Summary
Canarytokens.org supports exporting the history of a Canarytoken's incidents in CSV format. The generation of these CSV files is vulnerable to CSV Injection (CWE-1236). An attacker who discovers an HTTP-based Canarytoken can use this flaw to target the Canarytoken's owner, if the owner exports the incident history to CSV and opens it in a spreadsheet application such as Microsoft Excel. The impact is that this issue could lead to code execution on the machine on which the CSV file is opened.
Details
The User-Agent header that is stored when an HTTP-based Canarytoken is triggered is copied directly into the exported CSV data, without neutralising characters that spreadsheet applications interpret as the start of a formula.
The issue can be demonstrated simply. Assume an attacker has discovered a Canarytoken link; they can run a command such as:
$ curl -kis -H "User-Agent: =10+20+cmd|' /C calc'"'!'"A0" <some-http-canarytoken-link>
Later on, when the Canarytoken owner exports the incident history as a CSV file and opens it on a Windows machine with Excel, it results in the execution of the payload (opening the calculator app in this case).
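The following is an added illustration of the flaw and of the usual mitigation; it is not code from the Canarytokens project, and the incident records, field names and helper names in it are constructed for the example. It writes the same incident list twice, once copying the User-Agent through verbatim (the vulnerable behaviour described above) and once prefixing any cell that begins with a formula-trigger character with a single quote so that Excel treats it as text, and it includes a small scanner that flags cells an exported file would hand to the spreadsheet as formulas.

```python
import csv
import io

# Characters that cause Excel and similar applications to evaluate a cell as
# a formula (or DDE command) when they appear at the start of the cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample incidents (not real Canarytokens data). The second
# User-Agent is the calc-spawning payload from the advisory.
SAMPLE_INCIDENTS = [
    {"time": "2024-01-01 10:00:00", "src_ip": "203.0.113.5",
     "useragent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"time": "2024-01-01 10:05:00", "src_ip": "198.51.100.7",
     "useragent": "=10+20+cmd|' /C calc'!A0"},
]


def neutralise_cell(value):
    """Return a cell value a spreadsheet will treat as literal text.

    Prefixing a leading '=', '+', '-', '@', tab or CR with a single quote is
    the common OWASP-documented mitigation; it is an assumed approach here,
    not a description of the Canarytokens patch.
    """
    s = str(value)
    if s.startswith(FORMULA_PREFIXES):
        return "'" + s
    return s


def export_csv(incidents, neutralise=True):
    """Render incidents as CSV text.

    neutralise=False reproduces the vulnerable behaviour: attacker-controlled
    User-Agent strings are copied into the file unchanged.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["time", "src_ip", "useragent"])
    for inc in incidents:
        row = [inc["time"], inc["src_ip"], inc["useragent"]]
        if neutralise:
            row = [neutralise_cell(v) for v in row]
        writer.writerow(row)
    return buf.getvalue()


def injected_cells(csv_text):
    """Return (row, column, cell) for every cell that starts with a
    formula-trigger character, i.e. cells a spreadsheet would evaluate."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_no, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((row_no, col_no, cell))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_INCIDENTS, neutralise=False)
    print(vulnerable)
    print("formula cells in vulnerable export:", injected_cells(vulnerable))

    fixed = export_csv(SAMPLE_INCIDENTS, neutralise=True)
    print(fixed)
    print("formula cells in neutralised export:", injected_cells(fixed))
```

Two caveats a practitioner should keep in mind: the quote-prefix rule also catches legitimate values that begin with `-` (negative numbers, some date formats), so apply it only to free-text columns such as User-Agent if that matters for your data; and neutralising on export does not help the owner who already has an older CSV, so any exported file that predates the fix should be treated as untrusted and opened in a plain text editor first.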
Scope of impact
The individuals impacted by this vulnerability are the owners of Canarytokens, as they are the only ones with access to export the incident history to CSV. If they export alert logs containing the malicious payload and open them on their systems, they could inadvertently execute unauthorised commands or code, such as a reverse shell.
Patches
This issue is now patched on Canarytokens.org.
Users of self-hosted Canarytokens installations can update by pulling the latest Docker image (or any Docker image after sha-346d25b4):
$ docker pull thinkst/canarytokens:latest
Acknowledgements
We thank @iodn for reporting this issue.