To reproduce the issue:
- download the EICAR test file here
Note: some AV software may recognize this file as a threat, but it does not contain an actual threat. The Excel file contains a DDE external link that launches PowerShell that prints out a text string. When loading the Workbook, the ExternalLink’s DataSource property shows the following value:
"cmd|/C powershell.exe -NoExit -e ZQBjAGgAbwAgACIAWAA1AE8AIQBQACUAQABBAFAAWwA0AFwAUABaAFgANQA0ACgAUABeACkANwBDAEMAKQA3AH0AYAAkAEUASQBDAEEAUgAtAFMAVABBAE4ARABBAFIARAAtAEEATgBUAEkAVgBJAFIAVQBTAC0AVABFAFMAVAAtAEYASQBMAEUAIQBgACQASAArAEgAKgAiAA==!A0"
The Base64 string decodes to the following string:
echo "X5O!P%@AP[4\PZX54(P^)7CC)7}`$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!`$H+H*"
- Run the following code:
var wb = new Workbook("eicar-excel-dde-cmd-powershell-echo.xlsx");
var extlink = wb.Worksheets.ExternalLinks[0];
extlink.DataSource = extlink.DataSource.Replace("ZQBjAGgAbwAgACIAWAA1AE8AIQBQACUAQABBAFAAWwA0AFwAUABaAFgANQA0ACgAUABeACkANwBDAEMAKQA3AH0AYAAkAEUASQBDAEEAUgAtAFMAVABBAE4ARABBAFIARAAtAEEATgBUAEkAVgBJAFIAVQBTAC0AVABFAFMAVAAtAEYASQBMAEUAIQBgACQASAArAEgAKgAiAA==", "ZQBjAGgAbwAgACIASABlAGwAbABvACwAIAB3AG8AcgBsAGQAIQAiAA=="); ;
wb.Save("output.xlsx");
The code above attempts to change the original ‘echo’ command, encoded to base64 in the original file, to a different ‘echo’ command that simply echoes “Hello, world!” to the console window.
But actually, after saving the file, output.xlsx has the same ExternalLink as the original input file.
Additionally, debugging the program, stepping over the line that assigns a new value to extlink.DataSource, you can see it stays the same! The setter did not actually set a new value to the DataSource property. This reproduces even if you try to assign a hard-coded string, e.g.:
extlink.DataSource = "Hello, World";
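When reviewing a workbook like the one in this report, the DataSource value can be split into its DDE parts and the PowerShell payload decoded for inspection. The following is an added example, not part of the original post or of Aspose.Cells; the app|topic!item split and all function names are assumptions based on the value shown above, and the sample link is constructed with the harmless "Hello, world!" payload.

```python
import base64
import binascii
import re

# "-name value" or "/name value" pairs whose value looks like base64.
_ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{4,}={0,2})")

def split_dde_link(data_source):
    """Split 'app|topic!item' into its parts (item is '' if there is no '!')."""
    app, sep, rest = data_source.partition("|")
    if not sep:
        raise ValueError("not a DDE link: no '|' separator")
    topic, sep, item = rest.rpartition("!")
    return (app, topic, item) if sep else (app, rest, "")

def is_encoded_command_flag(name):
    """PowerShell accepts any prefix of EncodedCommand, plus the alias 'ec'."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_commands(topic):
    """Decode every PowerShell -EncodedCommand argument found in the topic."""
    decoded = []
    for name, blob in _ARG.findall(topic):
        if not is_encoded_command_flag(name):
            continue
        try:
            # The payload is base64 over UTF-16LE text.
            raw = base64.b64decode(blob, validate=True)
            decoded.append(raw.decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            decoded.append(None)  # flag present, payload malformed
    return decoded

def triage(data_source):
    """Summarise one ExternalLink.DataSource string for review."""
    app, topic, item = split_dde_link(data_source)
    return {"app": app, "item": item, "decoded": decode_encoded_commands(topic)}

# Constructed sample: the link shape quoted in the post, carrying the harmless
# 'echo "Hello, world!"' payload that the post's code tries to write.
SAMPLE_B64 = base64.b64encode('echo "Hello, world!"'.encode("utf-16-le")).decode()
SAMPLE_LINK = "cmd|/C powershell.exe -NoExit -e " + SAMPLE_B64 + "!A0"

if __name__ == "__main__":
    print(triage(SAMPLE_LINK))
```

A `None` entry in `decoded` means an encoded-command flag was present but its argument was not valid base64 over UTF-16LE, which is itself worth a closer look.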
@Buffer2018,
I tried downloading your file “eicar-excel-dde-cmd-powershell-echo.xlsx” from the GitHub repo, but I think my antivirus refused to download/keep the file on the system. Anyway, I forcefully downloaded it and tried to open the file in MS Excel manually, but MS Excel prompted an error message and did not open the file; see the screenshot attached.
sc_shot1.png (73.1 KB)
My Excel opens it fine, but regardless of that, did you try executing the code I shared?
@Buffer2018,
My system removed the files (input and output) after some time, even though the code is being processed using Aspose.Cells. Anyways, could you please tell me which version of MS Excel opens your file fine? What settings did you use to make MS Excel open the file without any issues?
- I am using:
Microsoft® Excel® for Microsoft 365 MSO (Version 2401 Build 16.0.17231.20194) 64-bit
- I have created a similar version of the file that will open a PowerShell prompt that prints out ‘Hello World’:
eicar_clean.xlsx.zip (5.9 KB)
- The only change I made in Excel was not for Excel to open the file, but rather for Excel to run the action contained inside the file:
- In Excel, go to File > Options > Trust Center > Trust Center Settings.
- Select the External Content tab.
- Check the Enable Dynamic Data Exchange Server Launch (not recommended) checkbox.
But again, Excel should be able to read the file even without enabling this option.
When you open the file, Excel may display several warnings:
First: image.png (21.5 KB)
Then if you click ‘Enable’, it will show this message box:
image.png (17.9 KB)
Then if you click ‘Yes’, it should open a ‘CMD’ window:
image.png (3.4 KB)
@Buffer2018
By using sample files for testing, we can reproduce the issue. We found that the external DDE link data source is not replaced. Please refer to the attachment. output_net.zip (7.5 KB)
The sample code is as follows:
var wb = new Workbook(filePath + "eicar_clean.xlsx");
var extlink = wb.Worksheets.ExternalLinks[0];
extlink.DataSource = extlink.DataSource.Replace("ZQBjAGgAbwAgACIASABlAGwAbABvACwAIAB3AG8AcgBsAGQAIQAiAA==", "ZQBjAGgAbwAgACIASABlAGwAbABvACwAIAB3AG8AcgBsAGQAIQAiAA22222=="); ;
wb.Save(filePath + "output_net.xlsx");
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.
Issue ID(s): CELLSNET-55121
You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.
@Buffer2018,
This is to inform you that your issue (logged earlier as “CELLSNET-55121” ) has been resolved now. The fix will be included in the upcoming release (Aspose.Cells v24.3) that we plan to release in the first half of March (next month). You will be notified when the next version is released.
The issues you have found earlier (filed as CELLSNET-55121) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi