words reads altChunk content and inserts it into the main document. So altChunks are not preserved by Aspose.Words and are no available via Aspose.Words DOM.

Buffer2018 · December 26, 2023, 9:41am

Ok, so does that mean aspose.words is vulnerable to this malware? Will this functionality (identifying embedded chunks) be added to Aspose.Words in the future?

Please see my second question regarding this topic: Cannot find embedded OLE object in RTF file - Free Support Forum - aspose.com

My mission is to identify malicious content and remove it, is it possible to do so for this file using Aspose.Words?

Thanks!
Uriel

alexey.noskov · December 26, 2023, 12:48pm

@Buffer2018 Aspose.Words does not run any external code while loading documents. So it looks like Aspose.Words simply ignores the malformed OLE objects in the document and is not affected by this vulnerability. But we will more closely look at the issue.

We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): WORDSNET-26413

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

alexey.noskov · February 13, 2024, 12:55pm

@Buffer2018 We have completed analyzing the issue. The exploit chain consists of about 20 steps including attacker-controlled SMB server and started from processing objautlink\objupdate RTF control words to download and display malicious content. Also processing of JavaScript and VB is required to do the attack success.
But Aspose.Words doesn’t process objautlink\objupdate RTF control words. Also it doesn’t run any JavaScript or VB scripts while document loading.
So, we are sure Aspose.Words isn’t vulnerable to CVE-2023-36884.

aspose.notifier · March 6, 2024, 9:32am

The issues you have found earlier (filed as WORDSNET-26413) have been fixed in this Aspose.Words for .NET 24.3 update also available on NuGet.