CSV Excel Macro Injection Vulnerability in export customer tickets
-2+3+cmd|' /C calc'!E1
Applications that allow a CSV export of data may be subject to a CSV macro injection attack. A malicious user inserts data that will appear in a spreadsheet cell as a macro attack. To test, you can do simple checks to see how the application handles the output.
A more malicious attack can then be tried, with the purpose of opening calc.exe: -2+3+cmd|' /C calc'!E1
This is an easy bug to find and to work with, but it isn't often that a company is willing to pay much for it. Be sure to check exclusion lists before spending much time on it.
How To Perform
- Have a CSV reader (OpenOffice)
- Place calc.exe at C:\ for ease of testing
- Insert simple calculations =1+1 at different data points to see how they are exported
- Try different macros to get calc.exe to open as a good POC
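The "see how they are exported" check from the steps above can be automated on the defending side. The following is an added example, not code from the original page: it exports constructed ticket rows containing the page's two test strings, once raw and once with formula-leading cells neutralized, and reports which cells a spreadsheet would still evaluate. The function names, the sample rows and the single-quote prefix as the mitigation are assumptions of this example.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula
# (the set listed in OWASP's CSV injection guidance, including tab and CR).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-looking string with a single quote so it is shown as text.

    Trade-off: a legitimate value such as "-5" is also prefixed.
    """
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_rows(rows, harden=True):
    """Write rows to CSV text; harden=False mimics the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(c) if harden else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (row, column, value) for each exported cell a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((r, c, cell))
    return hits


# Constructed sample ticket data using the two test strings from this page.
TICKETS = [
    ["id", "subject", "body"],
    ["1", "=1+1", "printer is broken"],
    ["2", "refund", "-2+3+cmd|' /C calc'!E1"],
    ["3", "-5", "negative number typed by a customer"],
]

if __name__ == "__main__":
    for label, harden in (("raw export", False), ("hardened export", True)):
        hits = find_formula_cells(export_rows(TICKETS, harden))
        print(label, "->", len(hits), "formula cell(s)", hits)
```

Running `find_formula_cells` over a real export file in a regression test catches any field that skipped the neutralizing step.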