Item | Comment |
---|---|
Software | Microsoft Azure Portal |
Version | https://portal.azure.com/ |
Type of Issue | CSV Injection / Formula Injection |
CWE | https://cwe.mitre.org/data/definitions/1236.html |
OWASP | https://owasp.org/www-community/attacks/CSV_Injection |
Roles affected | All |
CVSS | Medium – 4.4 |
Credits | Christian Becker from Y-Security |
Summary
Various Azure Active Directory components can be used to export displayed data in CSV format. In a few components the generated CSV values were found to be properly escaped. However, we also identified components in which data is not correctly escaped and which therefore allow CSV Injection/Formula Injection.
The vulnerability can be exploited by different user types and allows inserting data that is then downloaded by any other user of the tenant. Final exploitation does not happen within the Azure Portal, but in the software opening/interpreting the CSV file, such as Microsoft Excel or LibreOffice Calc. Additional attack vectors include inserting false data that is later imported elsewhere, e.g. when re-creating an Active Directory or automatically creating users on a system.
Vulnerability Details
We identified that CSV values are sometimes properly escaped. Therefore, we assume that the intended behavior is that downloaded CSV files should not allow CSV Injection/Formula Injection. The table below lists affected pages and URLs that were found to be accessible with the subscription used for testing. Please note that additional injection points likely exist in the application, and we have recommended that Microsoft review all CSV download/export functionalities. The following functions have been accessed:
Blade | Page | Vulnerable to CSV Injection |
---|---|---|
Users | All users (Preview) | Yes |
Users | Sign-in logs | No – Characters Escaped |
Users | Audit logs | No – Characters Escaped |
Users | Bulk operation results | Yes |
Groups | All groups | Yes |
Groups | Audit logs | No – Characters Escaped |
Groups | Bulk operation results | Yes |
Application administrator | Assignments | Yes |
Default Directory | Administrative units | Yes |
Steps to reproduce
In the example below we have used a very basic payload, but we should note that it is also possible to execute operating system commands or exfiltrate content from the file. More details about payloads can be found in our previous post about Microsoft Teams – CSV Injection.
Proof of Concept: CSV Injection via User Details
Both admin and non-admin users can download user lists from within the Azure AD Portal. To do this, the following steps need to be performed:
- Log in to your organization and open the Users | All users (Preview) blade
- Add a new user and set DisplayName, First name or Last name to a formula like “=3+1” (without quotes)
- The newly created user is now visible in the preview
- Click “Bulk operations” and “Download users” and start the export
- Open “Bulk operations results” and wait for completion
- Download generated CSV file
The generated CSV file then looks like the one below, showing that =3+1 in line 3 was not properly escaped:

```csv
userPrincipalName,displayName,surname,mail,givenName,id,userType,jobTitle,department,accountEnabled,usageLocation,streetAddress,state,country,officeLocation,city,postalCode,telephoneNumber,mobilePhone,alternateEmailAddress,ageGroup,consentProvidedForMinor,legalAgeGroupClassification,companyName,creationType,directorySynced,invitationState,identityIssuer,createdDateTime
MSOBBYSec_outlook.com#EXT#@MSOBBYSecoutlook.onmicrosoft.com,=1+3 MSOBB,MSOBB,,=1+3,7cc0c81b-f2a2-489a-8243-eda96da4214d,Member,,,True,DE,,,,,,,,,MSOBBYSec@outlook.com,,,,,,,,MSOBBYSecoutlook.onmicrosoft.com,8/19/2021 1:25:31 PM
test12345@msobbysecoutlook.onmicrosoft.com,=3+1,=3+1,,=3+1,05f9eb61-470e-426c-b631-6db6bf429063,Member,,,True,,,,,,,,,,,,,,,,,,MSOBBYSecoutlook.onmicrosoft.com,8/19/2021 3:02:10 PM
```
Mitigation & Recommendation
The vulnerability currently remains unfixed in Microsoft Azure Portal. Microsoft has asked to include the below statement:
We are working on defense in depth mitigation to ensure our customers are protected.
MSRC 06.12.2021
We recommend disabling Dynamic Data Exchange (DDE) in your data processor, such as Microsoft Excel or LibreOffice Calc. Additionally, we recommend not using CSV exports generated by the Azure Portal for automated processing while the vulnerability remains unfixed. In general, it is recommended to surround field values with double quotes (") or to always escape characters that can be used as part of a formula injection, such as:
- Equals to (=)
- Plus (+)
- Minus (-)
- At (@)
- Comma (,)
- Tab (0x09)
- Line feed (0x0a)
- Carriage return (0x0D)
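As an added illustration (not code from the advisory or from Microsoft), the following Python checks a downloaded export for unescaped formula cells, like the =3+1 values in the export above, and shows how an exporter can neutralise them: the cell values are prefixed with a single quote as OWASP recommends for the trigger characters listed, and every field is double-quoted with embedded quotes doubled. The sample export is constructed and uses only a subset of the real columns.

```python
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula when they
# start the value (the trigger list from the recommendation above).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_cell(value: str) -> bool:
    """True if the cell would be evaluated as a formula instead of shown as text."""
    return value[:1] in FORMULA_TRIGGERS


def find_formula_cells(csv_text: str) -> list:
    """Scan a downloaded export and return (row, column, value) for every
    unescaped cell a spreadsheet would evaluate. Row 1 is the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            if isinstance(value, str) and is_formula_cell(value):
                hits.append((row_no, column, value))
    return hits


def sanitize_cell(value: str) -> str:
    """OWASP guidance: a leading single quote makes the spreadsheet render the
    value as text. Phone numbers such as +49... get prefixed too; intended."""
    return "'" + value if is_formula_cell(value) else value


def write_safe_csv(header: list, rows: list) -> str:
    """Write rows with every field double-quoted and embedded quotes doubled,
    so commas or line breaks inside a cell cannot start a new field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample mirroring the advisory's export (subset of the columns).
SAMPLE_EXPORT = (
    "userPrincipalName,displayName,surname,mail,givenName\n"
    "alice@example.onmicrosoft.com,Alice Example,Example,,Alice\n"
    "test12345@example.onmicrosoft.com,=3+1,=3+1,,=3+1\n"
)

if __name__ == "__main__":
    for hit in find_formula_cells(SAMPLE_EXPORT):
        print("unescaped formula cell:", hit)
    print(write_safe_csv(["displayName", "mobilePhone"], [["=3+1", "+49 30 123"]]))
```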
Disclosure Policy
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded and therefore we decided to disclose the vulnerability even though it remains unfixed.
Disclosure Timeline
DATE | COMMENT |
---|---|
21.08.2021 | Vulnerability Identification & Proof of Concept created |
21.08.2021 | Vulnerability reported to Microsoft Security Response Center (MSRC) |
23.08.2021 | MSRC requested Proof of Concept Video |
24.08.2021 | Proof of Concept Video provided |
25.08.2021 | MSRC Case 67001 was assigned |
15.09.2021 | Update Requested from MSRC |
15.09.2021 | MSRC confirmed the case is under investigation |
05.10.2021 | Update Requested from MSRC |
05.10.2021 | MSRC confirmed the case is under investigation |
19.11.2021 | Disclosure Deadline of 90 days Hit |
29.11.2021 | Informed MSRC about scheduled public disclosure on 06.12.2021 |
01.12.2021 | MSRC asked for extension till end of December 2021 |
01.12.2021 | Request Declined |
06.12.2021 | MSRC requested to include a statement regarding the vulnerability |
06.12.2021 | Statement added to Mitigation & Recommendation |
06.12.2021 | Coordinated Public Disclosure |