[unisog] Anyone got a script that will detect bad excel files?

Michael Holstein michael.holstein at csuohio.edu
Wed Jun 21 13:49:23 GMT 2006


The vulnerability lies in the ability to embed an "auto-launch" program 
within the file (this was probably intended to have some cutsie flash 
thing popup when you opened a spreadsheet).

I'll play with it more later, but after doing several forensic 
recoveries of excel documents using a hex editor, all you'd need to do 
is find the field marker for that type of action and do a regex match on it.

/mike.

PS: note that not just .xls could be infected .. among other things, 
Excel considers *.xl* to be a valid excel file)

Russell Fulton - ISO wrote:
> Hi,
> 	Like many of you we run Amavisd to do spam detection.  It has the
> ability to start scripts under some conditions (like when there is an
> excel file as an attachment) passing the directory containing all the
> attachments to the script.  We thought that this would be a good way of
> flagging suspect excel attachments.
> 
> Russell


More information about the unisog mailing list