
Hacking Excel Online: How to exploit Calc. Nicolas Joly (@n_joly)



  1. Hacking Excel Online – How to exploit Calc
  Nicolas Joly - @n_joly
  MSRC Vulnerabilities and Mitigations Team
  SSTIC – June 5th, 2020
  This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

  2. Office exploits?
  • Several in the past years, essentially logic issues
  • No exploit for memory corruption involving core Office features seen recently
  • CVE-2015-2545, a bug in the EPS font parser exploited in Word
  • What about Office Online?
  • Some issues found in the past
  • CVE-2016-3263, found by Mateusz “j00ru” Jurczyk, affecting GDI
  • Uninitialized memory
  • Triggerable in Office Online

  3. Office Online Server (formerly WAC)
  • Office Online Server (OOS)
  • Exchange – OWA
  • SharePoint

  4. Scope of the project
  • Is it possible to get an exploit against Office Online?
  • Where would an attacker go?
  • Do we need insider knowledge?
  • How much time would it take?
  • What would it look like?
  • What can be done better?

  5. Hacking Excel Online
  • Xlsrv.dll on the server, ~40 MB, using Excel’s core functionalities
  • A bug affecting Desktop Excel will likely affect Excel Online
  • How to start? Fuzzing?
  • In 2019 the MSRC received 50+ cases affecting Excel
  • Excel has been fuzzed for 20 years
  • Can we try fuzzing for a limited period of time and hope to find a cool bug?
  • Running a smart fuzzer on the cloud?
  • Also, what does a “cool bug” look like?
  • What are we looking for exactly?

  6. No scripting but… Formulas!
  • Exploiting without interaction?
  • Uncommon but happens
  • https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
  • Formulas!
  • Easy to manipulate/craft a file (XLSX, XLSB, XLS)
  • Provide interaction with the server
  • Lots of features (Math, Text, Finance)

  7. No scripting but… Formulas!
  • How does the average exploit behave?
  • Set/Get variables => INDIRECT formula for getter, cannot set
  • Heap spray, allocate strings quickly => REPT formula
  • If / Switch case statements => IF/IFS/SWITCH formulas
  • Iterating over arrays => (V/H/X)LOOKUP formulas
  • Use string routines => MID, SEARCH, REPLACE formulas
  • Eval() => Unlikely, macros are unsupported, Evaluate() is an embedded macro
  • Free / allocate objects => ???
  • Automatic / manual recalc
  • For example:

  8. Looking at Excel formulas
  • Back in 2008, CVE-2008-4019 – Integer Overflow in REPT formula
  • The vulnerability: REPT(“AAAA”, 1073741825)
  • 4 * 1073741825 = 4 * 0x40000001 = … = 4 on 32 bits!
  • Was leading to an exploitable stack overflow
  • 10 years later? What happened to that bug?

  9. Looking at Excel formulas
  • CbAllocSafe now checks the parameters
  • Can we find anything similar?
  • 3 refs in fnConcatenate?

  10. Looking at Excel formulas
  • Look at that!
  • Quick X-Ref on fnConcatenate: what is “TEXTJOIN”?

  11. Looking at Excel formulas: TEXTJOIN
  • Syntax:
  • Example:

  12. Looking at Excel formulas: TEXTJOIN
  • This formula was extended in 2015 to support 3D references
  • That’s the code in question:
  • And to trigger: TEXTJOIN(Sheet2:Sheet10!A1:KZB529328,TRUE,"AAAA","BBBB","CCCC")
  • A1:KZB529328 is an array of… 0x100000060 cells
  • CVE-2018-8574

  13. Exploitation, straightforward?
  • Three loops to follow, to iterate over sheets, rows and columns:
  • We’re writing pointers to Strings
  • No re-entrancy
  • But the good news is…
  • We can exit safely!
  • => controlled overflow

  14. Exploitation, straightforward?
  • Excel only supports up to 1048576 rows and 16384 columns:
  • r < 0x100000, c < 0x4000, s (sheets) and c*r*s > 0x100000000
  • A1:KZB529328 fits perfectly in there
  • Since we’re causing an exception, everything is free()’d before fnConcatenate returns:
  • Integer overflow => heap overflow => use-after-free!
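The two bugs on slides 8 and 12–14 are the same arithmetic mistake: a size is computed as a 32-bit product and the wrapped value is what gets allocated. The following C program is an added example, not Excel's code and not the CbAllocSafe routine the slides mention; it reimplements the idea of a checked size computation (`mul_u32`, `range_cells_checked`, `rept_bytes_checked` are hypothetical names) next to the naive product, and includes a small A1-reference parser (`column_index`, `parse_range`, also assumed) so the slides' own input can be fed to it. The row and column limits and the input values come from the slides; the parser reproduces the 0x100000060 figure for A1:KZB529328, and the checked version rejects that range even though each dimension is within Excel's limits, which is exactly why a per-dimension check alone is not enough.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical checks, not Excel's code. Limits and sample values are from the slides. */
#define MAX_ROWS 1048576u   /* Excel's row limit, per the slides */
#define MAX_COLS 16384u     /* Excel's column limit, per the slides */

/* Multiply two 32-bit sizes, reporting overflow instead of silently wrapping. */
static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out) {
    uint64_t p = (uint64_t)a * b;            /* exact product needs 64 bits */
    if (p > UINT32_MAX) return false;
    *out = (uint32_t)p;
    return true;
}

/* A1-style column label ("A", "AA", "KZB") to a 1-based index; 0 on bad input. */
uint32_t column_index(const char *label) {
    uint32_t idx = 0;
    if (label == NULL || *label == '\0') return 0;
    for (const char *p = label; *p; ++p) {
        if (!isalpha((unsigned char)*p)) return 0;
        idx = idx * 26 + (uint32_t)(toupper((unsigned char)*p) - 'A' + 1);
    }
    return idx;
}

/* Parse "A1:KZB529328" into a column count and a row count; false if malformed. */
bool parse_range(const char *ref, uint32_t *cols, uint32_t *rows) {
    char c1[8], c2[8];
    unsigned long r1, r2;
    uint32_t i1, i2;
    if (sscanf(ref, "%7[A-Za-z]%lu:%7[A-Za-z]%lu", c1, &r1, c2, &r2) != 4) return false;
    i1 = column_index(c1);
    i2 = column_index(c2);
    if (i1 == 0 || i2 < i1 || r1 == 0 || r2 < r1) return false;
    *cols = i2 - i1 + 1;
    *rows = (uint32_t)(r2 - r1 + 1);
    return true;
}

/* Unchecked 32-bit cell count of a 3D range: the arithmetic that wraps.
 * Returns 0 if the reference cannot be parsed. */
uint32_t range_cells_wrapping(const char *ref, uint32_t sheets) {
    uint32_t cols, rows;
    if (!parse_range(ref, &cols, &rows)) return 0;
    return cols * rows * sheets;             /* wraps modulo 2^32 */
}

/* Checked cell count: -1 if the reference is malformed, exceeds the per-dimension
 * limits, or would overflow 32 bits; otherwise the exact count. */
int64_t range_cells_checked(const char *ref, uint32_t sheets) {
    uint32_t cols, rows, n;
    if (!parse_range(ref, &cols, &rows)) return -1;
    if (cols > MAX_COLS || rows > MAX_ROWS || sheets == 0) return -1;
    if (!mul_u32(cols, rows, &n)) return -1;  /* A1:KZB529328 is rejected here */
    if (!mul_u32(n, sheets, &n)) return -1;
    return (int64_t)n;
}

/* Size of REPT(text, count) as the unchecked 32-bit product (the CVE-2008-4019 shape). */
uint32_t rept_bytes_wrapping(uint32_t text_len, uint32_t count) {
    return text_len * count;                 /* 4 * 0x40000001 wraps to 4 */
}

/* Checked REPT size: -1 on overflow. */
int64_t rept_bytes_checked(uint32_t text_len, uint32_t count) {
    uint32_t n;
    return mul_u32(text_len, count, &n) ? (int64_t)n : -1;
}

int main(void) {
    printf("KZB -> column %u\n", column_index("KZB"));
    printf("A1:KZB529328 x 9 sheets: wrapping=%u checked=%lld\n",
           range_cells_wrapping("A1:KZB529328", 9),
           (long long)range_cells_checked("A1:KZB529328", 9));
    printf("REPT 4 chars x 1073741825: wrapping=%u checked=%lld\n",
           rept_bytes_wrapping(4, 1073741825u),
           (long long)rept_bytes_checked(4, 1073741825u));
    return 0;
}
```

Running it shows 8114 columns by 529328 rows, whose product is 0x100000060 and therefore 0x60 after truncation, and the checked routine returning -1 for the same input while accepting ordinary ranges; the check is done at each multiplication, since the intermediate product can already exceed 32 bits before the sheet count is applied.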

  15. Exploitation, straightforward?
  • Strings make a great primitive
  • Excel stores those as SIZE (two bytes) + String
  • Overwriting the size of a string with a pointer gives read access on the heap
  • Here’s the plan for an infoleak:
  • Spray the heap with strings with REPT
  • Free some strings by using formulas to change a few cells
  • Allocate our vulnerable buffer in between
  • Overwrite a string length with a pointer
  • Read stuff, find some vtable and enjoy!
  • Here’s why it fails:
  • CTRL-Z, or why UNDO makes things unfriendly!

  16. Exploitation, straightforward?
  • Making holes in the heap is not trivial
  • Create lots of actions to fill up the Undo stack?
  • A possible solution: recalc the workbook
  • Flush the cache and free everything
  • Undo not possible afterwards
  • Complicates the exploit and requires user interaction (or script)
  • Save the file and create additional overhead
  • Overwriting a length by a pointer can cause a read AV
  • But when it works…

  19. Exploitation, straightforward?
  • Leaking was the easy part, but leaking what?
  • Looked first at all the formulas
  • Saw nothing using C++ objects or vtables :/
  • Looked at Charts
  • Failed to get a RW primitive :/

  20. Exploitation, straightforward?
  • Eventually went for the easy way
  • Leaked a Graph object vtable
  • Built a ROP to load a library
  • Major issue: doesn’t scale if we don’t know xlsrv.dll
  • To trigger, add a Graph, overwrite its vtable and just resize it
  • Will trigger a vtable call
  • Didn’t work? Just retry

  21. Demo

  22. Wrapping up
  • A cool exploit written for Excel Online
  • Shows exploits are possible and feasible for Office Online
  • Two exploitable CVEs uncovered: CVE-2018-8331 and CVE-2018-8574
  • Would we see the same exploit in the cloud?
  • Unlikely, holes in the heap are difficult to secure
  • Raises more questions
  • Can we do the same on Office Desktop?
  • What about the other Office applications?
  • Once on the server, what can we do?
  THANK YOU

  23. References
  • Mateusz “j00ru” Jurczyk - Windows Metafiles – PacSec 2016
  • https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
  • CVE-2008-4019 – Integer Overflow in REPT formula
  • TEXTJOIN function
