CSV Injection

Sanskar Jain
4 min read · Jun 30, 2023


What is CSV Injection?

CSV, also known as Comma Separated Values, stores tabular data (numbers and text) in plain text. Each record consists of one or more fields, separated by commas.

CSV Injection, also called Formula Injection, occurs when a website embeds untrusted user input inside a CSV file without validating it. When the user opens the CSV file in a spreadsheet program such as Microsoft Excel or LibreOffice Calc, any cell starting with ‘=’ is interpreted by the software as a formula.

Example: We can add the values of two cells with the =A1+A2 formula. It simply adds the values in cells A1 and A2 and displays the result in the third field.

CSV Formula Example

How do these formulas create a threat to the target system?

Every time the CSV file is opened in Excel, formulas that start with “=” are parsed and processed before any text is shown to the user.
Any system function call or malicious payload that can exploit the victim’s system, or leak data from the file to the attacker, could be present in the formula injected into the CSV.

How is command execution possible through CSV injection?

Excel provides the DDE (Dynamic Data Exchange) functionality, through which an attacker can execute application commands from the Excel window.

Payload to open calculator in remote host DDE ("cmd";"/C calc";"!A0")A0

Payload to open notepad application in remote host =cmd|’ /C notepad’!’A1′

Impact:

1. Exploiting security flaws in spreadsheet software (such as CVE-2014-3524), or the user’s tendency to ignore security alerts in spreadsheets downloaded from their own website, to take control of the user’s computer.

2. Collecting information from the open spreadsheet or from other spreadsheets.

💥 Attack Scenario:

The target application has functionality to log employee login and logout times. It logs the user’s first name, last name, and time. The Reports section has the functionality to export user data as a CSV file.

1. The attacker observed that user-controlled fields such as First Name and Last Name are reflected in the CSV file.

2. We add basic CSV formulas in the first name and last name fields, i.e. =sum(1+1) and =sum(1+2), which return the sum of the numbers in the resulting CSV field.

Adding basic CSV injection payloads in the vulnerable fields

3. Go to the Reports section and export the data in CSV format. We can see the output of the CSV injection payloads, i.e. 2 and 3, reflected inside the CSV.

4. Now we are assured that CSV injection is working on the target.

5. The attacker can achieve command execution on the target system; with command execution the attacker can run a server or execute commands in the command prompt. We executed a command to open the calculator on the target system with the Dde (“Cmd”;”/C Calc”;”!A0")A0 payload.

Command Execution to open Calculator via CSV Injection

6. CSV injection command execution to pop up the Notepad application with the =SUM(1+1)”Cmd|’/C Notepad’!A0 payload.

Command Execution to open Notepad via CSV Injection

Remediation:

This attack is difficult to mitigate, and is explicitly excluded from quite a few bug bounty programs. To remediate it, ensure that no cell begins with any of the following characters:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)

Developers can prefix a cell containing such characters with an apostrophe (‘). The apostrophe tells Excel that the cell does not contain a formula, and when viewing the file MS Excel does not display an apostrophe entered as the first character of a cell.
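As an added example (not code from the original post), here is a small Python exporter for the employee login report that applies the apostrophe prefix to the trigger characters listed above, next to a scanner a reviewer can run over an existing export to find cells that would still be treated as formulas. It goes slightly beyond the post’s list by also neutralising a leading tab or carriage return, which the OWASP CSV injection guidance adds to the four characters; the field names, sample rows and the choice to quote every field are assumptions.

```python
import csv
import io

# Characters that make Excel / LibreOffice treat a cell as a formula: the four
# from the post, plus tab and carriage return (an addition from OWASP guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return the cell text, prefixed with an apostrophe if it could be parsed as a formula."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, header, sanitize=True):
    """Write rows as CSV text. sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(c) if sanitize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an existing CSV export; return (line, column, cell) for every formula-like cell."""
    findings = []
    for line_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((line_no, col, cell))
    return findings


# Constructed sample: login-log rows as in the post's scenario, with the
# =sum(1+1) / =sum(1+2) payloads from the walkthrough in the name fields.
SAMPLE_HEADER = ["first_name", "last_name", "login_time"]
SAMPLE_ROWS = [
    ["Alice", "Smith", "2023-06-30 09:00"],
    ["=sum(1+1)", "=sum(1+2)", "2023-06-30 09:05"],
    ["-Bob", "@Jones", "2023-06-30 09:10"],
]

if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, SAMPLE_HEADER, sanitize=False)
    hardened = export_csv(SAMPLE_ROWS, SAMPLE_HEADER)
    print("vulnerable export flags:", find_formula_cells(vulnerable))
    print("hardened export flags:", find_formula_cells(hardened))
```

Running the scanner over the unsanitised export reports the two formula cells and the two cells starting with “-” and “@”; over the hardened export it reports nothing, because every such cell now starts with the apostrophe.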
