Weird issue when using emca376_agile as an import #81
Comments
|
Thank you for relaying! After doing some investigation into the issue, I found that it seems that OneNote embedded objects do not re-new IVs for AES-CBC in every 4096 bytes as described in the MS-OFFCRYPTO spec, despite their close similarity. (This is the reason why the corruptions happen only around the boundaries.) I also found that both msoffcrypto-tool and one-extract need some small fixes regarding decryption. They haven't caused this problem, however. I'll report them later. |
|
Hey Nolze, The only reasonable documentation we found was: I'll keep an eye on this thread if you have any more details concerning this part of your reply:
Thanks, |
Hello,
We maintain a small tool for extracting embedded objects in OneNote documents here:
https://github.com/volexity/threat-intel/tree/main/tools/one-extract
One of the things that is supported is the extracted of password-protected objects, for this we were using the following method from your library:
https://github.com/nolze/msoffcrypto-tool/blob/master/msoffcrypto/method/ecma376_agile.py
One user noticed that at each 4096 byte boundary there were 16 bytes of invalid data that were being added and provided test case files illustrating the issue:
volexity/threat-intel#7
We have added a temporary fix here:
volexity/threat-intel@42dc4f4
It's not 100% clear why our temporary fix (setting the
SEGMENT_LENGTHvalue to a size greater than the size of the file) works, some possible hypotheses are:emca376_agile.pycode.emca376_agile.py, is different (hard to figure out if this is the case, since there isn't a lot of material online describing it in detail.Cheers,
Tom
The text was updated successfully, but these errors were encountered: