How I created a backdoor in a system exploiting CSV functionality of an Application by performing Formula Injection…!!

Ohkay…!! Firstly let me tell you in short that what this is all about, so that it gets easier for you to understand the scenario and the exploit.

So what’s CSV?

In computing, a comma-separated values (CSV) file is a delimited text file that uses a comma to separate values. A CSV file stores tabular data (numbers and text) in plain text. Each line of the file is a data record. Each record consists of one or more fields, separated by commas. The use of the comma as a field separator is the source of the name for this file format.
[So bookish right? Basically I did a copy paste from wiki. So, let me get it straight csv is basically a file type where you can store your data in tabular format, it has lots of other features as well (you can google for that).]

Now about the vulnerability, what is“Formula Injection”?

Nowadays, there are many web application and frameworks being developed which allow users to export the data saved in database into a csv file. The csv file created might lead to CSV or Formula injection. So it becomes very important to be sure that the file exported through the web application is safe and will not leave the users system prone to any attack.
CSV Injection aka Formula Injection. It occurs when websites embed un-trusted user input inside CSV files without validating. When the user tries to open the CSV file using any spreadsheet program such as Microsoft Excel or LibreOffice Calc, any cells starting with ‘=’ will be interpreted by the software as a formula. So, this is it in-spite of executing any formula if I am able to communicate with the OS itself I would be able to perform any malicious activities that I want. Now, let’s move to the POC and let’s find out how it will be possible.

Steps to Follow:

First of all you’ll need an application which is having data input functionality and then exporting the data into csv file feature. Let’s start then:

Step 1:

Log in to the application using valid admin credential, now navigate to the tab where you’ll be able to add new data, for my application I have navigated to add a new device:
Login and navigate to add data into the application

Step 2:

Fill-up all the required fields with the following command, and click on “Ok”:
=cmd|’ /C calc’!A0
This command will basically ask the OS to open a calculator using command prompt into the victims machine.
Placing the basic command in the input box

Step 3:

Now, the inserted command (i.e. new device information) reflects in the list, as shown below.
Placing the basic command in the input box

Step 4:

Now, click on Export tab, post which complete data will get exported in your system as CSV file, as shown in the screenshot .
The Name shows the command

Step 5:

Now, when the csv file opens, it prompts some warnings click on “Enable” and “Yes” respectively, post that the command gets executed and a calculator opens up, as shown in the screenshots.
hurrah the calculator has opened
So, this is the method by which you can validate the formula injection vulnerability.
Now, let’s dig in a bit more, let’s try and create a backdoor using the same technique. So, for that all we need is to modify the command a bit. So, in-place of =cmd|’ /C calc’!A0 we will insert following two commands in it
=cmd|’ /C echo\net user <username> <password>/add>xy.bat&echo\net localgroup administrators <username>/add>>xy.bat’!A0
=cmd|’ /C xy.bat’!A0
Basically this command firstly opens up command prompt and creates a local administrator with your desired credentials in the victims system. To make this happen easily we have created a bat file and executed the same.
Following screenshots will give you more idea about it.

Easy right? Now, let me quickly tell you the probable fix for this vulnerability.

Mitigation:

Mitigation mechanisms range from adding characters such as a single tick ‘ or a space before cells starting with an equals character = to HTMLEncoding special characters. However, consideration should be given to not break a legitimate user’s input-integrity.

That’s all folks for now, hopefully this article gives you a good understanding of Formula Injection vulnerability and how to proceed with it. If you would like to add any more useful information or have any doubts please feel free to comment. Happy learning.