Injection attacks in Google Sheets!

SecurityGOAT
Jul 16, 2021

Using CSV Injection to exfiltrate data :)

Chances are that you have already heard or read about CSV Injection or Formula Injection. In that case, I think this post might act as a refresher for you. And if you don’t know about CSV Injection, then this post will teach you that. Anyhow, we will see what works and what doesn’t, and we will use Google Sheets as our guinea pig.

What is CSV Injection?

So I was learning more about different Injection attacks, especially the Export Injection attacks that happen during PDF export on the server side (like during PDF invoice generation, for instance), and while searching for articles on it, a few CSV Injection results came up and they caught my eye…

So I set out to learn what it is and whether it is a serious issue or just FUD!

Ever seen the export-to-spreadsheet functionality or found yourself working with CSV files? Did you ever think that the data in those files can actually be much more than just benign text fields?

While rendering CSVs, the incredible beasts like Excel, LibreOffice, Google Sheets, etc. try to not only show the text data but also evaluate the formulas in them.

Open a CSV file, select any cell and enter the following text: =SUM(1336+1)

As soon as you hit enter, the cell contains the result:

Of course, you must be thinking, “Gotta need some more serious stuff than seeing 1337!!!”

But I hope you at least get the idea of what CSV Injection is about: formulas in the data get executed by the software, which can lead to Data Exfiltration or even RCE!

And this is what this post is going to address. I will discuss a few vectors that you can try to exfiltrate data using CSV Injection!

Data Exfiltration using CSV Injection

As a general trend, all the injection attacks have a common root cause — user data is interpreted as command for the software and this leads to the different injection attacks. In this case — CSV Injection — the formula is the data which the user supplies and it becomes the command for the software (Excel, LibreOffice, Google Sheets, etc.).

So what all can we really do with CSV Injection?

I read a few posts and saw Excel being used to pop up a calculator and execute Windows commands and even saw LibreOffice being used to pull /etc/passwd file, all interesting stuff. But what I was more interested in was Google Sheets, because it is OS independent and there are more chances of people using Google Sheets because of its good integration with other Google products and ease.

And with Google Sheets, the OS Injection stuff already goes out of the window because they won’t allow such easy wins right! Try it if you don’t believe me:

So the formula isn’t parsed — it shows an ERROR!!!

So my next best option was to exfiltrate data out of the sheets and that’s equally good!

So I set out to see if I can exfiltrate data with Google Sheets. And I was just searching all the formulas in Google Sheets itself by seeing the autocomplete results (which were not complete btw and misled me initially…)

So I typed `=` and then the initial letter (A-Z) and saw the suggestions, and after exhausting the list, I wasn’t able to find a single formula that would be good for data exfiltration! So I turned to Twitter and asked more brainy folks about it:

And then I went to read more on it and try out some older payloads that were mentioned in some posts (mentioned in the references below)…

And soon enough when I saw this post:

and tried it out, things worked!

Btw, I think it would have been better to check the documentation initially to avoid wasting my time typing and seeing the possible formulas (lesson learnt haha): https://support.google.com/docs/table/25273?hl=en

So we can see some good candidates already!

IMAGE would load an image and hence sends a request to an external service to load the image file.

Other formulas were the IMPORT{DATA|FEED|HTML|XML} ones. HYPERLINK is good too but it requires a user click, so I omitted it.

Other candidates listed above send a request without any user interaction so those were good enough for me!

Plus, if I am exfiltrating a data range, and if that data range happens to be updated by the user, then the formula is re-evaluated, resulting in exfiltration of the newly added data! And this is good right — realtime data exfiltration :)
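
From the defender's side, the function list above can be turned into a pre-import check. The following Python is an added example, not part of the original post: it scans a CSV for formula cells and grades them by whether they call one of the request-making functions named above. `classify_cell`, `scan_csv` and the sample file are constructed for illustration, and `example.invalid` is a placeholder host.

```python
import csv
import io
import re

# Functions the post lists: these fetch a URL as soon as the cell is evaluated.
AUTO_FETCH = {"IMAGE", "IMPORTDATA", "IMPORTFEED", "IMPORTHTML", "IMPORTXML"}
# HYPERLINK only sends a request after the user clicks it.
CLICK_FETCH = {"HYPERLINK"}
# Leading characters spreadsheet software commonly treats as the start of a formula.
FORMULA_START = ("=", "+", "-", "@")

STRING_RE = re.compile(r'"(?:[^"]|"")*"')               # a quoted string literal
CALL_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.]*)\s*\(")  # NAME( is a function call


def classify_cell(value):
    """Return (severity, functions) for a formula cell, or None for plain data."""
    text = value.strip()
    if not text.startswith(FORMULA_START):
        return None
    # Blank out string literals so text such as "IMAGE(x)" is not read as a call.
    calls = {name.upper() for name in CALL_RE.findall(STRING_RE.sub('""', text))}
    if calls & AUTO_FETCH:
        return ("auto-request", sorted(calls & AUTO_FETCH))
    if calls & CLICK_FETCH:
        return ("needs-click", sorted(calls & CLICK_FETCH))
    if text.startswith("=") or calls:
        return ("formula", sorted(calls))
    return None  # "-5", "+1": signed numbers, not formulas


def scan_csv(text):
    """List (row, column, severity, functions) for every formula cell, 1-based."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            hit = classify_cell(cell)
            if hit:
                findings.append((r, c, *hit))
    return findings


# Constructed sample file; example.invalid is a placeholder host.
SAMPLE = '''name,note,avatar
alice,=SUM(1336+1),"=IMAGE(""https://example.invalid/a.png"")"
bob,"=""call IMAGE(x) later""",-5
carol,"=HYPERLINK(""https://example.invalid/"",""docs"")","=importxml(""https://example.invalid/f"",""//a"")"
'''

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

Cells graded `auto-request` are the ones that would contact an external host without any user interaction once the file is opened in Google Sheets.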

Data Exfiltration in action:

Potential Vectors

Now we know about CSV Injection and data exfiltration with some formulas. Let’s see some potential ways of getting the CSVs to the victims.

You might be thinking, “I have seen google forms being integrated with google sheets, that should do the trick!”.

Well, I thought about that myself but it didn’t quite work.

The form input containing a formula gets prefixed with a single quote when it ends up in the Google Sheet, and thus that easy trick didn’t work!

Btw the quote is not shown in the field, only in the formula:

So the attack failed.
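
An application that exports user-supplied data to CSV can apply the same single-quote prefix itself. The following Python is an added example, not part of the original post and not Google's implementation: `neutralise`, `export_csv` and the sample rows are constructed for illustration, and the trigger characters follow OWASP's CSV injection guidance.

```python
import csv
import io

# First characters that make spreadsheet software evaluate a cell as a formula.
# Tab and carriage return are included, following OWASP's CSV injection guidance.
TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_number(text):
    """True for plain signed numbers such as -5 or +1.5, which must stay numeric."""
    try:
        float(text)
    except ValueError:
        return False
    return True


def neutralise(value):
    """Return the value as a cell that a spreadsheet will keep as text."""
    text = "" if value is None else str(value)
    if text.startswith(TRIGGERS) and not is_number(text):
        return "'" + text  # same single-quote prefix the post saw in the Forms sheet
    return text


def export_csv(rows):
    """Serialise rows of untrusted values to CSV with every cell neutralised."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise(cell) for cell in row])
    return out.getvalue()


# Constructed rows, as they might arrive from a web form or an API.
ROWS = [
    ["name", "comment", "balance"],
    ["alice", "=SUM(1336+1)", -5],
    ["bob", "@SUM(1,2)", "+1.5"],
    ["carol", "plain text, with a comma", None],
]

if __name__ == "__main__":
    print(export_csv(ROWS), end="")
```

Depending on the spreadsheet program, the added quote may be visible in the imported cell; the point is that the cell no longer begins with a formula character.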

The only other way I could think of was if the user themselves opens a CSV file sent to them via email or exports it to Google Sheets; then these attacks would work, without the user even knowing they were being attacked!

But hey, we don’t allow egress traffic! So we are safe! Or are we?

If you allow DNS resolution, this attack still works and can get the info out without requiring normal HTTP(S) traffic! Just try requesting a domain you own, with the data you want to exfiltrate as the prefix, and voila, you get the data exfiltrated again!

I have intentionally tried to work on something new, so I also learn more and feel challenged everyday!

I hope this post was educational and turned on some lightbulbs inside your brain housing group ;)

I will see you next time with another interesting post. Maybe “PGP (In)Security” up next? Let me know in the comments below :)

Btw if you are enjoying my work and would like to support me, then please check out my Patreon page: https://www.patreon.com/SecurityGOAT

See ya!
Until next time, keep learning and happy hacking :)
