This repository has been archived by the owner on Nov 9, 2020. It is now read-only.
PunKeel edited this page Mar 29, 2017 · 1 revision
How are RTF files sanitized?
RTF files are not that common nowadays, but the format is simple, which makes
it a perfect bleach example: short but complete.
An RTF file looks like a bunch of {\tag content} elements, where
tag describes what kind of element it is. For instance, {\p Hello, World}
creates a paragraph with the text "Hello, World" inside. Easy.
To my knowledge, apart from parser exploits, the only way to get malicious
software into an RTF file is the obj tag: it embeds OLE2 binary content (think
VBA macro, but unreadable) that may be an executable, an image, ... To sanitize
the RTF, we just replace every instance of "\obj" with "\0bj" (a zero instead of
the letter o). An RTF parser will skip the resulting tag because it does not
recognize it, and the exploit will likely fail.
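
The replacement described above, written out as an added example (not code from this project): it rewrites every "\obj" prefix at the byte level and also returns the control words it neutralized, so the result can be logged and checked. The function name `sanitize_rtf` and the sample document are constructed for illustration.

```python
import re

# Any control word that starts with "\obj" (for example \object, \objemb,
# \objdata). The trailing letters are captured only for reporting.
OBJ_WORD = re.compile(rb"\\obj([a-z]*)")


def sanitize_rtf(data: bytes):
    """Replace every "\\obj" with "\\0bj" and report what was rewritten.

    Works on raw bytes so the file is never decoded. The output has the same
    length as the input, so offsets into the document stay valid.
    Returns (sanitized_bytes, list_of_neutralized_control_words).
    """
    found = []

    def neutralize(match):
        found.append("obj" + match.group(1).decode("ascii"))
        # Swap the letter "o" for a zero; keep the rest of the word as is.
        return b"\\0bj" + match.group(1)

    # Note: this rewrites every occurrence, including "\obj" that appears as
    # escaped literal text. That alters some visible text but never leaves
    # an object tag intact.
    return OBJ_WORD.sub(neutralize, data), found


# Constructed sample: an embedded-object group with placeholder hex data.
SAMPLE = (
    rb"{\rtf1\ansi Hello, World"
    rb"{\object\objemb{\*\objdata 01050000}}}"
)

if __name__ == "__main__":
    clean, words = sanitize_rtf(SAMPLE)
    print(clean.decode("ascii"))
    print("neutralized:", words)
    # Post-condition: no object control word survives.
    assert b"\\obj" not in clean
```
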