BruCON 0x0E has ended
Back To Schedule
Thursday, September 29 • 17:00 - 18:00
LOLDocs: Sideloading in Signed Office files

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
In recent years companies and Microsoft have increased hardening against malicious Office documents. Hence, we started a quest for unexplored Office features that could be abused for phishing. After various research directions, we identified “code side-loading in signed documents” as an innovative approach for phishing.

We identified vulnerabilities in various Microsoft signed Office add-in’s and believe that there are many more unidentified. For example, the MS Office installation comes with signed Microsoft Analysis ToolPak Excel add-ins (.XLAM file type) which are vulnerable to multiple code injections (CVE-2021-28449). An attacker can abuse the provided file (LOLFile) and embed malicious code without invalidating the signature for use in phishing scenarios.

This presentation will cover the process of finding, exploiting and weaponising this class of vulnerabilities and the complexities in mitigations.

avatar for Pieter Ceelen

Pieter Ceelen

Pieter Ceelen is Red Teamer and Wizard with Word at Outflank.
avatar for Dima van de Wouw

Dima van de Wouw

Dima van de Wouw is Red Teamer and Offensive Developer at Outflank.

Thursday September 29, 2022 17:00 - 18:00 CEST
01. Gouden Carolus