CSV (XLS) Injection (Excel Macro Injection or Formula Injection) exists in the AIM CrossChex version 4.3 when importing or exporting users using xls Excel file. This can be exploited to execute arbitrary commands on the affected system via SE attacks when an attacker inserts formula payload in the Name field when adding a user or using the custom fields Gender, Position, Phone, Birthday, Employ Date and Address. Upon importing, the application will launch Excel program and execute the malicious macro formula.
f17d0ab71ad68426099534dd08d3f455
Anviz AIM CrossChex Standard 4.3 Excel Macro Injection
Vendor: Anviz Biometric Technology Co., Ltd.
Product web page: https://www.anviz.com
Affected version: 4.3.6.0
Summary: Access Control and Time Attendance Management
System. Complying with our self-developed fingerprint,
facial, iris, etc. devices, CrossChex Standard integrates
intelligent management of time attendance and relevant
functions of access control. It has been widely used in
many office buildings and factories across the world,
continuously serving access control and management
requests from many companies with stable performance,
accurate calculation, safe management and high intelligence.
Desc: CSV (XLS) Injection (Excel Macro Injection or Formula
Injection) exists in the AIM CrossChex 4.3 when importing
or exporting users using xls Excel file. This can be exploited
to execute arbitrary commands on the affected system via
SE attacks when an attacker inserts formula payload in the
'Name' field when adding a user or using the custom fields
'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date'
and 'Address'. Upon importing, the application will launch
Excel program and execute the malicious macro formula.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5498
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php
22.10.2018
--
From the menu:
User -> Add -> use payload: =cmd|' /C mspaint'!L337
User -> Import / Export: use payload: =cmd|' /C mspaint'!L337