This is the second part of our blog series in which we walk you through the steps of finding and weaponising other vulnerabilities in Microsoft-signed add-ins. Our previous post described how a Microsoft-signed Analysis Toolpak Excel add-in (.XLAM) was vulnerable to code hijacking by loading an attacker-controlled XLL via abuse of the RegisterXLL function.
In this post we will dive deep into a second code injection vulnerability in the Analysis Toolpak, this time related to the use of the ExecuteExcel4Macro function in a Microsoft-signed Excel add-in. Furthermore, we will show that the Solver add-in is vulnerable to a similar weakness via yet another vector. In particular, we will discuss:
- Walkthrough of the Analysis Toolpak code injection vulnerability patched by CVE-2021-28449
- Exploitation gadgets for practical weaponisation of such a vulnerability
- Weakness in Solver Add-in
- Our analysis of Microsoft’s patch