Arxes Tolina CSV Injection
A CSV Injection vulnerability in the arxes-tolina web application with version 3.0.0 allows malicious users to gain remote control of other computers. By providing formula code in the “Firma” (company name), an attacker can create a new company with the name variable that contains malicious code. Other users might download this data as a CSV file and execute the malicious commands on their PC by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user’s PC. The vulnerability was reported as CVE-2019-19676.
We discovered a security issue within the arxes-tolina web application with version 3.0.0. It is a software used for performing a credit risk rating of business parties. An attacker can input malicious commands embedded within the formula data of a spreadsheet, due to a lack of sufficient input filtering. This allows users to become compromised should they open the injected spreadsheet that was exported as a CSV file and opened via tools like Microsoft Excel or LibreOffice. The attacker can infect users with malware and gain control over their machine, if the malicious code is executed successfully.
Steps to Reproduce
Upon creating a new company entry, a malicious user is able to enter formula code into the "Firma" field. Users with adequate permissions, could export and download all the existing companies in the database as a CSV file. If the infected CSV file is opened with Microsoft Excel, and the user accepts the warning from Excel that the program "cmd .exe" will be executed upon opening the document, the malicious formula code will be executed. In this example, the value "= cmd|'/ Ccalc'!A0" was used as the company name, for the example proof of concept attack. The formula is then interpreted by Excel and the embedded commands are executed.
Picture 1: Formula injection in the “Firma” field (company name) of a new company entry.
Picture 2: The content of the “Firma” field “=cmd |'/ C calc'!A0” is interpreted and executed by Microsoft Excel.
This issue exists due to insufficient input filtering. In order to mitigate the issue, we recommend sanitizing cells that begin with any special character that may trigger the execution of a formula such as "=", "+", "@" or "-". By prepending a single quote or apostrophe (') character to the field’s content may avoid the content of the cell from being interpreted as a formula.
The issue was reported to arxes-tolina but we are not aware whether a fix has been implemented.
Credit for finding and reporting the issue:
Evgeni Sabev (Deloitte)