Anviz AIM CrossChex Standard 4.3 Excel Macro Injection

`  
Anviz AIM CrossChex Standard 4.3 Excel Macro Injection  
  
  
Vendor: Anviz Biometric Technology Co., Ltd.  
Product web page: https://www.anviz.com  
Affected version: 4.3.6.0  
  
Summary: Access Control and Time Attendance Management  
System. Complying with our self-developed fingerprint,  
facial, iris, etc. devices, CrossChex Standard integrates  
intelligent management of time attendance and relevant  
functions of access control. It has been widely used in  
many office buildings and factories across the world,  
continuously serving access control and management  
requests from many companies with stable performance,  
accurate calculation, safe management and high intelligence.  
  
Desc: CSV (XLS) Injection (Excel Macro Injection or Formula  
Injection) exists in the AIM CrossChex 4.3 when importing  
or exporting users using xls Excel file. This can be exploited  
to execute arbitrary commands on the affected system via  
SE attacks when an attacker inserts formula payload in the  
'Name' field when adding a user or using the custom fields  
'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date'  
and 'Address'. Upon importing, the application will launch  
Excel program and execute the malicious macro formula.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2018-5498  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php  
  
  
22.10.2018  
  
--  
  
  
From the menu:  
User -> Add -> use payload: =cmd|' /C mspaint'!L337  
User -> Import / Export: use payload: =cmd|' /C mspaint'!L337  
`