Injection in ‘Export to Spreadsheet’ functionality

Comma separated vulnerability also known as Formula Injection/csv injection.

Introduction:

This document demonstrates the CSV injection a technique for exploiting “Export to Spreadsheet” functionality. While working on some project, I have found this vulnerability in one of the Microsoft’s product i.e.

CRM – Customer Relationship Management

What is CRM? :

It is a product by Microsoft, use to manage and analyze customer interactions and data throughout the customer lifecycle, with the goal of improving business relationships with customers.
Further section will be having the detail analysis of csv injection.

Description:

Many web applications offer spreadsheet export functionality, this allows an adversary to turn a field into active malicious code so when a victim downloads the csv file and opens it, the malicious code get executed.
This is possible when a web application does not properly validate the input fields, an adversary can insert some malicious code through invalidated input fields. The resulting spreadsheet’s cell thus contains the malicious code. By export functionality, the user can download the .csv or .xls file. This is inherently risky, because any cell started by “=” is interpreted as a formula by the spreadsheet.

Impact:

Successful exploitation will allow an attacker to execute arbitrary code with the privilege of currently logged in user of the system causing serious damage to the victim’s system like an entire partition can be wiped out or create backdoors as well for later access. Many other attacks are possible depending upon the creativity of the attacker.

Exploitation Steps:

I. Login with valid user credential and Inject malicious command (=cmd|’ /C calc’!A0) in user’s “Full name” input field

II. Now create a lead and owner will be the “Full name” of user

III. Lead saved successfully with malicious code (=cmd|’ /C calc’!A0) under Owner field

IV. When victim downloads the excel file, malicious code get executed successfully on victim’s system.

3 Comments

  1. It is not a bug of CRM web application, but a known and accepted issue/functionality in MS Excel application. It would be hard for CRM web application to sanitize inputs for Excel formulas. They may implement some workaround, like adding an apostrophe (‘) to the cell data starting with equal (=) sign, but it will tamper the CSV data.

    I believe, MS-excel would have been giving a “macro” warning prompt while opening the CSV file?

    Thanks
    Vaibhav

    • CRM can sanitize the input by applying proper validation to the input fields. As you can see in screen shot, code is injected in the Username field, it is not hard for CRM to sanitize at least the mandatory field by applying proper validation. And also by adding an apostrophe (‘) to the cell will suffice, it will read the data in cell as a text instead of executing a formula.
      Yes, MS-excel gives “macro” warning, but there is a major chances that user will click yes because file is being downloaded from trusted server of Microsoft. and yeah it was an accepted issue by ‘OpenOffice’ (older version) as the command is executed before the warning is displayed. But in excel it is a functionality not an issue, so it needs to be handle on application level.

      Thanks
      Akshay

  2. I agree that CRM can sanitize the input. But that will corrupt/change the CSV contents which may be not be accepted functionality.

    Also, how will you distinguish a valid content from a malicious input? Adding apostrophe (‘) to every cell data starting with a “=” sign may change the CSV contents on legit cases. It would be visibly same in Excel, but if the CSV is parsed by any other program, this solution may break.

    Thanks
    Vaibhav

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.