Detecting Flash


The News - Adobe has a zero-day exploit being launched from Flash embedded in Word or Excel files. Details from ZDNet here.

Wouldn’t it be nice to tell MailMarshal to block office documents with flash embedded in them?

When MailMarshal sees one of these and unpacks the Excel it looks something like this:
938 18:21:12.124   Type=XLS,  size=122741,  Name=Filename.xls
4938 18:21:12.124     Type=EMF,  size=12098940,  Name=Extracted0.emf
No SWF file here; instead there is something called an EMF file. EMFs are not a container for files, rather they contain COMMANDS to execute, and any file is hidden in an EMF_COMMENT field as binary. It's a pretty odd way of doing it that was probably going to be exploited sooner or later - but I am sure there are very good reasons to do things in convoluted ways.

To detect this we have to look for that specific file type (Excel with Flash), which requires modifying the filetype.cfg library file to add custom signatures. The signatures that need to be added are:

46 57 53 - SWFE
43 57 53 - CWSE

This is only a workaround, as the signatures are very specific. If other in-the-wild examples are found, new signatures would need to be added. Bear in mind the manual nature of keeping this up to date.
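To show what those two signatures are actually matching, here is an added example (not from the original post and not MailMarshal code) that walks the EMF record structure the post describes and checks each EMR_COMMENT payload for an SWF header. The 46 57 53 (FWS) and 43 57 53 (CWS) signatures come from the post; the third magic, ZWS (5A 57 53), is added here because it is Adobe's LZMA-compressed SWF signature and the two rules above would miss it. The EMF record layout (4-byte type, 4-byte size, payload) and the EMR_COMMENT type value 0x46 are from the public EMF format; the sample EMF bytes are constructed for the demonstration, and the version/length sanity check is an assumption chosen to cut down false hits on a stray "FWS" text string.

```python
import struct

# Signatures from the post: 46 57 53 ('FWS', uncompressed) and 43 57 53 ('CWS',
# zlib-compressed). 5A 57 53 ('ZWS', LZMA-compressed) is added here as the third
# SWF signature defined by Adobe, which the post's two rules would miss.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

EMR_HEADER = 0x00000001   # first record of every EMF file
EMR_EOF = 0x0000000E      # last record
EMR_COMMENT = 0x00000046  # the record type that carries the embedded blob


def looks_like_swf(blob):
    """Mirror a filetype.cfg-style check: SWF magic at offset 0, plus a sanity
    check on the rest of the 8-byte SWF header so a stray 'FWS' text string
    does not trigger. Returns the magic as text, or None."""
    if len(blob) < 8 or blob[:3] not in SWF_MAGICS:
        return None
    version = blob[3]
    (declared_len,) = struct.unpack_from("<I", blob, 4)
    # Assumed bounds: the version byte is a small integer and the declared
    # uncompressed length must at least cover the header itself.
    if not (1 <= version <= 64) or declared_len < 8:
        return None
    return blob[:3].decode()


def emf_records(data):
    """Yield (record_type, payload) for each EMF record; stop on a bogus size."""
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            break  # truncated or malformed record: stop, never loop forever
        yield rtype, data[off + 8 : off + size]
        off += size


def swf_in_emf_comments(data):
    """Return (offset_within_comment, magic) for each SWF header found inside an
    EMR_COMMENT record. Every offset is scanned, not just 0, because the comment
    data usually carries a vendor identifier ahead of the embedded file."""
    hits = []
    for rtype, payload in emf_records(data):
        if rtype != EMR_COMMENT or len(payload) < 4:
            continue
        (data_size,) = struct.unpack_from("<I", payload, 0)
        comment = payload[4 : 4 + data_size]
        for magic in SWF_MAGICS:
            idx = comment.find(magic)
            while idx != -1:
                found = looks_like_swf(comment[idx:])
                if found:
                    hits.append((idx, found))
                idx = comment.find(magic, idx + 1)
    return hits


def build_test_emf(comment_blobs):
    """Constructed EMF-shaped bytes for testing: a dummy header record, one
    EMR_COMMENT per blob (padded to 4 bytes as EMF requires), then EMR_EOF."""
    records = [struct.pack("<II", EMR_HEADER, 88) + b"\x00" * 80]
    for blob in comment_blobs:
        payload = struct.pack("<I", len(blob)) + blob
        payload += b"\x00" * (-len(payload) % 4)
        records.append(struct.pack("<II", EMR_COMMENT, 8 + len(payload)) + payload)
    records.append(struct.pack("<II", EMR_EOF, 20) + b"\x00" * 12)
    return b"".join(records)


# Constructed samples: a harmless comment, and one carrying a fake SWF header
# (magic, version 10, declared length 120, then filler) behind a 4-byte vendor tag.
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 120) + b"\x00" * 24
CLEAN_EMF = build_test_emf([b"GDIC" + b"nothing to see here"])
SUSPECT_EMF = build_test_emf([b"GDIC" + b"label", b"ADBE" + FAKE_SWF])

if __name__ == "__main__":
    print("clean:", swf_in_emf_comments(CLEAN_EMF))      # []
    print("suspect:", swf_in_emf_comments(SUSPECT_EMF))  # [(4, 'FWS')]
```

The point of walking the records rather than grepping the whole EMF for the three bytes is that the signature only means anything inside an EMR_COMMENT payload; the same approach generalises to any other file type you want to flag inside an EMF, by swapping the magic list. The record walker stops on an impossible size instead of trusting it, which is the behaviour you want when the input is hostile by definition.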

Posted by Carlton Duston on 13 Apr 2011 | 0 comments
Tagged with News, Opinion, None
