Web servers are vulnerable to spreadsheet-based attacks, new research indicates

The humble spreadsheet document has long been renowned for presenting a litany of security risks to users and enterprises.

So-called formula injection attacks, first documented back in 2014, exploit the ‘Export to Spreadsheet’ functionality in certain web applications.

Here, specially crafted input can enable an attacker to gain access to sensitive datasets or, even worse, inject malicious payloads to completely compromise a user’s device.

While client-side formula injection attacks remain a sticking point for security-focused web app developers, newly published research indicates that this attack vector is presenting a growing risk to servers.

A report published last week by Jake Miller, security associate at Bishop Fox, details two distinct server-side attacks based on CSV injection.

In the first instance, Miller found that by injecting a formula payload into his client’s G-Suite integrated application, he was able to receive live-streaming updates from the exported Google Sheets document.

While Miller’s discovery led him to urge users to “exercise caution when opening software-generated documents in Google Sheets”, his second formula injection exploit has much wider security implications, as it can be leveraged to achieve remote code execution.

“We identified two applications that were vulnerable to remote code execution via formula injection,” he explained.

“Both of these web applications converted uploaded XLS/CSV documents into image documents during the upload process. This conversion relied on instrumenting the Excel software on a Windows-based host.”

After uploading a spreadsheet with the formula =NOW(), the security specialist found that the current timestamp was returned, confirming that the formulas were being interpreted in real-time.

Armed with this information, Miller attempted leverage the traditionally client-side Dynamic Data Exchange (DDE) attack as a server-side attack using Metasploit’s exploit/multi/script/web_delivery payload.

After successfully obtaining a shell, he used the EC2 metadata URL to leverage the machine’s identity to gain control of assets throughout the cloud environment.

Interestingly, this wasn’t the only example provided by Miller of successful machine compromise using server-side formula injection.

A second instance relates to an application which had TCP egress protection on its document conversion server.

In this case, the Metasploit payload failed to execute, but Miller was able to leverage a DNS shell through formula injection by chaining the attack with PowerShell and DDE.

Miller understandably did not reveal the name of the application tested, but he said these flaws show an “emerging class of client-side vulnerabilities that are manifesting as server-side vulnerabilities”.

“As we continue to rely on SaaS and delegate tasks such as Office document file conversion away from the desktop environment, we can expect to see more client-side vulnerabilities emerge in server-side attack surface,” he concluded.