OfficeCat


OfficeCat is a command-line utility that checks Microsoft Office documents for the presence of potential exploit conditions.

The tool is used on Windows systems and is provided as a binary executable.

Things needed

  1. Feature requests
  2. Bug reports
  3. Malware
  4. Postcards
  5. Beer

If you use OfficeCat and can help with any of the above items, please send feature requests and bug reports to the Sourcefire VRT at vrt@sourcefire.com. All Postcards and beer can be sent to:
Sourcefire VRT
9780 Patuxent Woods Drive
Columbia, MD 21045 USA

If you have Malware to share, please contact the VRT at the above email address for instructions on how to get it to us.

Thanks for using OfficeCat.

Usage

  1. Unzip the archive
  2. Open a command shell
  3. Run the executable with the name of the document to check

Sample results for a vulnerable document are shown below:

C:\>officecat.exe ATest.doc
Sourcefire OFFICE CAT v2
* Microsoft Office File Checker *
Processing ATest.doc
VULNERABLE
        OCID: 5
        CVE-2006-6456
        Type: Word

OfficeCat for Windows

Download (OfficeCat.zip) - 03 Nov, 2010

OfficeCat for Linux

Download (officecat-wine.tgz) - 03 Nov, 2010

Note:
The Linux build of OfficeCat is built from our latest internal source tree against wine 0.9.9-0 ubuntu2.


Wine's implementation of StgOpenStorageEx generates some warnings during file processing, but these do not hamper functionality and can be safely ignored.
The warnings are sent to STDOUT and look something like this:

fixme:storage:StgOpenStorageEx Stub: calling StgOpenStorage, 
but ignoring pStgOptions and grfAttrs
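
Because the wine warnings share STDOUT with the results, anything that consumes OfficeCat output has to skip them. The following is an added example, not part of OfficeCat or Sourcefire's code: a Python parser for captured output in the format shown under Usage. The function name, the handling of several findings per file, and the treatment of files with no VULNERABLE line are assumptions; the sample text is constructed from the output shown on this page.

```python
import re

# Constructed sample: the page's example output with the wine warning mixed in.
SAMPLE = """\
Sourcefire OFFICE CAT v2
* Microsoft Office File Checker *
Processing ATest.doc
fixme:storage:StgOpenStorageEx Stub: calling StgOpenStorage,
but ignoring pStgOptions and grfAttrs
VULNERABLE
        OCID: 5
        CVE-2006-6456
        Type: Word
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_officecat(output):
    """Return one dict per 'Processing <file>' block in OfficeCat output.

    Assumption: each finding is an OCID line followed by its CVE and Type
    lines. vulnerable=False only means no finding was printed for the file.
    """
    results, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("fixme:"):
            continue  # wine stub warnings share STDOUT with the results
        if line.startswith("Processing "):
            current = {"file": line[len("Processing "):],
                       "vulnerable": False, "findings": []}
            results.append(current)
        elif current is None:
            continue  # banner lines before the first file
        elif line == "VULNERABLE":
            current["vulnerable"] = True
        elif line.startswith("OCID:"):
            current["findings"].append({"ocid": int(line.split(":", 1)[1])})
        elif current["findings"] and CVE_RE.match(line):
            current["findings"][-1]["cve"] = line
        elif current["findings"] and line.startswith("Type:"):
            current["findings"][-1]["type"] = line.split(":", 1)[1].strip()
        # any other line (e.g. a wrapped warning continuation) is ignored
    return results


if __name__ == "__main__":
    for result in parse_officecat(SAMPLE):
        print(result)
```
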

Vulnerabilities Checked by OfficeCat

CVE Entries:

CVE-2006-0001
CVE-2006-1301
CVE-2006-1306
CVE-2006-1308
CVE-2006-1540
CVE-2006-2492
CVE-2006-3014
CVE-2006-3086
CVE-2006-3431
CVE-2006-3432
CVE-2006-3493
CVE-2006-3590
CVE-2006-3656
CVE-2006-3864
CVE-2006-3865
CVE-2006-3875
CVE-2006-3876
CVE-2006-3877
CVE-2006-4534
CVE-2006-4694
CVE-2006-4700
CVE-2006-4701
CVE-2006-5994
CVE-2006-5995
CVE-2006-6456
CVE-2006-6561
CVE-2007-0027
CVE-2007-0030
CVE-2007-0031
CVE-2007-0515
CVE-2007-0671
CVE-2007-1203
CVE-2007-1214
CVE-2007-1756
CVE-2007-3029
CVE-2007-3030
CVE-2008-0081
CVE-2008-0111
CVE-2008-0114
CVE-2008-0115
CVE-2008-0116
CVE-2008-0117
CVE-2008-0118
CVE-2008-0119
CVE-2008-0120
CVE-2008-1088
CVE-2008-2244
CVE-2008-4024
CVE-2008-4026
CVE-2008-4837
CVE-2008-4841