[unisog] Anyone got a script that will detect bad excel files?

Russell Fulton r.fulton at auckland.ac.nz
Wed Jun 21 17:58:27 GMT 2006



Michael Holstein wrote:
> The vulnerability lies in the ability to embed an "auto-launch" program 
> within the file (this was probably intended to have some cutsie flash 
> thing popup when you opened a spreadsheet).
> 
> I'll play with it more later, but after doing several forensic 
> recoveries of excel documents using a hex editor, all you'd need to do 
> is find the field marker for that type of action and do a regex match on it.

Thanks Mike!  I'll do some googling on parsing excel files...  Anyone
know of and useful docs?

> 
> /mike.
> 
> PS: note that not just .xls could be infected .. among other things, 
> Excel considers *.xl* to be a valid excel file)
> 
That's right, we use unix 'file' command to decide what type of file it is.

Russell.


More information about the unisog mailing list