NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues

Disable extended mode for oletools #6334

Closed stephdl closed 3 years ago

stephdl commented 3 years ago

The extended mode of oletools can be prone to errors with false positives. It is better to disable the extended mode for now; we need more time to study and find a better setting rather than only rejecting if oletools finds a positive macro inside the email.

Proposed solution

We need to set extended to false in the external_services.conf of rspamd.

Alternative solutions

Rather than simply rejecting when we find something positive with oletools, we could make a score: add a score for each symbol found by oletools (something like 3*1). Do not reject when oletools finds some flag like suspicious, but eventually just add a score.

Additional context

This is what oletools finds in a legitimate email:

⬢[filippo@toolbox Downloads]$ olevba CREDEK\ -\ Contratto\ NethService.docx 
olevba 0.56 on Python 3.9.0 - http://decalage.info/python/oletools
===============================================================================
FILE: CREDEK - Contratto NethService.docx
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO word/_rels/settings.xml.rels 
in file: word/_rels/settings.xml.rels - OLE stream: ''
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///Z:\Contratti\AAA%20-%20Modello%20Contratto.dot" TargetMode="External"/></Relationships>
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Template Injection  |Template injection found. A malicious        |
|          |                    |template could have been uploaded from a     |
|          |                    |remote location                              |
+----------+--------------------+---------------------------------------------+
nethbot commented 3 years ago

in 7.9.2009/testing:

stephdl commented 3 years ago

QA

After the upgrade the extended mode is set to false; when oletools finds a macro, in the maillog you must have something like this:

OLETOOLS(0.00){AutoExec + Suspicious (CheckPrinters_Layout,Shell);}

The extended mode with flags must be disabled (see below):

OLETOOLS(0.00){-----AMS;adp_com_Layout;ExecuteExcel4Macro;Chr;Hex Strings;}
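The following is an added example, not code from the NethServer project or from anyone in this thread. It parses the two OLETOOLS symbol shapes quoted above (the plain "Type + Type (keyword,keyword)" report, and the extended report whose first entry is the flags string) out of constructed maillog lines, and then applies the per-keyword scoring that the issue's alternative solution sketches instead of a flat reject. The sample log lines, the keyword weights, the default weight and the cap are all assumptions made for the example; the keyword names themselves are the ones that appear on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The OLETOOLS symbol as rspamd writes it into the maillog, e.g.
#   OLETOOLS(0.00){AutoExec + Suspicious (CheckPrinters_Layout,Shell);}
OLETOOLS_RE = re.compile(r"OLETOOLS\((?P<score>-?\d+(?:\.\d+)?)\)\{(?P<options>[^}]*)\}")

# Assumed weights for the "score per symbol" alternative (not values from the issue).
# Keywords that are not listed get DEFAULT_WEIGHT; the total is capped at MAX_SCORE
# so that a long keyword list from extended mode cannot reject a message on its own.
KEYWORD_WEIGHTS = {"Shell": 2.0, "ExecuteExcel4Macro": 2.0}
DEFAULT_WEIGHT = 1.0
MAX_SCORE = 6.0

# Constructed maillog lines (not captured from a real system) carrying, in order:
# the non-extended report from the QA comment, the extended report from the QA comment,
# and a non-extended report built from the keywords olevba raised on the legitimate .docx.
SAMPLE_LOG = """\
Mar 10 10:00:01 mail rspamd[1234]: <abc123>; task; rspamd_task_write_log: id: <msg1@example.test>, symbols: OLETOOLS(0.00){AutoExec + Suspicious (CheckPrinters_Layout,Shell);}
Mar 10 10:00:02 mail rspamd[1234]: <def456>; task; rspamd_task_write_log: id: <msg2@example.test>, symbols: OLETOOLS(0.00){-----AMS;adp_com_Layout;ExecuteExcel4Macro;Chr;Hex Strings;}
Mar 10 10:00:03 mail rspamd[1234]: <ghi789>; task; rspamd_task_write_log: id: <msg3@example.test>, symbols: OLETOOLS(0.00){Suspicious (Base64 Strings,Template Injection);}
"""


@dataclass
class OletoolsReport:
    raw_score: float                 # the score rspamd logged for the symbol
    extended: bool                   # True for the flags-style (extended mode) report
    flags: str = ""                  # flags string, only present in extended mode
    types: List[str] = field(default_factory=list)     # e.g. ["AutoExec", "Suspicious"]
    keywords: List[str] = field(default_factory=list)  # e.g. ["CheckPrinters_Layout", "Shell"]


def parse_oletools(line: str) -> Optional[OletoolsReport]:
    """Extract the OLETOOLS symbol from one maillog line; None if the line has none."""
    m = OLETOOLS_RE.search(line)
    if not m:
        return None
    score = float(m.group("score"))
    options = m.group("options").strip().rstrip(";").strip()
    if ";" in options:
        # Extended mode: "FLAGS;keyword;keyword;..." where the first entry is the flags string
        parts = [p.strip() for p in options.split(";") if p.strip()]
        return OletoolsReport(score, True, parts[0], [], parts[1:])
    # Non-extended mode: "Type + Type (keyword,keyword)" with the parenthesised part optional
    m2 = re.match(r"(?P<types>[^(]*)(?:\((?P<kws>[^)]*)\))?$", options)
    types = [t.strip() for t in m2.group("types").split("+") if t.strip()]
    kws = [k.strip() for k in (m2.group("kws") or "").split(",") if k.strip()]
    return OletoolsReport(score, False, "", types, kws)


def score_report(report: OletoolsReport) -> float:
    """Additive score, one weight per keyword, capped; no keyword rejects by itself."""
    total = sum(KEYWORD_WEIGHTS.get(k, DEFAULT_WEIGHT) for k in report.keywords)
    return min(total, MAX_SCORE)


def score_log(text: str) -> List[Tuple[bool, float]]:
    """For every line carrying an OLETOOLS symbol, return (extended_mode, proposed_score)."""
    results = []
    for line in text.splitlines():
        report = parse_oletools(line)
        if report is not None:
            results.append((report.extended, score_report(report)))
    return results


if __name__ == "__main__":
    for extended, score in score_log(SAMPLE_LOG):
        print(f"extended={extended!s:5} proposed_score={score:.1f}")
```

Run against the three constructed lines, the legitimate document's "Base64 Strings" and "Template Injection" keywords add a small score rather than triggering a reject, which is the behaviour the alternative solution asks for; the parser also shows that extended mode reports only a flags string and a bare keyword list, with no AutoExec/Suspicious type information to weigh.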

federicoballarini commented 3 years ago

On a 7.8.2003 machine.

vi /etc/e-smith/templates/etc/rspamd/local.d/external_services.conf/10base

and changed extended from true to false

expand-template /etc/rspamd/local.d/external_services.conf
signal-event nethserver-mail-filter-update
redis-cli -s /var/run/redis-rspamd/rspamd FLUSHDB

All works fine! Nice job @stephdl. Thanks to @filippocarletti for the patience ;-)

nethbot commented 3 years ago

in 7.9.2009/testing:

nethbot commented 3 years ago

in 7.9.2009/testing:

DavidePrincipi commented 3 years ago

In 7.8.2003/updates:

nethserver-mail-2.18.2-1.ns7.src.rpm
nethserver-mail-common-2.18.2-1.ns7.noarch.rpm
nethserver-mail-disclaimer-2.18.2-1.ns7.noarch.rpm
nethserver-mail-filter-2.18.2-1.ns7.noarch.rpm
nethserver-mail-getmail-2.18.2-1.ns7.noarch.rpm
nethserver-mail-imapsync-2.18.2-1.ns7.noarch.rpm
nethserver-mail-ipaccess-2.18.2-1.ns7.noarch.rpm
nethserver-mail-p3scan-2.18.2-1.ns7.noarch.rpm
nethserver-mail-quarantine-2.18.2-1.ns7.noarch.rpm
nethserver-mail-server-2.18.2-1.ns7.noarch.rpm
nethserver-mail-smarthost-2.18.2-1.ns7.noarch.rpm

nethbot commented 3 years ago

in 7.9.2009/updates: