I calc'd Calc - Exploiting Excel Online

Conference: BlackHat USA 2020



The presentation discusses the process of finding vulnerabilities in Excel Online and the potential for exploiting its formulas. It also touches on the limitations of detection capabilities and the rarity of one-shot exploits.
  • Excel Online runs on an IIS server and contains most of Excel desktop's core functionality, making it vulnerable to bugs affecting desktop Excel
  • Finding a bug in Excel Online requires careful consideration of mitigations and the type of bug being sought
  • Excel formulas offer potential for exploitation, as they contain functions similar to those found in JavaScript
  • One-shot exploits that bypass all mitigations are rare, with most exploits targeting web browsers or kernel APIs
  • Detection capabilities for deeply malicious Excel formulas are limited
The speaker shares their experience of exploiting Excel in their previous job and their curiosity to see if they could find a bug in Excel Online using Microsoft resources. They also mention the rarity of one-shot exploits and give an example of Chris Evans' exploit targeting an image format that bypassed all mitigations.


The Microsoft Security Response Center has a unique position in monitoring exploits in the wild. While we have seen several cases in the past years of exploits targeting Office applications, often PowerPoint or Word, exploits targeting online applications are less common. Are they even possible? And if so, how would one attack the Office Web Application server (WAC)? Can a malicious document be used? How hard would that be, how much time would it take? This is the story of a project carried out during summer 2018 to try to answer these questions with Excel Online. This short presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018-8331) and how one could chain Excel formulas together to get RCE on the server. This talk will detail the research from scratch up to showing a demo of the exploit against Excel OnPrem.