[unisog] Anyone got a script that will detect bad excel files?

Sergent, Phil sergent at marshall.edu
Wed Jun 21 15:18:54 GMT 2006

From Security Focus:

Microsoft Excel Unspecified Remote Code Execution Vulnerability


Phil Sergent                      Systems  Programmer   
Marshall University  -  Computing Services - Systems
One John Marshall Drive
Drinko Library 422a
Huntington, WV  25755-5320
304/696-3689 (Desk) 
304/634-1725 (Business ONLY Cell)
304/696-3601 (FAX)
Email & MSN Instant Message 
                    Contact: sergent at marshall.edu
"You can't depend on your eyes when your imagination is out of focus." 
Mark Twain

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Michael Holstein
Sent: Wednesday, June 21, 2006 9:49 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Anyone got a script that will detect bad excel

The vulnerability lies in the ability to embed an "auto-launch" program 
within the file (this was probably intended to have some cutesy flash 
thing pop up when you opened a spreadsheet).

I'll play with it more later, but after doing several forensic 
recoveries of Excel documents using a hex editor, all you'd need to do 
is find the field marker for that type of action and do a regex match on


PS: note that not just .xls could be infected .. among other things, 
Excel considers *.xl* to be a valid Excel file.

Russell Fulton - ISO wrote:
> Hi,
> Like many of you we run Amavisd to do spam detection.  It has the
> ability to start scripts under some conditions (like when there is an
> Excel file as an attachment) passing the directory containing all the
> attachments to the script.  We thought that this would be a good way
> of flagging suspect Excel attachments.
> Russell
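
Added example, not part of the original thread and not code from any of the posters: a Python script of the kind Russell describes, taking the attachment directory as its argument and flagging files that are Excel by name (the *.xl* pattern from Michael's PS) or by content (an OLE2 compound file containing a "Workbook" or "Book" stream). It does not look for the field marker Michael mentions, which the thread does not give; the function names and reason strings are assumptions made for this example.

```python
import fnmatch
import struct
import sys
from pathlib import Path

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature
END = 0xFFFFFFFA  # sector ids at or above this are markers, not real sectors

def ole2_entry_names(data):
    """Directory entry names of an OLE2 file; [] if not OLE2, partial if malformed."""
    names = []
    if data[:8] != OLE2_MAGIC:
        return names
    try:
        shift = struct.unpack_from("<H", data, 30)[0]
        if shift not in (9, 12):              # 512- or 4096-byte sectors only
            return names
        size = 1 << shift
        fat = []                              # FAT built from the header DIFAT only
        for s in struct.unpack_from("<109I", data, 76):
            if s < END:
                fat += struct.unpack_from("<%dI" % (size // 4), data, (s + 1) * size)
        sect, seen = struct.unpack_from("<I", data, 48)[0], set()
        while sect < END and sect not in seen:    # walk the directory chain
            seen.add(sect)
            base = (sect + 1) * size
            for off in range(base, base + size, 128):
                raw, nlen = struct.unpack_from("<64sH", data, off)
                if 2 <= nlen <= 64:
                    names.append(raw[:nlen - 2].decode("utf-16-le", "replace"))
            sect = fat[sect] if sect < len(fat) else END
    except struct.error:                      # truncated or corrupt: keep what we have
        pass
    return names

def classify(path):
    """Reason string if the file looks like Excel by name or content, else None."""
    path = Path(path)
    by_name = fnmatch.fnmatch(path.name.lower(), "*.xl*")
    streams = {n.lower() for n in ole2_entry_names(path.read_bytes())}
    by_content = bool(streams & {"workbook", "book"})   # BIFF8 / BIFF5 stream names
    if by_content:
        return "excel" if by_name else "excel-content-other-name"
    return "xl-name-not-ole2-workbook" if by_name else None

def scan_dir(directory):
    """Map file name -> reason for every flagged file in the attachment directory."""
    hits = {p.name: classify(p) for p in sorted(Path(directory).iterdir()) if p.is_file()}
    return {name: why for name, why in hits.items() if why}

if __name__ == "__main__":
    for name, why in scan_dir(sys.argv[1]).items():
        print(f"{why}\t{name}")
```

Only the FAT sectors listed in the file header are followed, so a very large workbook whose directory lies beyond them is reported by name only.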