I calc’d Calc — Exploiting Excel Online

Дата: 26.02.2021. Автор: CISO CLUB. Категории: Подкасты и видео по информационной безопасности

The Microsoft Security Response Center has a unique position in monitoring exploits in the wild. While we have seen several cases in the past years of exploits targeting Office applications, often PowerPoint or Word, exploits targeting online applications are less common. Are they only possible? And in which case, how would one attack the Office Web Application server (WAC)? Can a malicious document be used? How hard would that be, how much time would it take?

This is the story of a project realized during summer 2018 to try to answer these questions with Excel Online. This short presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018-8331) and how one could chain Excel formulas together to get RCE on the server.

By Nicolas Joly

Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefings/schedule/#i-calcd-calc—exploiting-excel-online-20379

CISO CLUB

Об авторе CISO CLUB

Редакция портала cisoclub.ru. Добавляйте ваш материал на сайт в разделе "Разместить публикацию".
Читать все записи автора CISO CLUB

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *