[unisog] Anyone got a script that will detect bad excel files?

Paul FM paulfm at me.umn.edu
Wed Jun 21 15:16:26 GMT 2006


Any unregistered file type (like files with no extension) will be checked by 
Explorer/Internet Explorer to see if it has the magic header for an Excel 
file (or any Office document type) and will open in Excel if it is an Excel 
file (this stupid ability is to help people moving Office documents from old 
Macs).  I would use file to determine if the file is an Office document.  I 
believe Explorer has other file types it can determine automatically if they 
are not registered types in the system (media files, image files, etc).


Michael Holstein wrote:
> The vulnerability lies in the ability to embed an "auto-launch" program 
> within the file (this was probably intended to have some cutesy flash 
> thing pop up when you opened a spreadsheet).
> 
> I'll play with it more later, but after doing several forensic 
> recoveries of Excel documents using a hex editor, all you'd need to do 
> is find the field marker for that type of action and do a regex match on it.
> 
> /mike.
> 
> PS: note that not just .xls could be infected (among other things, 
> Excel considers *.xl* to be a valid Excel file)
> 
> Russell Fulton - ISO wrote:
>> Hi,
>> Like many of you we run Amavisd to do spam detection.  It has the
>> ability to start scripts under some conditions (like when there is an
>> Excel file as an attachment) passing the directory containing all the
>> attachments to the script.  We thought that this would be a good way of
>> flagging suspect Excel attachments.
>>
>> Russell

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
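
Added example, not part of the original posts: a Python script for the check discussed in this thread, identifying Office documents by the OLE2 magic header instead of the file name, over a directory of unpacked attachments like the one Amavisd passes to a script. The function names, labels and sample files are assumptions constructed for illustration; it identifies the file type only and does not look for the auto-launch field mentioned above.

```python
import fnmatch
import os
import sys
import tempfile

# OLE2 compound-file magic shared by legacy Office documents (.xls, .doc, .ppt).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def is_ole2(path):
    """True if the file content starts with the OLE2 magic header."""
    with open(path, "rb") as fh:
        return fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC

def classify(path):
    """None for non-Office content, else a label based on the file name."""
    if not is_ole2(path):
        return None
    name = os.path.basename(path).lower()
    if fnmatch.fnmatch(name, "*.xl*"):
        return "excel-extension"   # the *.xl* pattern noted in the thread
    if "." not in name:
        return "no-extension"      # would be opened by content sniffing
    return "other-extension"       # Office content under a non-Excel name

def scan(directory):
    """Walk an unpacked-attachment directory; return {relative path: label}."""
    hits = {}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            full = os.path.join(root, fname)
            label = classify(full)
            if label:
                hits[os.path.relpath(full, directory)] = label
    return hits

def demo():
    """Run scan() over constructed sample attachments (not real documents)."""
    samples = {"budget.xlt": OLE2_MAGIC, "part-00002": OLE2_MAGIC,
               "invoice.pdf": OLE2_MAGIC, "fake.xls": b"plain text"}
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in samples.items():
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(data)
        return scan(tmp)

if __name__ == "__main__":
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, label in sorted(hits.items()):
        print(f"{label}\t{rel}")
```

Run with a directory argument to scan it, or with no argument to scan the constructed samples.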