MNDT-2023-0019.md

File metadata and controls

36 lines (26 loc) · 1.92 KB

MNDT-2023-0019

Description

Arbitrary Code Execution (ACE) vulnerability in Spreadsheet::ParseExcel version 0.65

CVE ID

CVE-2023-7101

CWE

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Affected

Impact

High - Arbitrary Code Execution. If parsing documents provided by a remote machine, this could result in Remote Code Execution (RCE).

Exploitability

High - Attackers can exploit this vulnerability by using specially crafted Number format strings within XLS and XLSX files, triggering the execution of arbitrary code during the parsing process.

Technical Details

Spreadsheet::ParseExcel is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
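As an added illustration written for this page (not the module's own code), the following Perl shows what replacing the string eval looks like: a format string read from a workbook is checked against an allowlist of number-format characters and only validated integers ever reach sprintf, so no file-controlled text is turned into Perl source. The supported format subset and the sample values are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist of characters permitted in a simple Excel number format.
# Assumption: only numeric formats such as "0", "0.00", "#,##0.00",
# "0.0%" and "0.00E+00" are needed; anything else is refused, never interpreted.
my $SAFE_FORMAT = qr/^[#0,.%E+\-]{1,32}$/;

# Validate a format string taken from a workbook before using it at all.
sub is_safe_number_format {
    my ($fmt) = @_;
    return defined $fmt && $fmt =~ $SAFE_FORMAT ? 1 : 0;
}

# Apply a simple number format without building Perl source from it.
# Returns undef when validation fails so callers fall back to a default
# representation instead of evaluating untrusted text.
sub apply_number_format {
    my ($value, $fmt) = @_;
    return undef unless is_safe_number_format($fmt);

    my $percent  = $fmt =~ /%/       ? 1 : 0;
    my $sci      = $fmt =~ /E[+\-]/  ? 1 : 0;
    my $decimals = $fmt =~ /\.(0+)/  ? length $1 : 0;
    my $grouping = $fmt =~ /#,##/    ? 1 : 0;

    my $n = $percent ? $value * 100 : $value;
    # The sprintf spec is assembled only from a validated integer, never from $fmt.
    my $out = $sci ? sprintf("%.${decimals}E", $n)
                   : sprintf("%.${decimals}f", $n);
    if ($grouping) {
        my ($int, $frac) = split /\./, $out, 2;
        1 while $int =~ s/^(-?\d+)(\d{3})/$1,$2/;   # insert thousands separators
        $out = defined $frac ? "$int.$frac" : $int;
    }
    return $percent ? "$out%" : $out;
}

# Constructed sample: the first two formats are accepted; the third uses a
# section separator and colour code outside the allowlist and is refused
# rather than guessed at.
for my $fmt ('#,##0.00', '0.0%', '0.00;[Red]-0.00') {
    my $r = apply_number_format(1234567.891, $fmt);
    printf "%-16s -> %s\n", $fmt, defined $r ? $r : 'rejected';
}
```

Running the same parser under Perl taint mode (`perl -T`) is a cheap regression check for this bug class: Perl refuses `eval STRING` on data that still carries taint from file input.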

Resolution

Not currently patched

Discovery Credits

References