[unisog] Anyone got a script that will detect bad excel files?
michael.holstein at csuohio.edu
Wed Jun 21 13:49:23 GMT 2006
The vulnerability lies in the ability to embed an "auto-launch" program
within the file (this was probably intended to have some cutesy flash
thing pop up when you opened a spreadsheet).
I'll play with it more later, but after doing several forensic
recoveries of Excel documents using a hex editor, all you'd need to do
is find the field marker for that type of action and do a regex match on it.
PS: note that not just .xls could be infected ... (among other things,
Excel considers *.xl* to be a valid Excel file)
Russell Fulton - ISO wrote:
> Like many of you we run Amavisd to do spam detection. It has the
> ability to start scripts under some conditions (like when there is an
> excel file as an attachment) passing the directory containing all the
> attachments to the script. We thought that this would be a good way of
> flagging suspect excel attachments.
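
Added example, not code from the original thread: a sketch of the kind of script the Amavisd hook could call, selecting candidates by the `*.xl*` pattern from the PS and by the OLE2 compound-file signature, then regex-matching a marker. The marker pattern, function names and sample files are assumptions; the post does not give the real field marker, so a labelled placeholder stands in for it.

```python
import fnmatch
import os
import re
import tempfile

# OLE2 compound-file signature (binary Excel workbooks, and other Office files).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# PLACEHOLDER: the real field marker is not given in the post; substitute your own.
PLACEHOLDER_MARKER = re.compile(rb"PLACEHOLDER-AUTOLAUNCH-MARKER")


def excel_reasons(path):
    """Return why a file should be treated as an Excel candidate (may be empty)."""
    reasons = []
    if fnmatch.fnmatch(os.path.basename(path).lower(), "*.xl*"):
        reasons.append("extension")
    with open(path, "rb") as fh:
        if fh.read(8) == OLE2_MAGIC:
            reasons.append("ole2-magic")
    return reasons


def scan_directory(directory, marker=PLACEHOLDER_MARKER):
    """Scan an attachment directory; return {relative_path: (verdict, reasons)}."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links out of the attachment directory
            reasons = excel_reasons(path)
            if reasons:
                with open(path, "rb") as fh:
                    verdict = "suspect" if marker.search(fh.read()) else "no-marker"
                results[os.path.relpath(path, directory)] = (verdict, reasons)
    return results


def demo():
    """Scan constructed sample attachments (not real Excel files)."""
    samples = {"report.XLS": OLE2_MAGIC + b"\x00" * 32,
               "budget.xlt": OLE2_MAGIC + b"..PLACEHOLDER-AUTOLAUNCH-MARKER..",
               "renamed.dat": OLE2_MAGIC + b"PLACEHOLDER-AUTOLAUNCH-MARKER",
               "notes.txt": b"plain text"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return scan_directory(d)
```

A hit on `ole2-magic` alone only means the file is an OLE2 container, so it catches renamed workbooks at the cost of also selecting other Office documents.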