[unisog] Anyone got a script that will detect bad excel files?
r.fulton at auckland.ac.nz
Wed Jun 21 17:58:27 GMT 2006
Michael Holstein wrote:
> The vulnerability lies in the ability to embed an "auto-launch" program
> within the file (this was probably intended to have some cutesy flash
> thing popup when you opened a spreadsheet).
> I'll play with it more later, but after doing several forensic
> recoveries of excel documents using a hex editor, all you'd need to do
> is find the field marker for that type of action and do a regex match on it.
Thanks Mike! I'll do some googling on parsing excel files... Anyone
know of any useful docs?
> PS: note that not just .xls could be infected .. (among other things,
> Excel considers *.xl* to be a valid excel file)
That's right, we use unix 'file' command to decide what type of file it is.
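
The content-based identification discussed in this thread (deciding by the file's bytes rather than by a *.xl* name), as an added Python example that is not part of the original message: it checks the OLE2 compound-file signature and walks the directory for a `Workbook` or `Book` stream. It only identifies Excel workbooks and does not look for the auto-launch marker, which the thread does not give; all function names and the sample file are constructed for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file signature
MAX_REGSECT = 0xFFFFFFFA                        # highest regular sector number
EXCEL_STREAMS = {"workbook", "book"}            # BIFF8 / BIFF5 stream names

def ole2_entry_names(data):
    """Return the directory entry names of an OLE2 file, or None if not OLE2."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    size = 1 << struct.unpack_from("<H", data, 30)[0]    # sector size
    if size not in (512, 4096):
        return None
    difat = struct.unpack_from("<109I", data, 76)        # FAT sector locations
    sector = struct.unpack_from("<I", data, 48)[0]       # first directory sector
    names, seen = [], set()
    while sector <= MAX_REGSECT and sector not in seen and (sector + 2) * size <= len(data):
        seen.add(sector)                                 # guards against chain loops
        for e in range((sector + 1) * size, (sector + 2) * size, 128):
            nlen = struct.unpack_from("<H", data, e + 64)[0]  # bytes incl. NUL
            if 2 <= nlen <= 64:
                names.append(data[e:e + nlen - 2].decode("utf-16-le", "replace"))
        # Follow the FAT chain to the next directory sector (header DIFAT only).
        idx, pos = divmod(sector, size // 4)
        fat_off = (difat[idx] + 1) * size + pos * 4 if idx < 109 else len(data)
        if fat_off + 4 > len(data):
            break
        sector = struct.unpack_from("<I", data, fat_off)[0]
    return names

def looks_like_excel(data):
    names = ole2_entry_names(data)
    return names is not None and any(n.lower() in EXCEL_STREAMS for n in names)

def make_sample(stream_name):
    """Constructed minimal OLE2 image: header, one FAT sector, one directory sector."""
    header = (OLE2_MAGIC + bytes(22) + struct.pack("<H", 9)     # sector shift @30
              + bytes(16) + struct.pack("<I", 1) + bytes(24)    # first dir sector @48
              + struct.pack("<109I", 0, *[0xFFFFFFFF] * 108))   # DIFAT @76
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *[0xFFFFFFFF] * 126)
    directory = bytearray(512)
    for i, name in enumerate(("Root Entry", stream_name)):
        raw = name.encode("utf-16-le")
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<H", directory, i * 128 + 64, len(raw) + 2)
    return header + fat + bytes(directory)
```

Calling `looks_like_excel(open(path, "rb").read())` on each attachment gives the same answer whatever the file is named.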