Comma separated vulnerability also known as Formula Injection/csv injection.
Introduction:
This document demonstrates the CSV injection a technique for exploiting “Export to Spreadsheet” functionality. While working on some project, I have found this vulnerability in one of the Microsoft’s product i.e.
CRM – Customer Relationship Management
What is CRM? :
It is a product by Microsoft, use to manage and analyze customer interactions and data throughout the customer lifecycle, with the goal of improving business relationships with customers.
Further section will be having the detail analysis of csv injection.
Description:
Many web applications offer spreadsheet export functionality, this allows an adversary to turn a field into active malicious code so when a victim downloads the csv file and opens it, the malicious code get executed.
This is possible when a web application does not properly validate the input fields, an adversary can insert some malicious code through invalidated input fields. The resulting spreadsheet’s cell thus contains the malicious code. By export functionality, the user can download the .csv or .xls file. This is inherently risky, because any cell started by “=” is interpreted as a formula by the spreadsheet.
Impact:
Successful exploitation will allow an attacker to execute arbitrary code with the privilege of currently logged in user of the system causing serious damage to the victim’s system like an entire partition can be wiped out or create backdoors as well for later access. Many other attacks are possible depending upon the creativity of the attacker.
Exploitation Steps:
I. Login with valid user credential and Inject malicious command (=cmd|’ /C calc’!A0) in user’s “Full name” input field
II. Now create a lead and owner will be the “Full name” of user
III. Lead saved successfully with malicious code (=cmd|’ /C calc’!A0) under Owner field
IV. When victim downloads the excel file, malicious code get executed successfully on victim’s system.
