How I Found 16 Microsoft Office Excel Vulnerabilities in 6 Months
In this talk, I want to share the story of how I discovered 17 Microsoft Office Excel vulnerabilities in half a year. I found these vulnerabilities by fuzzing. I will explain why I picked Microsoft Office Excel as my fuzzing target, and how to build an effective fuzzing framework step by step.
In this talk, I will share the details of how to prepare for Excel fuzzing:
How to select a fuzzing corpus
How to choose and implement a mutation algorithm
How to launch samples and catch exceptions
How to triage the fuzzing results
How to reproduce the results
How to report vulnerabilities to MSRC
I will also share some problems encountered during the fuzzing process, including:
How to automatically click through the dialog boxes that appear during Excel fuzzing
How to effectively clean up the temporary files generated during fuzzing to keep the virtual machine small
How to speed up fuzzing by switching between multiple old and latest Office versions
How to adjust fuzzing strategy to speed up execution
How to manage fuzzing results, and how to store and classify them
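To make the mutation step concrete, here is an added example (my own illustration, not the speaker's framework) of one Excel-specific consideration: an .xlsx file is a zip of XML parts, so mutating the raw file bytes mostly corrupts the container, which Excel rejects before any parser runs, and the run is wasted. Mutating the decompressed parts and re-zipping keeps the container valid so the mutations actually reach the XML parsers. The sample workbook parts and the mutation operators are constructed for this example.

```python
import io
import random
import zipfile

# Constructed stand-in for a corpus sample: a minimal set of xlsx parts.
SAMPLE_PARTS = {
    "[Content_Types].xml": b'<?xml version="1.0"?><Types/>',
    "xl/workbook.xml": b'<workbook><sheets><sheet name="S1" sheetId="1"/></sheets></workbook>',
    "xl/worksheets/sheet1.xml": b'<worksheet><sheetData><row r="1"><c r="A1"><v>42</v></c></row></sheetData></worksheet>',
}

# Values that tend to stress length/count fields and integer handling in parsers.
INTERESTING = [b"\x00", b"\xff", b"-1", b"0", b"2147483647", b"4294967295", b"<" * 32]

def build_zip(parts):
    """Re-pack the parts into a fresh, valid zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

def read_parts(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()}

def is_valid_container(zip_bytes):
    """True if the zip itself is intact (all CRCs check); parsers only run past this point."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.testzip() is None

def mutate_bytes(data, rng, rounds=4):
    """Apply a few seeded byte-level mutations: bit flip, interesting-value splice, chunk duplicate, chunk delete."""
    data = bytearray(data)
    for _ in range(rounds):
        if not data:
            break
        op = rng.choice(("flip", "interesting", "dup", "delete"))
        i = rng.randrange(len(data))
        if op == "flip":
            data[i] ^= 1 << rng.randrange(8)
        elif op == "interesting":
            data[i:i + 1] = rng.choice(INTERESTING)
        elif op == "dup":
            data[i:i] = data[i:min(len(data), i + rng.randrange(1, 64))]
        else:
            del data[i:min(len(data), i + rng.randrange(1, 16))]
    return bytes(data)

def mutate_sample(zip_bytes, seed):
    """Pick one XML part, mutate it, re-zip. Deterministic for a given seed so a crash can be reproduced."""
    rng = random.Random(seed)
    parts = read_parts(zip_bytes)
    target = rng.choice(sorted(n for n in parts if n.endswith(".xml")))
    parts[target] = mutate_bytes(parts[target], rng)
    return target, build_zip(parts)
```

Each mutated file stays a well-formed container, and the seed recorded alongside a crash is enough to regenerate the exact input later during triage and reproduction.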
With the help of the method described in this talk, after half a year I reported more than 20 Office vulnerabilities to Microsoft and received 16 CVE acknowledgements from MSRC, including 13 remote code execution vulnerabilities and 3 information disclosure vulnerabilities.