View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002096||libextractor||plugins||public||2012-01-21 17:57||2012-01-26 20:37|
|Reporter||Christian Grothoff||Assigned To|
|Product Version||current SVN|
|Summary||0002096: extract user name from file protection records in MS office formats|
|Description||Section 4.19 says something about a user name for write access in Excel documents (see attached file). This would be something useful to extract (as well as the rest of the access permission information).|
|Tags||No tags attached.|
excelfileformat.pdf (1,196,627 bytes)
Also of interest are the 220.127.116.11 OLE Property sets (in [MS-OSHARED].pdf in the zip file from the page linked above). We might be getting some of those already, couldn't hurt to double-check though. The following subsections (up to 18.104.22.168.3.2) are also interesting.
22.214.171.124.1 PropertySetSystemIdentifier might also give a bit of information (OS).
I wonder if the applicationCIsid in the DocumentSummaryInfoStream (page 146 in the above-mentioned document) is really always all-zeros, or if there is a unique identifier for the Office installation in there. We should check...
would seem to give a way to find the CISID of locally installed apps. Given that bit pattern, we could then just check if a file created on the system contains the pattern at all (this might depend on the specific Office version, maybe only older versions used this?).
|2012-01-21 17:57||Christian Grothoff||New Issue|
|2012-01-21 17:57||Christian Grothoff||File Added: excelfileformat.pdf|
|2012-01-21 18:28||Christian Grothoff||Note Added: 0005331|
|2012-01-21 19:34||Christian Grothoff||Note Added: 0005332|
|2012-01-21 19:37||Christian Grothoff||Note Edited: 0005332|
|2012-01-21 19:39||Christian Grothoff||Note Edited: 0005332|
|2012-01-21 19:42||Christian Grothoff||Note Added: 0005333|
|2012-01-21 19:45||Christian Grothoff||Note Edited: 0005333|
|2012-01-26 20:37||Christian Grothoff||Severity||block => feature|