Summary

The potential for formula injection exists in Ghostwriter's Excel xlsx report generation function.

Impact

This can be abused to achieve remote code execution on a victim's system. Anyone that could export the Excel and enable Dynamic Data Exchange (DDE) can be affected.

A malicious user can insert an Excel formula into a finding field (e.g., =cmd|' /C cal'!'A1') and execute that formula in the resulting Excel workbook. Newer versions of Excel will detect the formula and display a security advisory that requires user interaction to enable formula execution.

Patches

Ghostwriter v3.2.9 resolved this issue by changing the xlsxwriter implementation to write strings only and explicitly disabling writing a string as a formula. As an extra layer of protection, the reporting engine now escapes all command characters written to the Excel workbook with Excel's apostrophe escape character.

Replication Steps

1. Login as any user that could export the xlsx report.
2. Create report and a finding.
3. Inject the payload into any field finding xlsx file (example payload: =cmd|' /C cal'!'A1')
   
4. Submit the finding.
5. Generate the xlsx report.
   
6. Open the file and click Enabled Editing.
   
7. If you use a newer version of Excel, you need to click Enable Content.
   
8. Click Yes to All.
   
9. The Notepad and Calculator will execute if opened on a Windows system.
   

References

• CSV Injection, OWASP, https://owasp.org/www-community/attacks/CSV_Injection