CSV Excel Macro Injection Vulnerability in export customer tickets

From Hackipedia
Hackerone #90131
Target: Zendesk
Target Module:
Type: RCE
Payload:
-2+3+cmd|' /C calc'!E1
Original: Link
CVE:
Archive Screenshot

Applications that allow a CSV export of data may be subject to a CSV macro injection attack. A malicious user inserts data that a spreadsheet will interpret as a formula or macro when the exported file is opened. To test, you can do simple checks like

=AND(2>1) or

=1+1

to see how the application handles the output.

A more malicious attack can then be tried:

-2+3+cmd|' /C calc'!E1

This has the purpose of opening calc.exe.

This is an easy bug to find and to work with, but it isn't often that a company is willing to pay much for it. Be sure to check exclusion lists before spending much time on it.

How To Perform

  1. Have a CSV reader (OpenOffice)
  2. Place calc.exe at C:\ for ease of testing
  3. Insert simple calculations =1+1 at different data points to see how they are exported
  4. Try different macros to get calc.exe to open as a good POC
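
On the export side, the fix is to make sure cells like the test values above are written as text. The following is an added example, not code from the original report or from Zendesk: an export routine that neutralizes formula-leading cells, and an audit helper that lists the cells a spreadsheet would evaluate. The function names and ticket rows are constructed; the trigger characters follow OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell (OWASP CSV injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(text):
    """True if a spreadsheet may evaluate this cell instead of showing it as text."""
    # Leading spaces are skipped because some importers trim them before parsing.
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix risky cells with a single quote so they are displayed as text."""
    text = "" if value is None else str(value)
    # Trade-off: legitimate values such as "-5" are prefixed as well.
    return "'" + text if is_formula_cell(text) else text


def export_tickets(rows, sanitize=True):
    """Write rows as CSV; sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)  # quotes and escapes every field
    for row in rows:
        writer.writerow([neutralize_cell(c) if sanitize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an export: return (row, column, cell) for every cell that would be evaluated."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    return [(r, c, cell)
            for r, row in enumerate(reader)
            for c, cell in enumerate(row)
            if is_formula_cell(cell)]


# Constructed sample data: ticket subjects carry the test strings from this page.
SAMPLE_TICKETS = [
    ["id", "subject", "requester"],
    ["101", "=1+1", "alice@example.com"],
    ["102", "=AND(2>1)", "bob@example.com"],
    ["103", "-2+3+cmd|' /C calc'!E1", "carol@example.com"],
    ["104", "Printer is broken", "dave@example.com"],
]

if __name__ == "__main__":
    print("unsanitized:", find_formula_cells(export_tickets(SAMPLE_TICKETS, sanitize=False)))
    print("sanitized:  ", find_formula_cells(export_tickets(SAMPLE_TICKETS)))
```

Running `find_formula_cells` over real exports in a regression test catches fields that were added later without going through the sanitizer.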