Compound File incorrectly recognised as FPX

Started by decalage, September 25, 2019, 04:14:30 PM


decalage

Hello, I would like to report a bug in ExifTool:
In some cases it reports that a file type is FPX/FlashPix, whereas it is another kind of Compound File (starting with "D0CF11E0").
For example, files from MS Office 2007+ (Word, Excel, PowerPoint) may contain VBA macros. The macros are stored in a file named vbaProject.bin inside the MS Office file itself, which is a ZIP archive.
The problem is that vbaProject.bin is also a Compound File, just like FPX. But the streams inside are different.
So I think ExifTool should be able to distinguish FPX files by checking if they actually contain FPX-specific streams and data.
When it's not an actual FPX file, it should report that it is an unknown compound file.

1) Your system type: Windows 10
2) The ExifTool version you are using: 11.65
3) The specific command line you are using: "exiftool(-k).exe" vbaProject.bin
4) The console output from the command:

"exiftool(-k).exe" vbaProject.bin
ExifTool Version Number         : 11.65
File Name                       : vbaProject.bin
Directory                       : .
File Size                       : 7.5 kB
File Modification Date/Time     : 1979:12:31 23:00:00+01:00
File Access Date/Time           : 2019:09:25 22:08:05+02:00
File Creation Date/Time         : 2019:09:25 22:08:05+02:00
File Permissions                : rw-rw-rw-
File Type                       : FPX
File Type Extension             : fpx
MIME Type                       : image/vnd.fpx


5) It is often useful to attach a sample image which exhibits the problem: see attached vbaProject.bin

Thank you.
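
The stream-name check suggested in the post above, sketched as an added example (not part of the thread and not ExifTool's code). The function names are hypothetical, `build_sample` produces a constructed minimal test file, the FlashPix marker `\x05Image Contents` is an assumption, and only the 109 DIFAT slots in the header are followed.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # Compound File signature
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
VBA_MARKERS = {"_VBA_PROJECT", "dir"}          # streams a VBA project contains (MS-OVBA)
FPX_MARKERS = {"\x05Image Contents"}           # assumption: FlashPix property-set stream

def entry_names(data):
    """List storage/stream names from the directory (flat; hierarchy ignored)."""
    if len(data) < 512 or data[:8] != MAGIC or data[30:32] not in (b"\x09\x00", b"\x0c\x00"):
        raise ValueError("not a Compound File")
    size, first_dir = 1 << data[30], struct.unpack_from("<I", data, 48)[0]
    def sector(n):                                          # sector n follows the header
        return data[(n + 1) * size:(n + 2) * size]
    fat = []                                                # header DIFAT only (109 slots)
    for s in struct.unpack_from("<109I", data, 76):
        if s != FREESECT and len(sector(s)) == size:        # skip unused/truncated sectors
            fat += struct.unpack("<%dI" % (size // 4), sector(s))
    names, n, seen = [], first_dir, set()
    while n < len(fat) and n not in seen:                   # ends on ENDOFCHAIN or a loop
        seen.add(n)
        sec = sector(n)
        for off in range(0, len(sec) - 127, 128):           # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", sec, off + 64)
            if kind in (1, 2, 5) and 2 <= name_len <= 64:   # storage, stream, root
                names.append(sec[off:off + name_len - 2].decode("utf-16-le", "replace"))
        n = fat[n]
    return names

def classify(data):
    names = set(entry_names(data))
    if VBA_MARKERS <= names:
        return "VBA project"
    if FPX_MARKERS & names:
        return "FlashPix"
    return "unknown compound file"

def build_sample(entries):
    """Constructed input: header + one FAT sector + one directory sector (max 4 entries)."""
    header = struct.pack("<8s16s5H6s9I109I", MAGIC, b"", 0x3E, 3, 0xFFFE, 9, 6, b"",
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    directory = b"".join(name.encode("utf-16-le").ljust(64, b"\0")
                         + struct.pack("<HB", 2 * len(name) + 2, kind) + bytes(61)
                         for name, kind in entries)
    return header + fat + directory.ljust(512, b"\0")

if __name__ == "__main__":
    print(classify(build_sample([("Root Entry", 5), ("VBA", 1), ("dir", 2), ("_VBA_PROJECT", 2)])))
```
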

Phil Harvey

Historically, any unrecognized compound file is reported as being a FlashPix file.  This is because FlashPix is the first compound file format supported by ExifTool. 

I could perhaps implement your suggestion, but it would be some work for not much gain.  FlashPix is essentially a dead format, so you can assume that anything identified as FlashPix is just an unknown compound file.

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

decalage

OK, I fully understand it would be too much work for little benefit.

Maybe a simple solution would just be to report file type as "FPX or unknown compound file"?

This is just to avoid people incorrectly classifying files as FPX when they rely on ExifTool.
For context, I noticed the issue when I read this article, which mentions malicious macros stored in FPX files within Office documents, which sounded strange to me:
https://blog.prevailion.com/2019/09/autumn-aperture-report.html
And the answer:
https://twitter.com/dadamitis/status/1176892684356726784


Phil Harvey

For now, I've just added this to the FlashPix Tags documentation:

Note that ExifTool identifies any unrecognized Windows Compound Binary file as a FlashPix (FPX) file.

- Phil