Zaption: CSV Excel Macro Injection in Export Response

ID H1:90415
Type hackerone
Reporter alyssa_herrera
Modified 2015-10-01T18:05:37


Scenario: An attacker submits a response such as =AND(2>1) in a tour that allows open responses or discussion. When the user who created the tour opens Analytics and exports the responses as CSV, the exported cell shows TRUE instead of the literal text =AND(2>1), which means the spreadsheet has evaluated the cell as a formula. Since formula characters are not escaped, the possibilities are limitless and the impact can be severe: an attacker can craft a response containing a malicious function that executes when a team member opens the export. One example, shown below, uses the spreadsheet's DDE syntax to hand a command to cmd.exe on a staff member's PC.

Crude PoC for executing cmd: submit -2+3+cmd|' /C calc'!D2 as a response. When the export is opened, the cell invokes cmd via DDE and could run arbitrary commands; calc here is only a harmless stand-in. D2 is the cell the payload lands in.

This can be adapted to other spreadsheet applications such as LibreOffice as well. Although Excel shows a prompt before launching an external application, the team member is likely to treat the export as a trusted file from a trusted website and accept it, so there is a very high chance of the command being executed. Seeing that the file was generated by your site, they may even assume the prompt is part of an enhanced feature for streamlining data viewing.

The best way to mitigate this vulnerability is to prefix any cell that begins with one of the trigger characters (=, +, -) with a single quote ('). Excel treats the leading apostrophe as a text marker: the cell displays =AND(2>1) as plain text instead of evaluating it. In practice the same treatment should also be applied to cells beginning with @ (another formula trigger in Excel) and with a tab or carriage return, and the CSV writer must still quote fields containing commas, double quotes and newlines so a payload cannot break out of its cell. Note that some spreadsheet applications show the apostrophe as a literal character rather than hiding it; that is a cosmetic cost, not a security one.
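The following is an added example of that mitigation, written for this page and not code from Zaption or the reporter. It assumes nothing about the application's real export code: a hypothetical export_responses() builds the CSV with Python's csv module and runs every cell through neutralize_cell(), while find_formula_cells() audits an existing export for cells a spreadsheet would evaluate. The sample responses are constructed, modelled on the payloads in the report.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# The report names =, + and -; @ is also honoured by Excel, and a leading tab
# or carriage return is commonly used to reach a trigger character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet would interpret this string value as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a single quote to any cell that would otherwise be evaluated.

    The apostrophe makes the spreadsheet store the cell as text. Quoting of
    commas, double quotes and newlines is left to csv.writer, so the payload
    also cannot escape the cell it sits in.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_responses(rows, header=("user", "response")):
    """Serialise rows of free-text answers to CSV, neutralizing every cell.

    Hypothetical replacement for the vulnerable export; header and row shape
    are assumptions made for this example.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit helper: return (row, column, value) for every cell of an existing
    CSV export that a spreadsheet would treat as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample responses, modelled on the payloads in the report.
SAMPLE_RESPONSES = [
    ("alice", "Great tour!"),
    ("mallory", "=AND(2>1)"),
    ("mallory", "-2+3+cmd|' /C calc'!D2"),
    ("eve", "@SUM(1+1)"),
]

if __name__ == "__main__":
    # What the unfixed export looks like: three cells would be evaluated.
    unsafe = io.StringIO()
    csv.writer(unsafe, lineterminator="\n").writerows(SAMPLE_RESPONSES)
    print("cells that would execute:", find_formula_cells(unsafe.getvalue()))

    # The hardened export: every trigger cell now carries a leading apostrophe.
    fixed = export_responses(SAMPLE_RESPONSES)
    print(fixed)
    print("after neutralizing:", find_formula_cells(fixed))
```

Run find_formula_cells() against an export produced by the current code to confirm the report's cells are flagged, then against the output of export_responses() to confirm the list is empty. The check is deliberately the same predicate the fix uses, so a new trigger character only has to be added in one place.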