
Possible Formula Injection into Excel Workbooks in Ghostwriter <=v3.2.8

Low
chrismaddalena published GHSA-6367-mm8f-96gr Jun 13, 2023

Package

No package listed

Affected versions

< v3.2.9

Patched versions

v3.2.9

Description

Summary

The potential for formula injection exists in Ghostwriter's Excel xlsx report generation function.

Impact

This can be abused to achieve remote code execution on a victim's system. Anyone who can export the Excel workbook and enables Dynamic Data Exchange (DDE) when opening it can be affected.

A malicious user can insert an Excel formula into a finding field (e.g., =cmd|' /C cal'!'A1') and have that formula executed when the resulting Excel workbook is opened. Newer versions of Excel detect the formula and display a security advisory that requires user interaction before the formula is executed.

Patches

Ghostwriter v3.2.9 resolved this issue by changing the xlsxwriter implementation to write cell values only as strings and explicitly disabling xlsxwriter's conversion of a string that begins with = into a formula. As an extra layer of protection, the reporting engine now escapes all command characters written to the Excel workbook with Excel's apostrophe escape character, so the cell keeps the literal text.
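The two measures described above, as an added example written for this page rather than Ghostwriter's own reporting code: user-controlled text is written with xlsxwriter's write_string() in a workbook created with the strings_to_formulas option turned off, and every value that begins with a character Excel treats as a formula trigger is prefixed with an apostrophe first. The findings schema (title/description), the sample rows and the output path are constructed for the example; the xlsxwriter calls (Workbook options dict, add_worksheet, write_string) are the library's real API.

```python
"""Added example (not Ghostwriter's own code): defence in depth against
formula injection when writing user-controlled text to an xlsx workbook
with the xlsxwriter library, following the advisory's fix: write cells as
strings with string-to-formula conversion disabled, and prefix any string
Excel would parse as a formula with an apostrophe."""
import os
import tempfile

# Leading characters that make Excel treat a cell's text as a formula
# (the DDE form in the advisory starts with "="). Tab and CR are included
# because some spreadsheet parsers skip leading whitespace before "=".
FORMULA_TRIGGER_CHARS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value):
    """True when Excel would parse the cell text as a formula or DDE call."""
    text = "" if value is None else str(value)
    return bool(text) and text[0] in FORMULA_TRIGGER_CHARS


def escape_formula(value):
    """Return value with a leading apostrophe when it could be read as a formula.

    The apostrophe is Excel's text-prefix escape: the cell keeps the literal
    text and nothing is evaluated. Non-string values are converted to str.
    Applying the function twice does not double-escape, because "'" is not
    itself a trigger character.
    """
    text = "" if value is None else str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def write_findings_xlsx(path, findings):
    """Write finding rows to an xlsx file with both protections in place.

    `findings` is a list of dicts with "title" and "description" keys
    (a constructed schema for this example). Returns the number of data
    rows written, or None when the xlsxwriter package is not installed.
    """
    try:
        import xlsxwriter  # third-party library used by Ghostwriter's report engine
    except ImportError:
        return None
    # 1) strings_to_formulas=False: even write() stores a string that begins
    #    with "=" as a string instead of converting it to a formula cell.
    workbook = xlsxwriter.Workbook(path, {"strings_to_formulas": False})
    sheet = workbook.add_worksheet("Findings")
    sheet.write_string(0, 0, "Title")
    sheet.write_string(0, 1, "Description")
    for row, finding in enumerate(findings, start=1):
        # 2) write_string() never produces a formula cell; escape_formula()
        #    adds the apostrophe prefix as the second layer.
        sheet.write_string(row, 0, escape_formula(finding["title"]))
        sheet.write_string(row, 1, escape_formula(finding["description"]))
    workbook.close()
    return len(findings)


if __name__ == "__main__":
    # Constructed sample findings; the first description reuses the payload
    # string quoted in the advisory so the escaping can be seen in the output.
    sample = [
        {"title": "Weak TLS configuration", "description": "=cmd|' /C cal'!'A1'"},
        {"title": "-1 day old backup", "description": "Plain text stays unchanged."},
    ]
    out = os.path.join(tempfile.gettempdir(), "findings_example.xlsx")
    rows = write_findings_xlsx(out, sample)
    if rows is None:
        print("xlsxwriter is not installed; escaped values only:")
        for finding in sample:
            print(escape_formula(finding["title"]), "|", escape_formula(finding["description"]))
    else:
        print("wrote", rows, "rows to", out)
```

Either layer alone already prevents the cell from becoming a formula; keeping both means a later refactor that switches back to write() or drops the workbook option does not silently reintroduce the issue. The apostrophe is visible as part of the stored string when the workbook is opened, which is the trade-off the advisory accepts for the extra protection.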

Replication Steps

  1. Log in as any user that can export the xlsx report.
  2. Create a report and a finding.
  3. Inject the payload into any finding field that is written to the xlsx file (example payload: =cmd|' /C cal'!'A1').
  4. Submit the finding.
  5. Generate the xlsx report.
  6. Open the file and click Enable Editing.
  7. If you use a newer version of Excel, you also need to click Enable Content.
  8. Click Yes to All.
  9. Notepad and Calculator will execute if the file is opened on a Windows system.

References

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more remote (logically and physically) an attacker can be while exploiting the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVE ID

No known CVE

Weaknesses

Credits