export to rce
play

Export to RCE Adam Greenhill SecurityCompass Who am I? Senior - PowerPoint PPT Presentation

Aug 23, 2022 •170 likes •605 views

Export to RCE Adam Greenhill SecurityCompass Who am I? Senior Consultant @ Security Compass OSCP Graduated Sheridan Colleges Honours Bachelor of Applied Information Sciences (Information Systems Security) Fun fact:

  1. Export to RCE Adam Greenhill SecurityCompass

  2. Who am I? ● Senior Consultant @ Security Compass OSCP ● ● Graduated Sheridan College’s Honours Bachelor of Applied Information Sciences (Information Systems Security) ● Fun fact: I dislike everything about Twitter

  3. Shameless plug (Don’t google that) We’re hiring: https://securitycompass.com/careers/

  4. Many years ago...

  5. Year,Make,Model,Description,Price 1997,Ford,E350,"ac, abs, moon",3000.00 1999,Chevy,"Venture ""Extended Edition""","",4900.00 1999,Chevy,"Venture ""Extended Edition, Very Large""",,5000.00 1996,Jeep,Grand Cherokee,"MUST SELL! air, moon roof, loaded",4799.00 https://en.wikipedia.org/wiki/Comma-separated_values cat test.csv

  6. CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. =cmd|' /C calc '!'A1' https://www.owasp.org/index.php/CSV_Injection CSV Injection / Formula Injection

  7. Microsoft Excel!

  9. =CMD(Command) - Execute system commands =HYPERLINK(URL, “Friendly Name”) - Create URLs =WEBSERVICE(URL) - Perform API calls =FILTERXML(URL, xpath_query) - Performs XML related web requests* * - Thank you Brynn! :D Recap

  10. Can you think of any attacks?

  11. Web apps: ● Financial sites ● CMS backup functionality ● Geographic data Where?

  12. Attacker performs an e-transfer to another account. In the comment field they enter =cmd|' /C calc '!'A1' Example Scenario

  13. Payload gets stored in the database Example Scenario

  14. Victim exports all transactions to CSV Example Scenario

  15. Poisoned CSV created Example Scenario

  16. Victim opens poisoned CSV file in Excel Example Scenario

  17. “Victim” is able to execute arbitrary code against “attacker” Example Scenario

  18. Tools

  19. Cray

  20. https://www.exploit-db.com/exploits/44899 Demo

  21. git clone https://github.com/sullo/nikto cd nikto git checkout 098177b01729ae33a260ff1bc43cff3e425f7c7e https://github.com/sullo/nikto/commits/master?after=9dbf5f2e5464959f3bb01d9b3e761427aa8a511c+104 cp -f ./program/plugins/nikto_report_csv.plugin /var/lib/nikto/plugins/nikto_report_csv.plugin nikto -h 127.0.0.1 -o injection.csv curl -v 127.0.0.1 Demo

  23. It’s rewind time

  24. “Attacker” uses Nikto Replay

  25. Nikto scans “victim” server Replay

  26. Nikto outputs results into CSV Replay

  27. Victim opens poisoned CSV file in Excel Replay

  28. “Victim” is able to execute arbitrary code against “attacker” Replay

  29. This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters: ● Equals to ("=") ● Plus ("+") ● Minus ("-") ● At ("@")" https://www.owasp.org/index.php/CSV_Injection Remediation

  30. https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7 Remediation

  31. https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7 Remediation

  32. https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7 Remediation

  33. Defense in depth

  34. Disable Dynamic Data Exchange File -> Options Trust Center -> Trust Center Settings Defenses

  35. Disable Dynamic Data Exchange Uncheck the following two options: ● Enable Dynamic Data Exchange Server Lookup ● Enable Dynamic Data Exchange Server Launch Defenses

  37. Bill Bill Bill

  38. Excel isn’t the only culprit… A number of Microsoft products use the Dynamic Data Exchange (DDE) protocol Future research

  39. 1. Understand the technologies that you’re working with 2. Sanitize your inputs 3. Sanitize your outputs 4. If you’re not using it disable it Key takeaways

  40. Questions or concerns?

  41. https://www.linkedin.com/in/adamgreenhill/ Thank you!

  42. ● https://payatu.com/csv-injection-basic-to-exploit/ https://pentestlab.blog/2018/01/16/microsoft-office-dd ● e-attacks/ https://attack.mitre.org/techniques/T1173/ ● ● https://www.owasp.org/index.php/CSV_Injection https://github.com/sullo/nikto ● ● https://pixabay.com/ https://giphy.com ● References

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How to export Image and Animation 1. When we finished our design, we need export it. Sometimes we

How to export Image and Animation 1. When we finished our design, we need export it. Sometimes we

How to export Image and Animation 1. When we finished our design, we need export it. Sometimes we need export a picture, sometimes we need export to video, GIF or SWF, sometimes we need the transparent background, sometimes we dont. So, we

207 views • 3 slides
Kildare Export Success Seminar Kilian Duignan Export Success Seminar Export Success Seminar

Kildare Export Success Seminar Kilian Duignan Export Success Seminar Export Success Seminar

