
UiPath “Orchestrator” 

A CSV injection in UiPath “Orchestrator” allows malicious users to gain remote control of other computers. By choosing formula code as their username, an attacker can submit malicious code to the UiPath platform, where it ends up in exported files. Other users might download this data and compromise their PC by opening it in a tool such as Microsoft Excel. The attacker could then gain remote access to the user’s PC. The vulnerability was reported as CVE-2018-19855.

Background

We discovered a security issue within the monitoring platform component “Orchestrator” of UiPath, a software for Robotic Process Automation. Due to a lack of sufficient input filtering, an attacker can input malicious formula data. This makes it possible to attack clients who export the data and open it with tools like Microsoft Excel or LibreOffice Calc. If the malicious code is executed successfully, the attacker can infect users with malware and gain control over their host computers.

 

Steps to Reproduce

Upon creating a new user account, a malicious user is able to put formula code into the "username" field. If this new username is involved in an action on the platform, it is logged and appears in the audit section of “Orchestrator”. Other users can export and download the audit results as a CSV file. If the infected file is opened with Microsoft Excel, the malicious formula code will be executed. In this example, the username "=1+2" was involved in an action. When the exported file is opened, Excel interprets and evaluates the formula.

Root Cause

This issue exists due to insufficient input filtering. To mitigate the issue, we recommend sanitizing user-supplied input across the entire platform before exporting the data as spreadsheet files.
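One way to apply this recommendation at export time, shown as an added example that is not UiPath's code or the actual fix: every cell is neutralized before it is written to the CSV. The column names, the sample audit rows and the helper names `neutralize_cell` and `export_audit_csv` are assumptions made for illustration; the trigger character list follows OWASP's CSV injection guidance.

```python
import csv
import io
import re

# Leading characters that spreadsheet tools may treat as the start of a
# formula (the list given in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_cell(value):
    """Return a cell value that no longer starts like a formula."""
    text = "" if value is None else str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text  # signed numbers such as "-5" are data, not formulas
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text  # prefix so the first character is not a trigger
    return text


def export_audit_csv(rows, header):
    """Serialize audit rows to CSV, neutralizing each cell and quoting all fields."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas and quotes inside their own cell, so a
    # value cannot break out and start a new cell with a formula.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col)) for col in header])
    return buf.getvalue()


# Constructed sample audit entries; the column names are assumptions.
SAMPLE_AUDIT = [
    {"user": "=1+2", "action": "Create", "component": "Users"},
    {"user": "alice", "action": "Delete", "component": "-5"},
    {"user": '@SUM(1,1),"x"', "action": "Update", "component": "Robots"},
]

if __name__ == "__main__":
    print(export_audit_csv(SAMPLE_AUDIT, ["user", "action", "component"]))
```

Neutralizing at export time rather than at account creation means values already stored in the audit log are covered as well.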

 

Fix

The issue was fixed in release 2018.4.

 

Credit

Credit for finding and reporting the issue:

Patrick Schmitt