Comma Separated Vulnerability (CSV), or in my own words client-side command injection, is an attack technique in which an attacker exploits the "Download as a CSV" functionality of a web application to execute arbitrary system commands on the victim's system.
Today's modern web applications offer multiple options for bulk import/export of data, such as Comma-Separated Text, Microsoft Excel, XML, Tab-Separated Text, FileMaker Pro and HTML Table. This exploit becomes possible when an application supports CSV file export without proper sanitization in place. CSV is a simple file format used to store tabular data, such as a spreadsheet or database. Files in the CSV format can be imported to and exported from programs that store data in tables, such as Microsoft Excel or OpenOffice Calc. The resulting spreadsheet or database cells often contain input from untrusted sources such as customer feedback, contact addresses and comments.
Any cell in the spreadsheet that starts with the '=' character will be interpreted as a formula, so malicious input from an untrusted source becomes risky. For example, an organization allows an admin to export the contact addresses of customers who showed interest in its product and to share those addresses for future communication. In this scenario, a malicious customer could post the following as their contact address:
=cmd|' /C shutdown -s -f'!A0
When the administrator downloads and opens the resulting spreadsheet, it will show the messages below; this pop-up is displayed by Microsoft Office because something is fishy. But this kind of pop-up usually appears when you open a macro-enabled Excel file as well. So, if the admin simply ignores these messages and presses Enable and Yes to proceed, the file will open and the above command will be executed, which will shut down the system. Instead of a system shutdown, the attacker can execute any command of their choice (delete files, format a drive, create a user, etc.).
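As an added example that is not part of the original post, the following Python export helper neutralizes cells that a spreadsheet would parse as a formula, and a companion scanner reports such cells in an existing CSV file. The post discusses the '=' trigger; treating '+', '-', '@', tab and carriage return as triggers too follows common hardening guidance and is an assumption beyond the post.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
# The post discusses '='; '+', '-', '@', tab and CR are included here as an
# assumption drawn from common CSV-injection hardening guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` as text a spreadsheet will display literally rather than evaluate."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe makes spreadsheet applications treat the cell as text.
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows to CSV text, neutralizing every cell that could be parsed as a formula."""
    buf = io.StringIO()
    # QUOTE_ALL keeps separators and quotes inside cell values from breaking the row layout.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Parse CSV text and return (row, column) positions of cells a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


# Constructed sample export; the last row carries the payload quoted in the post.
SAMPLE_ROWS = [
    ["customer", "contact_address"],
    ["alice", "12 Example Street"],
    ["mallory", "=cmd|' /C shutdown -s -f'!A0"],
]

if __name__ == "__main__":
    safe_csv = export_rows(SAMPLE_ROWS)
    print(safe_csv)
    print(find_formula_cells(safe_csv))  # [] once every cell has been neutralized
```

Running `find_formula_cells` over an export produced without `neutralize_cell` reports the offending cell, which makes it usable as a regression check on an application's CSV download endpoint.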