Anviz AIM CrossChex Standard 4.3 Excel Macro Injection
Vendor: Anviz Biometric Technology Co., Ltd.
Product web page: https://www.anviz.com
Affected version: 188.8.131.52
Summary: Access Control and Time Attendance Management
System. Complying with our self-developed fingerprint,
facial, iris, etc. devices, CrossChex Standard integrates
intelligent management of time attendance and relevant
functions of access control. It has been widely used in
many office buildings and factories across the world,
continuously serving access control and management
requests from many companies with stable performance,
accurate calculation, safe management and high intelligence.
Desc: CSV (XLS) Injection (Excel Macro Injection or Formula
Injection) exists in the AIM CrossChex 4.3 when importing
or exporting users using xls Excel file. This can be exploited
to execute arbitrary commands on the affected system via
SE attacks when an attacker inserts formula payload in the
'Name' field when adding a user or using the custom fields
'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date'
and 'Address'. Upon importing, the application will launch
Excel program and execute the malicious macro formula.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Advisory ID: ZSL-2018-5498
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php
From the menu:
User -> Add -> use payload: =cmd|' /C mspaint'!L337
User -> Import / Export: use payload: =cmd|' /C mspaint'!L337