Local Enterprise Office Kildare Export Success Seminar Kilian Duignan Export Success Seminar Export Success Seminar Export Success Seminar Export Success Seminar Jan 13 th 2019 Dyson to move company HQ to Singapore CEO says plan is more

493 views • 20 slides
S.P.A.C.E. Export Compliance Awareness S.P.A.C.E. Training Session 5- Export Controls Robert

S.P.A.C.E. Export Compliance Awareness S.P.A.C.E. Training Session 5- Export Controls Robert

S.P.A.C.E. Export Compliance Awareness S.P.A.C.E. Training Session 5- Export Controls Robert Phillips Rutgers Export Compliance Officer 11/20/2018 Objectives Create open dialogue on Export control law awareness with Rutgers University

795 views • 33 slides
Export Capacity Building Programme Day 2 Understanding Business and Export Finance 5 th & 6

Export Capacity Building Programme Day 2 Understanding Business and Export Finance 5 th & 6

Export Capacity Building Programme Day 2 Understanding Business and Export Finance 5 th & 6 th December 2016 Content Day 2 Understanding business Finance Cash flow cycle Reading Reports Using ratios Pricing for export

720 views • 31 slides
Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa

Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa

Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa Nash Export Control Officer, NDSU Why Should You Care About Export Controls? so you can avoid HERE. When Should You Care? NOW. U.S. export

758 views • 65 slides
The changing landscape of export diversification 1 5 July 2 0 1 6 PRESENTATION Export

The changing landscape of export diversification 1 5 July 2 0 1 6 PRESENTATION Export

The changing landscape of export diversification 1 5 July 2 0 1 6 PRESENTATION Export Diversification and Linking into Global Value Chains: Tangible Solutions and Strategies By Rashmi Banga, Head and Advisor, Trade Competitiveness Section,

473 views • 13 slides
Export opportunities via Canberra Airport 1.Potential markets 2.Potential export opportunities

Export opportunities via Canberra Airport 1.Potential markets 2.Potential export opportunities

Canberra Region Air Freight Forum , 31 October 2017 Wayne Murphy Regional Export Adviser / TradeStart Adviser, NSW Department of Industry Export opportunities via Canberra Airport 1.Potential markets 2.Potential export opportunities

458 views • 17 slides
EXPORT CONTROL IN THE STATLER COLLEGE OF ENGINEERING AND MINERAL RESOURCES Gary J. Morris, Ph.D.,

EXPORT CONTROL IN THE STATLER COLLEGE OF ENGINEERING AND MINERAL RESOURCES Gary J. Morris, Ph.D.,

EXPORT CONTROL IN THE STATLER COLLEGE OF ENGINEERING AND MINERAL RESOURCES Gary J. Morris, Ph.D., Export Control Officer Nancy L. Draper, Senior Export Control Analyst Abigail A. Wolfe, Export Control Legal Intern October 15, 2015 Associate VP

749 views • 35 slides
EXPORT PANORAMA Top Ten U.S. Dry Ben Export Markets (MT) 1 EXPORTS TO THE AMERICAS US Dry Bean

EXPORT PANORAMA Top Ten U.S. Dry Ben Export Markets (MT) 1 EXPORTS TO THE AMERICAS US Dry Bean

TRENDS IN GLOBAL DRY BEAN MARKETING REBECCA BRATTER EXECUTIVE DIRECTOR EXPORT PANORAMA Top Ten U.S. Dry Ben Export Markets (MT) 1 EXPORTS TO THE AMERICAS US Dry Bean Exports to South and Central America & the Caribbean Top

498 views • 14 slides
GLOBAL BRA Z IL EXPORT Global Brazil Export was brought to life by a partnership between two of the

GLOBAL BRA Z IL EXPORT Global Brazil Export was brought to life by a partnership between two of the

GLOBAL BRA Z IL EXPORT Global Brazil Export was brought to life by a partnership between two of the most capable enterprises on the business of logistics and exportation, with the sole aim to ofger you an extraordinary service. Together, Gonalves

318 views • 16 slides
EXPORT TO RUSSIA WORKSHOP Who are we B2B-Export.com is an online trading platform, media

EXPORT TO RUSSIA WORKSHOP Who are we B2B-Export.com is an online trading platform, media

EXPORT TO RUSSIA WORKSHOP Who are we B2B-Export.com is an online trading platform, media resource and professional community that allows for international trade between Russia, Africa, Latin America, Asia and the Middle East What we do

295 views • 16 slides
NOVEMBER 20, 2018 ONTARIOEXPORTAWARDS.CA PRESENTED BY THE EXPORT AWARDS EXPERIENCE 2017 was a

NOVEMBER 20, 2018 ONTARIOEXPORTAWARDS.CA PRESENTED BY THE EXPORT AWARDS EXPERIENCE 2017 was a

NOVEMBER 20, 2018 ONTARIOEXPORTAWARDS.CA PRESENTED BY THE EXPORT AWARDS EXPERIENCE 2017 was a booming year for Ontario exports, according to Export Development Canadas Fall Global Export Forecast . Helped along by the weaker Canadian dollar,

