Weird issue when using emca376_agile as an import #81
Comments
Thank you for relaying! After doing some investigation into the issue, I found that it seems that OneNote embedded objects do not renew IVs for AES-CBC every 4096 bytes as described in the MS-OFFCRYPTO spec, despite their close similarity. (This is the reason why the corruptions happen only around the boundaries.) I also found that both msoffcrypto-tool and one-extract need some small fixes regarding decryption. They haven't caused this problem, however. I'll report them later.
Hey Nolze, The only reasonable documentation we found was: I'll keep an eye on this thread if you have any more details concerning this part of your reply:
Thanks,
Hello,
We maintain a small tool for extracting embedded objects in OneNote documents here:
https://github.com/volexity/threat-intel/tree/main/tools/one-extract
One of the things that is supported is the extraction of password-protected objects, for this we were using the following method from your library:
https://github.com/nolze/msoffcrypto-tool/blob/master/msoffcrypto/method/ecma376_agile.py
One user noticed that at each 4096 byte boundary there were 16 bytes of invalid data that were being added and provided test case files illustrating the issue:
volexity/threat-intel#7
We have added a temporary fix here:
volexity/threat-intel@42dc4f4
It's not 100% clear why our temporary fix (setting the SEGMENT_LENGTH value to a size greater than the size of the file) works, some possible hypotheses are:
emca376_agile.py code.
emca376_agile.py, is different (hard to figure out if this is the case, since there isn't a lot of material online describing it in detail).
Cheers,
Tom
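The symptom reported in this issue (16 invalid bytes at each 4096-byte boundary) and the explanation given in the comments (IVs not renewed per segment) can be reproduced with the following added example, which is not code from this thread, msoffcrypto-tool or one-extract. It assumes a stand-in Feistel block cipher instead of AES, a per-segment IV derived as a hash of salt and segment index, a writer that starts its single CBC stream with the segment-0 IV, and constructed key, salt and plaintext values.

```python
import hashlib
import struct
BLOCK = 16             # AES block size in bytes
SEGMENT_LENGTH = 4096  # segment size discussed in the thread

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    # Stand-in Feistel block cipher, NOT AES; CBC behaviour is cipher-independent.
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r
def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    # P_i = D(C_i) xor C_(i-1): a wrong IV damages only the first block.
    blocks = [iv] + [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def segment_iv(salt, index):
    # Assumption: per-segment IV = hash(salt || uint32 LE index), one block long.
    return hashlib.sha512(salt + struct.pack("<I", index)).digest()[:BLOCK]
def decrypt_segmented(key, salt, data, segment_length=SEGMENT_LENGTH):
    # Reader that restarts CBC with a fresh IV at every segment boundary.
    return b"".join(cbc_decrypt(key, segment_iv(salt, n), data[o:o + segment_length])
                    for n, o in enumerate(range(0, len(data), segment_length)))
def corrupted_offsets(good, bad):
    return [i for i in range(0, len(good), BLOCK) if good[i:i + BLOCK] != bad[i:i + BLOCK]]

# Constructed sample: three segments written as ONE continuous CBC stream.
KEY, SALT = b"K" * 16, b"S" * 16
PLAIN = bytes(i % 251 for i in range(3 * SEGMENT_LENGTH))
CIPHER = cbc_encrypt(KEY, segment_iv(SALT, 0), PLAIN)
print(corrupted_offsets(PLAIN, decrypt_segmented(KEY, SALT, CIPHER)))
```

Passing a `segment_length` larger than the data makes the reader treat the stream as one segment, which is why the temporary `SEGMENT_LENGTH` change removes the corruption.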