6

It's known that MS Excel functionality of external references will allow executing arbitrary commands from its formulas with appropriate security warnings and confirmation required from the user.

E.g. having a cell in excel sheet (or csv file opened by excel) that contains the formula =cmd|' /C calc'!A1 will run calc.exe in a manner that can be extended to run arbitrary code.

However, this rises two questions:

  1. Are the details of this functionality documented anywhere? MS Office documentation of external references doesn't do so.

  2. Is there an equivalent construction in Excel for Mac? The particular example doesn't work, but it could as well be because of cmd (and calc) being windows-specific command names; if the external execution is intentional (as those old vulnerabilities haven't been removed but just had the warnings added) it should likely be implemented in Excel for Mac as well.

Anders
  • 64,406
  • 24
  • 178
  • 215
Peteris
  • 8,369
  • 1
  • 26
  • 35

1 Answers1

1

The functionality to run arbitrary code was an intentional feature that Microsoft added. Back when office was released the whole threat molded was different, we did not share files like we do today. And since Microsoft hate to remove features and break backwards comparability we still have to deal whit this.

  1. Are the details of this functionality documented anywhere? MS Office documentation of external references doesn't do so.

=cmd Appears to be badly documented it can't be found in the list Excel functions (alphabetical), however the VB documentation has example code on how to start the calculator Here

  1. Is there an equivalent construction in Excel for Mac? The particular example doesn't work, but it could as well be because of cmd (and calc) being windows-specific command names; if the external execution is intentional (as those old vulnerabilities haven't been removed but just had the warnings added) it should likely be implemented in Excel for Mac as well.

Yes, Office 2011 can run arbitrary code POC, In office 2016 Microsoft added a sandbox but it has had issues: ref

KilledKenny
  • 1,662
  • 4
  • 19
  • 28