Incomplete OLE stream + Incorrect OLE FAT, sector index out of range #27

Closed
decalage2 opened this Issue Oct 28, 2015 · 2 comments

@decalage2
Owner

Originally reported by: Unknown Name (Bitbucket: ganado, GitHub: ganado)


Hello!

I've encountered a parsing error on a malware sample. (I could open this file with SSView.)

First, an incomplete OLE stream error while opening a Unicode-named VBA script.

_VBA_PROJECT_CUR/VBA/Лист1

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 753, in __init__
    raise IOError('incomplete OLE stream')
IOError: incomplete OLE stream

and an out of range error while opening other VBA files ...

"_VBA_PROJECT_CUR/VBA/dir"

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 763, in __init__
    raise IOError('incorrect OLE FAT, sector index out of range')
IOError: incorrect OLE FAT, sector index out of range

Attached is an xls file (malware sample) for reproducing the bug.

I am using Python 2.7.10, olefile 0.42.

Thanks for the wonderful project.


@decalage2
Owner

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


After a lot of troubleshooting, I found the issue: the sample file is slightly malformed. Its header sets the "mini sector cutoff size" to 0, whereas the only allowed value is 4096. If I fix this value in olefile, then all streams can be read without error.

I will publish a new version with that fix soon.
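
The effect of the zero cutoff described in the comment above, as an added example that is not part of the original thread and is not olefile's own code: in the MS-CFB header the mini stream cutoff size is a little-endian uint32 at offset 0x38, and streams smaller than it are stored in the mini stream, so a parser that trusts a cutoff of 0 looks up every small stream in the regular FAT instead. The header bytes, the 700-byte stream size and all function names are constructed for illustration.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
CUTOFF_OFFSET = 0x38      # MS-CFB header field "Mini Stream Cutoff Size" (uint32 LE)
REQUIRED_CUTOFF = 4096    # the only allowed value, as stated in the comment above


def read_cutoff(header: bytes) -> int:
    """Return the raw mini stream cutoff size stored in an OLE header."""
    if len(header) < 512 or header[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file header")
    return struct.unpack_from("<I", header, CUTOFF_OFFSET)[0]


def effective_cutoff(header: bytes):
    """Lenient parse: return (cutoff_to_use, anomaly_or_None)."""
    raw = read_cutoff(header)
    if raw != REQUIRED_CUTOFF:
        msg = "mini stream cutoff size is %d, expected %d" % (raw, REQUIRED_CUTOFF)
        return REQUIRED_CUTOFF, msg
    return raw, None


def storage_for(stream_size: int, cutoff: int) -> str:
    """Streams smaller than the cutoff live in the mini stream (MiniFAT chain)."""
    return "minifat" if stream_size < cutoff else "fat"


def build_header(cutoff: int) -> bytes:
    """Constructed 512-byte header for the demo; only magic and cutoff are set."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<I", header, CUTOFF_OFFSET, cutoff)
    return bytes(header)


if __name__ == "__main__":
    malformed = build_header(0)   # constructed header mimicking the reported one
    small_stream = 700            # constructed size for a small VBA stream
    fixed, anomaly = effective_cutoff(malformed)
    print("trusting header :", storage_for(small_stream, read_cutoff(malformed)))
    print("after correction:", storage_for(small_stream, fixed))
    print("anomaly         :", anomaly)
```

The anomaly string is worth keeping in triage output, since a non-standard cutoff marks the file as malformed even when every stream can be read after correction.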

@decalage2
Owner

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


fixed issue #27 by correcting the MiniFAT sector cutoff size if invalid, slight changes in _OleDirectoryEntry

@decalage2 decalage2 closed this May 12, 2016