I calc'd Calc - Exploiting Excel Online

Channel:
United States All Hacking Cons
Subscribers:
5,970
Published on ● Video Link: https://www.youtube.com/watch?v=H3gdiVTnHls


Duration: 41:04
2 views
0

Nicolas Joly | Security Engineer, Microsoft
Date: Thursday, August 6 | 11:00am-11:40am
Format: 40-Minute Briefings
Track: Exploit Development

The Microsoft Security Response Center has a unique position in monitoring exploits in the wild. While we have seen several cases in the past years of exploits targeting Office applications, often PowerPoint or Word, exploits targeting online applications are less common. Are they only possible? And in which case, how would one attack the Office Web Application server (WAC)? Can a malicious document be used? How hard would that be, how much time would it take?

This is the story of a project realized during summer 2018 to try to answer these questions with Excel Online. This short presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018-8331) and how one could chain Excel formulas together to get RCE on the server. This talk will detail the research from scratch up to showing a demo of the exploit against Excel OnPrem.

Black Hat - USA - 2020 Hacking conference
#hacking, #hackers, #infosec, #opsec, #IT, #security



Other Videos By All Hacking Cons


2022-01-09Black-Box Laser Fault Injection on a Secure Memory
2022-01-09EdTech- The Ultimate APT
2022-01-09HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges
2022-01-09Making an Impact from India to the Rest of the World by Building & Nurturing Women Infosec Community
2022-01-09Election Security: Securing America's Future
2022-01-09Breaking Brains, Solving Problems: Lessons Learned from Two Years for InfoSec Professionals
2022-01-09Emulating Samsung's Baseband for Security Testing
2022-01-09Hunting Invisible Salamanders: Cryptographic (in)Security with Attacker-Controlled Keys
2022-01-09Mind Games Using Data to Solve for the Human Element
2022-01-09Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot
2022-01-09I calc'd Calc - Exploiting Excel Online
2022-01-09Engineering Empathy: Adapting Software Engineering Principles and Process to Security
2022-01-09Multiple Bugs in Multi-Party Computation: Breaking Cryptocurrency's Strongest Wallets
2022-01-09Breaking VSM by Attacking SecureKernel
2022-01-09Escaping Virtualized Containers
2022-01-09Experimenting with Real Time Event Feeds
2022-01-09My Cloud is APT's Cloud Investigating and Defending Office 365
2022-01-09Building a Vulnerability Disclosure Program that Works for Election Vendors and Hackers
2022-01-09EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks
2022-01-09Exploiting Kernel Races through Taming Thread Interleaving
2022-01-09Needing the DoH: The Ongoing Encryption and Centralization of DNS


Tags:
data
hacker
security
computer
cyber
internet
technology
hacking
attack
digital
virus
information
hack
online
crime
password
code
web
concept
thief
protection
network
scam
malware
secure
identity
criminal
phishing
software
access
system
firewall
communication
spyware
hacked
hacking conference
conference
learn
how to
2022
2021
cybersecurity
owned
break in
google
securing
exploit
exploitation
recon
social engineering
Nicolas Joly
microsoft
security response
WAC
fnConcatenate
RCE
Excel