-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-020
Product:                   KIX Pro
Manufacturer:              c.a.p.e. IT GmbH
Affected Version(s):       17.x.x, 18.x.x
Tested Version(s):         17.5.0
Vulnerability Type:        MS Excel CSV formula injection (CWE-20)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2022-02-21
Solution Date:             No solution offered yet at time of disclosure
Public Disclosure:         2022-05-10
CVE Reference:             Not assigned
Author of Advisory:        Dr. Vladimir Bostanov, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

KIX Pro is an open-source, browser-based service system for professional
IT and technical service.

The manufacturer describes the product as follows (see [1]):

"KIX Pro is the perfect service management system when it comes to
qualified IT and technical service. In addition to offering comprehensive
management of service contracts and Service Level Agreements (SLAs), its
range of features also includes numerous functions that provide efficient
support during service delivery."

Due to insufficient server-side validation of user input, KIX Pro is
vulnerable to MS Excel formula injection via ticket metadata. If a ticket
list is exported as a CSV file and imported into MS Excel, the injected
code is executed automatically.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The KIX Pro search function provides the option of exporting search
results into a CSV file. On an MS Windows platform, such files are
usually imported into MS Excel. In a CSV file, it is possible to define
formulae that are automatically executed in MS Excel after the import.
An attacker with access to an account with write privileges can create
new tickets containing crafted payloads that define such formulae.
If a victim exports search results containing such tickets into a CSV
file, stores the file locally, imports the data into MS Excel, and allows
formula execution (ignoring a warning issued by the system), the injected
code is executed automatically on the victim's local computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An authenticated attacker with write privileges creates a new ticket with
the following title (subject):

=cmd|'/C calc.exe'!Z0

An authenticated victim starts a search whose results include the ticket
containing the crafted payload and chooses to export the search results
as a CSV file. After storing the file locally and then importing it into
MS Excel, the local file calc.exe is executed automatically (which
launches the standard MS Windows desktop calculator). The victim must,
however, allow formula execution, in spite of a system-issued warning.

For other (truly malicious) attack payloads, see [2].

In the above description of the vulnerability, the term "local computer"
is used in order to emphasize the fact that the attack affects the
client-side system rather than the server. Note, however, that, if the
victim is accessing the web application via, e.g., a terminal server,
the latter may be affected rather than the victim's local computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution has been offered yet at time of disclosure.
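The advisory describes the missing server-side control but no vendor fix exists at the time of disclosure. The following Python module is an added illustration of the usual mitigation for this class of bug on the exporting side; it is not KIX Pro code and not part of the SySS advisory. It neutralizes cells that a spreadsheet would interpret as formulae (leading `=`, `+`, `-`, `@`, tab or carriage return) by prefixing them with a single quote, which Excel treats as a "text" marker, and it includes a small scanner that flags formula-triggering cells in an existing CSV export so that exports produced before the fix can be checked. The ticket rows are constructed sample data; the second row reuses the payload string shown in the PoC above so that the effect of the escaping is visible.

```python
import csv
import io

# Leading characters that cause Excel (and most other spreadsheet importers)
# to evaluate a cell as a formula instead of displaying it as text.  Tab and
# carriage return are included because some importers strip leading
# whitespace before looking for '='.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` as a string that a spreadsheet import shows as text.

    A leading single quote forces text interpretation in Excel and is not
    rendered in the cell.  Values that do not start with a trigger character
    are returned unchanged so ordinary ticket data is not altered.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_tickets_csv(rows, neutralize=True):
    """Serialize (id, title, owner) tuples as CSV text.

    `neutralize=False` reproduces the vulnerable behaviour (raw cell values);
    the default applies neutralize_cell() to every field.  QUOTE_ALL keeps
    embedded separators and quotes inside a single cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "title", "owner"])
    for row in rows:
        cells = [neutralize_cell(c) if neutralize else str(c) for c in row]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text and return (row, column) positions of cells that a
    spreadsheet would evaluate as formulae.  Row 0 is the header line."""
    hits = []
    for r, record in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(record):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


# Constructed sample tickets (not real KIX Pro data).  Row 1002 carries the
# title from the advisory's PoC; 1003 and 1004 show other trigger characters,
# the last one being a legitimate value that still needs escaping.
SAMPLE_TICKETS = [
    (1001, "Printer on floor 3 offline", "jdoe"),
    (1002, "=cmd|'/C calc.exe'!Z0", "attacker"),
    (1003, "@SUM(A1:A3)", "mallory"),
    (1004, "-5 degrees in server room", "ops"),
]


if __name__ == "__main__":
    unsafe = export_tickets_csv(SAMPLE_TICKETS, neutralize=False)
    safe = export_tickets_csv(SAMPLE_TICKETS)
    print("unsafe export, formula cells:", find_formula_cells(unsafe))
    print("hardened export, formula cells:", find_formula_cells(safe))
    print(safe)
```

The scanner reports every row whose title starts with a trigger character in the unescaped export and nothing in the hardened one. Two practical points: the leading quote is only invisible in spreadsheet applications, so consumers that read the CSV programmatically will see it and may need to strip it, and the escaping belongs at the export boundary rather than at ticket creation, since a value such as "-5 degrees" is legitimate ticket data that must still be stored as entered.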
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-02-16: Vulnerability discovered
2022-03-15: Vulnerability reported to manufacturer
2022-05-10: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for KIX Pro
    https://www.kixdesk.com/en/products/kix-pro/
[2] "Formula Injection", an article by PenTest Magazine
    https://pentestmag.com/formula-injection/
[3] SySS Security Advisory SYSS-2022-020
    "MS Excel CSV formula injection in KIX Pro"
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-020.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Vladimir Bostanov of SySS
GmbH.

E-Mail: vladimir.bostanov@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS GmbH
web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAmJ6ehEaHHZsYWRpbWly
LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCuP/Q/7BN4lM/kHU6JcmzfFC0ku
Dg6lpNMPX+NTA+2etbL4Xl8nSxQZhNcQIhvkGKgDRalYQVFg7n2taehy5czHy8XD
KqILTkey/1x9PVFcEYzXD73N1lCjzJ6wC5VtZW8ukmQI55lxeKmtBTo9X5vw6qFK
EEDlBYxhHFsuxwimK55XMKfi7O2kO1p3Fl4a+y5/GSfdV7YyWmekNkiAYyPhxBX0
XQk6sixW1gixTSwzi0lpWEfJswvAJbtd1mhA7B9G27A5mzMMD0RQPexy0CX5Fcew
owitiF0bjeLvOAongBTRDfKGVNONmRC9drDEoeKtRPXRylmT5cXHFEbHGmvujRpQ
zzM0v88G1TC2DWUIGOF83p0VX6d8FUmHaCAqaNm5Tj9cf2MNgUVyMYVotlDc+y2V
solJtqNktCxG+XJZIjMpp1Viu5vppvnuYWDdnMPMkQAnLdLA7+EQINTyR4pxBGON
CdHgGFxRk8BgT8UmkXFhPKVdPtdAIiZ4RCafEQYsaKu3RxFaW/H9UqejLRhbG4kE
hMdAgdGtx6yfWQRFdfreNrnnum/mnal/U+Mkya8x9/+hnlddCJZTaj5SYta803zl
9yng34Vzme6/OzST/sIgpP17Au/nkOsgGGNXtW9QNDaHTnxuwyI+Sq1ZyeKVBbYg
oET82zUv9JQnjP9zMkkAV80=
=ZCi1
-----END PGP SIGNATURE-----