| 1 | +We take security very seriously. |
| 2 | + |
| 3 | +If you believe you have found a security concern, please [file an issue](https://github.com/PowerShellWeb/OpenXML) describing the issue. |
| 4 | + |
| 5 | +Each project may have some special security considerations that you may need to be aware of. |
| 6 | + |
| 7 | +## Special Security Considerations |
| 8 | + |
| 9 | +OpenXML has some fairly unique security considerations. Any tooling for OpenXML will inherit these concerns. |
| 10 | + |
| 11 | +### OpenXML Smuggling |
| 12 | + |
| 13 | +OpenXML files are essentially `.zip` files with a different extension. |
| 14 | + |
| 15 | +As such, there is a grand history of using OpenXML and other archive files to hide exploits. |
| 16 | + |
| 17 | +Additionally, unrecognized content within an OpenXML document is often not displayed in any form of the editor. |
| 18 | + |
| 19 | +It is the opinion of the author that this would be a wonderful thing to flag during load. |
| 20 | + |
| 21 | +If you work on a program that edits OpenXML documents, please strongly consider this. |
| 22 | + |
| 23 | +As it stands, OpenXML smuggling is very easy. |
| 24 | + |
| 25 | +As this module can read and write OpenXML packages, it makes OpenXML smuggling both easier to perform and easier to detect. |
| 26 | + |
| 27 | +If you see this module deployed in unexpected places, please use this module to search for OpenXML smuggled content. |
| 28 | + |
| 29 | +### OpenXML Data Scanning |
| 30 | + |
| 31 | +Word, Excel, and PowerPoint files may all contain personally identifiable information. |
| 32 | + |
| 33 | +Any tool capable of automatically interacting with office documents can be used to scan for sensitive information. |
| 34 | + |
| 35 | +This can help the blue team find targets just as much as the red team. |
| 36 | + |
| 37 | +This is far from the first tool to automate OpenXML, and so this threat is not unique to this tool. |
| 38 | + |
| 39 | +It is always important to mind your PII, and this tool will help you locate this information. |
| 40 | + |
| 41 | +### OpenXML Microservers |
| 42 | + |
| 43 | +OpenXML files also contain content type information, which allows them to act as effecient servers. |
| 44 | + |
| 45 | +This can be quite useful for local multiprogram access and for development of small microservers. |
| 46 | + |
| 47 | +When used to serve an OpenXML document, these microservers may make it easy to exfiltrate information if they are exposed to the broader internet. |
| 48 | + |
| 49 | +If you see a public facing endpoint serving an OpenXML document, contact your network administrator and cybersecurity teams. |
| 50 | + |
| 51 | +Additionally, when combined with the OpenXML Smuggling techniques mentioned earlier, it is possible to host a server with _any_ content inside of an OpenXML file. |
| 52 | + |
| 53 | +Please use this tool to proactively scan for this possibility. |
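Review bot: the reporting instruction in line 3 of the new file sends security reports to a public issue, which discloses an unfixed weakness to everyone watching the repository before a patch exists; point reporters to a private channel instead (GitHub's private vulnerability reporting or a draft security advisory, or a maintainer e-mail address), and note that the link currently targets the repository root rather than an issue form. Minor wording: "effecient" in line 43 should be "efficient", and "public facing" in line 49 reads better as "public-facing". The Smuggling and Microservers sections also ask readers to "use this module" to search for smuggled content and to scan for exposed endpoints without naming the command that does it; a one-line pointer to the relevant cmdlet or a link to its documentation would make that guidance actionable.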