From: Darien Kindlund [kindlund@mitre.org]
Sent: Wednesday, February 09, 2005 11:28 AM
To: fnc@mitre.org
Subject: Re: Microsoft Releases 8 Critical Vulnerabilities - Gain root from simply opening an Office document

Hi Fred,

Fred Chase wrote:
> This reminded me of "POI" and a posting someone made -
> turns out it was you! (See below.)

Correct.

> Is COM Structured Storage the same as POI format?

Yes, but technically, there is no "POI format". "POI" is merely a library to read the file format that has many names:
- COM Structured Storage
- OLE Structured Storage
- OLE Compound Document Format

Further "customizations" of this basic format yield:
- Word File Format
- Excel File Format
- PowerPoint File Format
...etc.

> Also, I've been intending to get the source and jar for your
> MS File Format Manipulation Utility: would I still go to isf?

The version up on iSF is a little dated. Since then, we've augmented the tool's capability to recursively dissect embedded objects within PowerPoint (as well as Word/Excel, but PowerPoint has a completely new obfuscated layer). Most of the operations are still fairly low-level; if you'd like a short briefing on the underlying concepts of how this file format works, I'd be happy to provide one.

Various parts of the project are still undergoing development; if you'd like a more recent version of the code, I can try to obtain release authorization (with caveats) from my sponsor. At the very least, I can provide a demonstration of how the tool works, so you can assess its capabilities.

Feel free to let me know.

-- 
Darien Kindlund
The MITRE Corporation
InfoSec Engr / Scientist
kindlund@mitre.org - (703) 883-5858

> Subject: [iSF] MS File Format Manipulation Tool
> From: Darien Kindlund
> Date: Tue, 25 Nov 2003 15:32:40 -0500
> To: INFOSEC-LIST@lists.mitre.org
>
> Are you interested in Microsoft application file formats? With the release of the Windows 3.0/3.1 operating systems, Microsoft designed an interoperable file format designed for use with any Windows-based application, loosely known as the "MS OLE File System Specification."
>
> Analogous to .ZIP files, this MS file format stores data in a hierarchical file system-based structure, where directory and file entries are considered storages and streams, respectively. Revised in 1993, Microsoft released the MS OLE v2.0 File System Specification, also known as Structured Storage or Compound File Format. Microsoft has released this specification to application developers in order to promote its use, implementing the base format in all Office application versions since Office 95.
>
> As part of the work for my sponsor, I've released a Java-based "MS File Format Manipulation Utility," capable of:
>
> - Graphically viewing an internal OLE file system
> - Viewing the file system in binary (hex) form
> - Deleting specified storages/streams
> - Renaming specified storages/streams
> - Exporting specified storages/streams to another OLE file system or translated to physical directories/files
> - Importing specified storages/streams [via same methods]
> - Defragmenting an OLE file system (to remove unused space between storages/streams)
>
> Subsequently, this tool facilitates understanding application data within Microsoft Office file formats, such as PowerPoint, Word, and Excel. Microsoft has not released the technical implementation details regarding the OLE v2.0 File System Specification but provides a set of Windows libraries to access data within this format. However, other open-source efforts exist for manipulating this format.
>
> This work leverages an existing, open-source effort entitled the "Apache Jakarta Project: POI File System".
> URL: http://jakarta.apache.org/poi/index.html
>
> Note: POI stands for Microsoft's (P)oorly (O)bfuscated (I)mplementation of an internal file system.
>
> This project has a MITRE iSF project URL:
> http://developer.mitre.org/projects/oleutil/
>
> For detailed questions regarding this project's use, please email me directly (kindlund@mitre.org) rather than posting to the SourceForge website, as primary work on this project has been completed.
>
> Requirements:
> Java JRE v1.4.2
>
> Source (including JavaDOC) can be downloaded at:
> http://download.developer.mitre.org/oleutil/OLEUtil-src.tar.gz
>
> A complete .JAR file can be downloaded at:
> http://download.developer.mitre.org/oleutil/OLEUtil.jar
>
> Usage:
> With the java executable in your path, the basic command style is:
> "java -jar OLEUtil.jar [args]"
>
> For help, you would type: "java -jar OLEUtil.jar -help"
>
> Use Case Examples:
> - Let's say you want to graphically browse the "temp.doc" Word document.
> Type: "java -jar OLEUtil.jar -b temp.doc"
>
> - Let's say you want to get a basic hex output of the "temp.doc" Word document.
> Type: "java -jar OLEUtil.jar -h temp.doc"
> It would probably be helpful to pipe the output to a file, since it's usually long.
> Type: "java -jar OLEUtil.jar -b temp.doc > output.txt"
>
> - Let's say you want to delete the "Macros" storage in the "temp.doc" Word document.
> Type: "java -jar OLEUtil.jar -d temp.doc /Macros"
>
> - Let's say you want to rename the "Macros" storage to "OldMacros" in the "temp.doc" Word document.
> Type: "java -jar OLEUtil.jar -r temp.doc /Macros /OldMacros"
>
> - Let's say you want to export ALL storages/streams in the "temp.doc" Word document out to a directory.
> Create the subdirectory "test" by typing: "mkdir test".
> We're going to need to create a text file containing all entries to export.
> Create a "list.txt" file, with "/.*" as the only text in the file; this is a regular expression indicating we want to export all storages/streams from the root storage onward.
> Type: "java -jar OLEUtil.jar -e temp.doc list.txt test/"
>
> - Let's say you want to subsequently import ALL storages/streams within the "test" subdirectory into a new "temp2.doc" Word document.
> Type: "java -jar OLEUtil.jar -i temp.doc list.txt test/"
>
> - Let's say you want to defragment the "temp.doc" Word document.
> Type: "java -jar OLEUtil.jar -x temp.doc"
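The storage/stream hierarchy the quoted post describes is a FAT-linked sector structure, and walking it the way OLEUtil's browse mode does takes only a short parser. The Python below is an added example written for this page, not OLEUtil or POI code: it assembles a constructed three-sector compound file in memory (header, FAT, directory; names and sizes are made up) and lists its directory tree, refusing looping FAT chains and directory links instead of following them. It assumes the version 3 layout (512-byte sectors, FAT sector list held entirely in the header) and does not read stream contents or the mini stream.

```python
import struct
SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"                 # magic at offset 0 of every compound file
FREESECT, FATSECT, ENDOFCHAIN, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}

def dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, start=0, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"                 # 128-byte entry: name, type, tree links, size
    return (raw.ljust(64, b"\x00") + struct.pack("<HBBIII", len(raw), obj_type, 1, left, right, child)
            + b"\x00" * 36 + struct.pack("<IQ", start, size))

def build_sample():                                              # constructed file: FAT in sector 0, dir in 1
    header = SIGNATURE + b"\x00" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
    header += struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)   # 1 FAT sector, dir at 1
    header += struct.pack("<109I", 0, *[FREESECT] * 108)             # DIFAT: the single FAT sector is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *[FREESECT] * 125)
    directory = (dir_entry("Root Entry", 5, child=1) + dir_entry("WordDocument", 2, left=2, start=2, size=500)
                 + dir_entry("Macros", 1, child=3) + dir_entry("PROJECT", 2, size=100))
    return header + fat + directory + b"\x00" * 512

def read_sector(data, n, size):
    return data[(n + 1) * size:(n + 2) * size]                   # sector 0 begins right after the 512-byte header

def load_fat(data, size):                                        # FAT sectors are named in the header's DIFAT
    fat_sectors = [s for s in struct.unpack_from("<109I", data, 76) if s != FREESECT]
    return [x for s in fat_sectors for x in struct.unpack(f"<{size // 4}I", read_sector(data, s, size))]

def list_entries(data):                                          # walk the directory tree like a browse view
    if data[:8] != SIGNATURE: raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]            # sector shift 9 -> 512-byte sectors
    fat = load_fat(data, size)
    dirbytes, s, visited = b"", struct.unpack_from("<I", data, 48)[0], set()
    while s != ENDOFCHAIN:                                       # follow the directory's FAT chain, refusing loops
        if s in visited or s >= len(fat):
            raise ValueError(f"corrupt FAT chain at sector {s}")
        visited.add(s); dirbytes += read_sector(data, s, size); s = fat[s]
    entries = [dirbytes[i:i + 128] for i in range(0, len(dirbytes), 128)]
    out, seen = [], set()
    def visit(idx, path):                                        # in-order: left sibling, self, children, right
        if idx >= len(entries) or idx in seen:                   # NOSTREAM (0xFFFFFFFF) fails the range check
            return
        seen.add(idx); e = entries[idx]
        nlen, typ, _, left, right, child = struct.unpack_from("<HBBIII", e, 64)
        name = e[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
        visit(left, path)
        out.append((f"{path}/{name}", TYPES.get(typ, "unknown"), struct.unpack_from("<Q", e, 120)[0]))
        visit(child, f"{path}/{name}")
        visit(right, path)
    visit(struct.unpack_from("<I", entries[0], 76)[0], "")      # start at the Root Entry's child
    return out
```

Run `list_entries(build_sample())` to see the constructed tree (/Macros, /Macros/PROJECT, /WordDocument); a real document's directory is walked the same way once its bytes are loaded.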