
When Excel opens a CSV file, it just runs whatever arbitrary code might be in the file
Closed, Resolved, Public

Description

I've run into a few mentions of this recently, so here are some notes on it to unambiguously make it previously-known.

If you put =cmd|'evil.exe' in a .csv file and then open it in Excel, it will apparently just run that command. Like, it kinda asks you, but every user will just click "Yes" because users like it when things work and this behavior is crazy.

In the future, Phabricator will be able to generate these files if a task title or description or whatever has =cmd|'evil.exe' at the beginning. Although we currently export only in .xls which I think escapes the fields as "text" (that is, not a formula), we're likely to export in .csv eventually (e.g., T5954). There is apparently (?) no real way to escape fields without mangling the data since Excel is very eager to run arbitrary commands it finds in .csv files.

Excel's behavior seems absurd here, but, e.g., this report is two years old: https://hackerone.com/reports/72785 so it probably isn't going to change any time soon.

When the time comes we can probably do some kind of test + warn + require user to sign in blood + mangle stuff.

Event Timeline

If anyone actually has bona fide Excel.exe installed, you could try opening this file to double check that we're not currently vulnerable:

If that runs calc.exe or prompts you to "update cells" (this is Excel's special way of saying "execute arbitrary untrusted code") this isn't limited to .csv.

Checked on Excel 2016 and it didn't run calc.exe or prompt for "update cells". Also checked on Excel for Mac~

Saving this file as csv also doesn't trigger the bug in Excel 2016 - on reopening, Excel misdetects the format as SYLK, warns about the extension not matching, then warns that an error occurred during loading, and finally when you agree to continue loading as "a different format", it opens without running calc.exe or prompting to update cells.

It seems an up to date patched Excel 2016 is not vulnerable.

After finding https://support.microsoft.com/en-gb/help/323626/-sylk-file-format-is-not-valid-error-message-when-you-open-file and changing the first cell contents to Task ID instead of ID, the csv file is still opened without calc.exe or cell updating.

Actually, Excel 2016 is vulnerable. The test case is incomplete. The cell needs to be =cmd|'/C evil.exe'!A0 to trigger the issue.
By modifying the value in both the xlsx and csv files, I was able to blindly click yes on lots of warning prompts and start calc.exe. But I am not sure that modifying the value in the xlsx file is giving the same result as the export would (something may have been stripped off in the meantime...)

Here's a version with =cmd|'/C evil.exe'!A0 if that produces different results:

It doesn't try to run evil.exe until I edit the cell (the csv version, and the modified xlsx I saved myself try to start on opening).

This is relevant now that work related to T13049 has added CSV support.

I guess I'll just mangle the data. ¯\_(ツ)_/¯
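The description proposes "test + warn + mangle stuff" and the last comment settles on mangling the data. The following is an added example of what that looks like for an exporter, written for this page and not Phabricator's own code: it detects cells that a spreadsheet would evaluate as a formula, neutralises them with a leading single quote (which Excel shows literally when the file comes from CSV, so the mangling is visible rather than silent), and leaves plain negative numbers alone. The payload shape in the sample rows is the one from this task; the row contents, the `scan_csv` helper and the column names are constructed for the example.

```python
import csv
import io
import re

# Leading characters that make Excel (and other spreadsheets) treat a cell
# as a formula, plus the control characters that can start one after a
# field separator. This is the set commonly cited for CSV/formula injection.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A bare number such as -42 or 3.5 is not a formula; leaving it untouched
# keeps negative numbers readable in the export.
_NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")


def is_formula_like(value) -> bool:
    """True if the cell text would be interpreted as a formula by a spreadsheet."""
    if not isinstance(value, str) or not value:
        return False
    if _NUMERIC.match(value):
        return False
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return a version of the cell that spreadsheets will show as text.

    A leading single quote forces text interpretation. Excel displays the
    quote when the CSV is opened, so the data is deliberately "mangled"
    rather than silently altered. Non-string values pass through unchanged.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def write_safe_csv(rows, header=None) -> str:
    """Serialise rows to CSV text with every cell neutralised and quoted.

    QUOTE_ALL wraps every field, so embedded separators, quotes and newlines
    cannot split a cell or start a new one.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    if header:
        writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def scan_csv(csv_text: str):
    """Report (row, column, cell) for every formula-like cell in existing CSV text.

    Useful as a check on an export before it is handed to users.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample export: the second title has the payload shape from this
# task; the first row's points value is a negative number that must survive.
SAMPLE_ROWS = [
    ["T1", "Fix login page", "-5"],
    ["T2", "=cmd|'/C evil.exe'!A0", "0"],
    ["T3", "+1 for this idea", "12"],
]

# The thread noted that a first cell reading exactly "ID" makes Excel
# misdetect the file as SYLK, so the header starts with "Task ID" instead.
SAMPLE_HEADER = ["Task ID", "Title", "Points"]

if __name__ == "__main__":
    print(write_safe_csv(SAMPLE_ROWS, header=SAMPLE_HEADER))
    print(scan_csv('ID,Title\nT9,=HYPERLINK("http://example.invalid")\n'))
```

The trade-off is the one the thread accepts: a title that legitimately starts with `+` or `=` is exported with a visible apostrophe, which is far cheaper than a warning prompt every user clicks through.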