XLAM Archives | Outflank

So you think you can block Macros?

Pieter Ceelen | April 25, 2023

For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses.

In the first part of the blog we will discuss various Microsoft Office security controls on macros and add-ins, including their subtleties, pitfalls and offensive bypasses.
In the second part of this blog the concept of LOLdocs is further explained, detailing how vulnerabilities in signed MS Office content might be abused to bypass even strictly configured MS Office installs.

This blog is related to our BruCON talk on LOLdocs: legitimately signed Office documents where control flows can be hijacked for malicious purposes.

Tags: DLL, LOLdocs, Macro, MotW, Office, Phishing, Signing, VBA, XLAM, XLL

Read full post

A phishing document signed by Microsoft – part 2

Dima van de Wouw | January 7, 2022

This is the second part of our blog series in which we walk you through the steps of finding and weaponising other vulnerabilities in Microsoft signed add-ins. Our previous post described how a Microsoft-signed Analysis Toolpak Excel add-in (.XLAM) was vulnerable to code hijacking by loading an attacker controlled XLL via abuse of the RegisterXLL function.

In this post we will dive deep into a second code injection vulnerability in the Analysis Toolpak in relation to the use of the ExecuteExcel4Macro function in a Microsoft-signed Excel add-in. Furthermore, we will show that the Solver add-in is vulnerable to a similar weaknesses with yet another vector. In particular, we will discuss:

Walkthrough of the Analysis Toolpak code injection vulnerability patched by CVE-2021-28449
Exploitation gadgets for practical weaponisation of such a vulnerability
Weakness in Solver Add-in
Our analysis of Microsoft’s patch

Tags: Excel, Excel4, Macro, Office, Phishing, Signing, VBA, WebDAV, XLAM

Read full post

A phishing document signed by Microsoft – part 1

Dima van de Wouw | December 9, 2021

This blog post is part of series of two posts that describe weaknesses in Microsoft Excel that could be leveraged to create malicious phishing documents signed by Microsoft that load arbitrary code.

These weaknesses have been addressed by Microsoft in the following patch: CVE-2021-28449. This patch means that the methods described in this post are no longer applicable to an up-to-date and securely configured MS Office install. However, we will uncover a largely unexplored attack surface of MS Office for further offensive research and will demonstrate practical tradecraft for exploitation.

In this blog post (part 1), we will discuss the following:

The Microsoft Analysis ToolPak Excel and vulnerabilities in XLAM add-ins which are distributed as part of this.
Practical offensive MS Office tradecraft which is useful for weaponizing signed add-ins which contain vulnerabilities,

Tags: Excel, Office, Phishing, Signing, XLAM

Read full post

Archive

Need help right away?Call our emergency number

Need help right away?
Call our emergency number