Date : 05 juin 2020 à 11:15 — 30 min.
The Microsoft Security Response Center has a unique position in monitoring exploits in the wild. While we have seen several cases in the past years of exploits targeting Office applications, often PowerPoint or Word, exploits targeting online applications are less common. Are they only possible? And in which case, how would one attack the Office Web Application server (WAC)? Can a malicious document be used? How hard would that be, how much time would it take?
This is the story of a project realized during summer 2018 to try to answer these questions with Excel Online. This presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018-8331) and how one could chain Excel formulas together to get RCE on the server. The talk will detail the research from scratch up to showing a demo of the exploit against Excel OnPrem.