258 views • 6 slides
Director of Export Development Cooperation Directorate General of National Export Development on

Director of Export Development Cooperation Directorate General of National Export Development on

Presentation by Marolop Nainggolan Director of Export Development Cooperation Directorate General of National Export Development on Expanding the Growth of SME Exports to Canada and the World TPSA Project Final Conference - June 26,

875 views • 20 slides
Export Strategy Export Development Strategies that Succeed Study Tour for Trade Officials from

Export Strategy Export Development Strategies that Succeed Study Tour for Trade Officials from

Export Strategy Export Development Strategies that Succeed Study Tour for Trade Officials from Kosovo Geneva, 18 May 2010 Stephen Browne and Sophie Krantz Export Development Strategies that Succeed Role of Trade Policy The ultimate objective

595 views • 23 slides
LAC 4932 C-130H WARNING This document contains technical data whose export may be

LAC 4932 C-130H WARNING This document contains technical data whose export may be

LAC 4932 C-130H WARNING This document contains technical data whose export may be restricted by the Arms Export Control Act (Title 22, USC, Sec 2751, et seq) or the Export Administration Act of 1979 as amended, Title 50, USC, App 2401,

444 views • 15 slides
Smoothing out the Bumpy Road to Export Success: Evaluating Export Promotion Activities in Belgium

Smoothing out the Bumpy Road to Export Success: Evaluating Export Promotion Activities in Belgium

Introduction Literature Data Methodology Results Conclusions Smoothing out the Bumpy Road to Export Success: Evaluating Export Promotion Activities in Belgium Annette D. Schminke Jo Van Biesebroeck University of Leuven December 6, 2012

238 views • 22 slides
More than you ever wanted to know about CSV Digging into the CSV script Script Outline Load file

More than you ever wanted to know about CSV Digging into the CSV script Script Outline Load file

More than you ever wanted to know about CSV Digging into the CSV script Script Outline Load file Split by line into records Split by delimiter into fields Test for a condition (field 2 != "Ensign") Print out another column (field 1

146 views • 3 slides
Manipulating Data Files in Python Learning Objectives Working with CSV files Reading

Manipulating Data Files in Python Learning Objectives Working with CSV files Reading

Manipulating Data Files in Python Learning Objectives Working with CSV files Reading and writing Moving into and out of data structures Accessing files in other folders JSON files Reading and writing Regular

519 views • 36 slides
CSE 115 Introduction to Computer Science I Road map Review Exercises from last time

CSE 115 Introduction to Computer Science I Road map Review Exercises from last time

CSE 115 Introduction to Computer Science I Road map Review Exercises from last time Reading csv files exercise File reading A b i t o f t e x t \n o n s e v e r a l l i n e s \n A text file is a sequence of

700 views • 37 slides
Introduction read.csv Importing Data in R Importing data in R ? Importing Data in R 5 types

Introduction read.csv Importing Data in R Importing data in R ? Importing Data in R 5 types

IMPORTING DATA IN R Introduction read.csv Importing Data in R Importing data in R ? Importing Data in R 5 types Flat files Data from Excel Databases Web Statistical so ware Importing Data in R Flat

245 views • 21 slides
Mixed models in R using the lme4 package Part 1: Introduction to R Douglas Bates University of

Mixed models in R using the lme4 package Part 1: Introduction to R Douglas Bates University of

Web site Data Variables Subsets Mixed models in R using the lme4 package Part 1: Introduction to R Douglas Bates University of Wisconsin - Madison and R Development Core Team <Douglas.Bates@R-project.org> UseR!2009, Rennes, France

658 views • 27 slides
OFFICE HOURS ESG-CV Reporting Prepared: September 22-24,2020 Call in If you are having audio

OFFICE HOURS ESG-CV Reporting Prepared: September 22-24,2020 Call in If you are having audio

OFFICE HOURS ESG-CV Reporting Prepared: September 22-24,2020 Call in If you are having audio difficulty using your computer, please call in using one of the following phone numbers: US Toll free +1-855-797-9485 US Toll +1-415-655-0002

476 views • 10 slides
Excel l as as a a Tool to Troubleshoot SIS IS Data for EMIS Reporting Overv ervie iew

Excel l as as a a Tool to Troubleshoot SIS IS Data for EMIS Reporting Overv ervie iew

11/30/2016 Excel l as as a a Tool to Troubleshoot SIS IS Data for EMIS Reporting Overv ervie iew Basic Excel techniques can be used to analyze EMIS data from Student Information Systems (SISs), from the Data Collector and on ODE EMIS

787 views • 27 slides
INFORMATION VISUALIZATION Alvitta Ottley Washington University in St. Louis CSE 557A: INFORMATION

INFORMATION VISUALIZATION Alvitta Ottley Washington University in St. Louis CSE 557A: INFORMATION

CSE 557A | Sep 14, 2016 INFORMATION VISUALIZATION Alvitta Ottley Washington University in St. Louis CSE 557A: INFORMATION VISUALIZATION 1 Assignment 1: Bar and Line Chart Due: 09-28-2016, 11:59pm (midnight) In this assignment, you will be

668 views • 34 slides

More recommend