hackerone Alyssa_herrera H1:90274
History: Sep 24, 2015 - 5:20 a.m.

Zendesk: CSV Excel Macro Injection Vulnerability in export chat logs

2015-09-24 05:20:48
alyssa_herrera
hackerone.com
109

Scenario: An attacker creates a chat name such as =AND(2>1), with a fake email and random text in the message body. This is similar to a vulnerability recently found in zendesk.com as well. When a team member clicks "Export as CSV" and opens the file, instead of seeing =AND(2>1) they see TRUE, meaning that the cell is now evaluated as a formula, and an attacker could make a chat request using a malicious function to execute malware on a team member's PC.

Since formula characters aren't escaped, the ways this can be used are practically limitless and the impact can be severe. One example is executing malware on a staff member's computer, as shown below, by leveraging cmd to execute commands.

Crude PoC for executing cmd:
Use -2+3+cmd|' /C calc'!E1 and it could execute malicious commands through CMD.
E1 is the cell it's located in.

Although Excel has a feature to block this by telling the user that the file wants to execute an external script, the team member would believe it is a trusted file coming from a trusted source, so there is a high chance of it being allowed to run. Seeing that it is generated by your site, they may believe it is an enhanced feature of it to streamline support.

The best way to mitigate this vulnerability is to append ' to the list of trigger characters =, +, -; Excel will ignore the ' and just show ='AND(2>1) instead.
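As an added defender-side example (not part of this report and not Zendesk's code), the following Python export helper neutralises the trigger characters above before the CSV is written; it prefixes the cell with the apostrophe, as the OWASP page cited below describes, rather than inserting it after the trigger, and also treats @, tab and carriage return as triggers. The function names and sample chat rows are constructed.

```python
# Added defensive example (not Zendesk's code): neutralise formula triggers in
# CSV exports so a chat name such as =AND(2>1) is stored as literal text.
import csv
import io

# Characters that make Excel interpret a cell as a formula.  The report lists
# '=', '+' and '-'; '@', tab and carriage return are the further triggers from
# the OWASP CSV-injection page the report cites.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return `value` as text that a spreadsheet will not evaluate.

    A leading apostrophe makes Excel/LibreOffice read the cell as literal
    text instead of a formula.  Non-string values (ints, floats) are
    rendered unchanged: they cannot carry a formula.
    """
    if not isinstance(value, str):
        return str(value)
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_chats_csv(rows, fieldnames):
    """Serialise chat-log dicts to CSV text with every field neutralised.

    csv.DictWriter quotes fields containing commas, quotes or newlines and
    doubles embedded quotes, so a crafted value cannot escape its own cell.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


# Constructed sample chat log: a benign visitor, the report's =AND(2>1) name,
# and a visitor whose message merely starts with '-'.
SAMPLE_CHATS = [
    {"name": "Jane Doe", "email": "jane@example.com", "message": "Hi, order question"},
    {"name": "=AND(2>1)", "email": "fake@example.com", "message": "lorem ipsum"},
    {"name": "Bob", "email": "bob@example.com", "message": '-2+3 is my answer, "right"?'},
]

if __name__ == "__main__":
    print(export_chats_csv(SAMPLE_CHATS, ["name", "email", "message"]))
```

The apostrophe remains in the exported data and also lands on legitimate values such as negative numbers or phone numbers starting with +, so apply it at export time rather than to the stored record.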

Sources: https://www.owasp.org/index.php/CSV_Excel_Macro_Injection